Implementing OAuth 2.0 with Oracle API Gateway with 2 or More Nodes [ARTICLE]

Version 10

    Using OAuth 2.0 to authenticate and authorize partners to call APIs in Oracle API Gateway works well in a dev environment with a single node Gateway. That's not the case when it runs in a UAT environment with two Gateway nodes on different machines. This article by Marcelo Franca offers a solution.



    I recently participated in a project with Oracle API Gateway (OAG), using OAuth2.0 to authenticate and authorize partners to call  APIs. The flow is simple: the partner calls  OAG through the POST method with client ID and secret ID, and then returns the access token with scopes. This works well while in the development environment with a single node Gateway. However, when it runs in a User Acceptance testing (UAT) environment with two  Gateway nodes not on the same machine, and the client reaches node 2,  OAG can’t find the OAuth client_id and the authorization is denied.


    By default, OAG  installs and uses the Cassandra database to store tokens, and access code and client for authorization. When it's needed to distribute through two nodes or more, a shared structure is necessary to store that information. This article describes how to create the new shared structure using the Oracle Database.


    Tested Environment Requirements



    • oagpolicystudio
    • apigateway server


    Plugin Firefox

    • HTTP Requester

    Oracle Database Express Edition 11g Release 2



    Setup Environment


    1 - Run scripts of path:




    • kps.sql
    • oauth-client.sql
    • oauth-server.sql


    2 – Change parameter policystudio to show hidden files


    Edit the file OAG_HOME/oagpolicystudio/policystudio.ini and include the following line at the end of file:




    3 – Create database connection


    Initiate the Policy Studio tool to connect in Gateway 1. Go to the  “Database connections” tab and create the new database connection with the name “OAuth KPS Database.”



    URL : jdbc:oracle:thin:@myenvironment:1521:xe. Click Test Connection; you should to see Test Connection OK.


    4 – Change Data Sources OAuth


    4.1 - Go to Key Property Stores > OAuth. In the Data Sources tab, click Add:



    4.2 - Select the Database option. Enter the name OAuth KPS Connection” and in the Database connection field, choose the value created in Step 3, “OAuth KPS Database”.  Click OK.


    4.3 - Go to the Properties tab. In the Default Data Source” field, select the item created earlier: “OAuth KPS Connection”. Click Save.



    5 – Change Data Sources API Server


    Repeat steps 4.1, 4.2 and 4.3 for “API Server,” as shown below:



    6 – Alter OAuth Stores


    Go to option Libraries > OAuth2 Stores > Access Token Stores > OAuth Access Token Store. Click Edit “Access Token Store“ and select “Store in a database,“ choosing “OAuth KPS Database”.



    7 - Repeat Step 6 for the items below:

    • Libraries > OAuth2 Stores > Authorization Code Stores > Authz Code Store
    • Libraries > OAuth2 Stores > Client Access Token Stores > OAuth Client Access Token Store


    8 – Test Configurations, Open Firefox and go to http requester plugin


    8.1 - Server 1 get token.


    Call service https://server1:port/api/oauth/token






    8.2 - Server 2 with token info.


    Call service https://server2:port/api/oauth/tokeninfo with token recovered at item 8.1.








    Now we can use Oracle API Gateway with two or more nodes, sharing the same Database repository.