Set up API Gateway OAuth 2.0

Contents

Overview
Enable OAuth 2.0 management
Import client applications
Migrate client applications
Upgrade API Gateway configuration

Overview

This chapter describes how to configure the OAuth 2.0 support provided with the API Gateway. It describes how to enable the OAuth 2.0 endpoints used to manage client applications, and how to import the preregistered examples provided with the API Gateway. It also explains how to migrate existing OAuth 2.0 applications.

Enable OAuth 2.0 management

Enable OAuth endpoints

The OAuth service is not available in the basic installation. You must deploy it manually. A convenience script is provided in $VDISTDIR/samples/scripts/oauth for deploying the OAuth 2.0 services listener, supporting policies, and sample applications. VDISTDIR is the directory in which API Gateway is installed. You can run the script from $VDISTDIR/samples/scripts as follows:

UNIX/Linux 

./run.sh oauth/deployOAuthConfig.py --type=authzserver

Windows 

run.bat oauth\deployOAuthConfig.py --type=authzserver

The parameters for the script are as follows: 

  Usage: deployOAuthConfig.py [options]

  Options:
    -h, --help            show this help message and exit
    -u USERNAME, --username=USERNAME
                          The user to connect to the topology (default 'admin')
    -p PASSWORD, --password=PASSWORD
                          The password for the user to connect to the topology
                          connect user (default 'changeme')
    --port=PORT           The port the Client Application Registry is listening on
                          (default 8089)
    --admin=ADMIN         The Client Application Registry admin name (default
                          regadmin)
    --adminpw=ADMINPW     The Client Application Registry admin password
                          (default changeme)
    --type=TYPE           The deployment type: "authzserver", "clientdemo" or
                          "all" (default all)
    -g GROUP, --group=GROUP
                          The group name
    -n SERVICE, --service=SERVICE
                          The service name

The API Gateway provides the following endpoints used to manage OAuth 2.0 client applications:

Description URL

Authorization Endpoint (REST API)

https://apigateway:8089/api/oauth/authorize

Token Endpoint (REST API)

https://apigateway:8089/api/oauth/token

Token Info Endpoint (REST API)

https://apigateway:8089/api/oauth/tokeninfo

Revoke Endpoint (REST API)

https://apigateway:8089/api/oauth/revoke

Oracle Client Application Registry (HTML Interface)

https://apigateway:8089

Oracle Client Application Registry (REST API)

https://apigateway:8089/api/kps/ClientApplicationRegistry


In this table, apigateway refers to the machine on which API Gateway is installed.

[Important] Important

You must first enable the OAuth listener port in the API Gateway before these endpoints are available.

Enable OAuth endpoints

To enable the OAuth management endpoints on your API Gateway, perform the following steps:

  1. In the Policy Studio tree view, select Listeners > API Gateway > OAuth 2.0 Services > Ports.

  2. Right-click the OAuth 2.0 Interface in the panel on the right, and select Edit.

  3. Select Enable Interface in the dialog.

  4. Click the Deploy button in the toolbar.

  5. Enter a description and click Finish.

[Note] Note

On Linux-based systems, such as Oracle Enterprise Linux, you must open the firewall to allow external access to port 8089. If you need to change the port number, set the value of the env.PORT.OAUTH2.SERVICES environment variable. For details on setting external environment variables for API Gateway instances, see the API Gateway Deployment and Promotion Guide.

Import client applications

Import the sample client applications

The API Gateway ships with a number of preregistered sample client applications. If you have used the deployOAuthConfig.py script to deploy the OAuth service, these samples will already be imported. If the script was not used, the samples will not be imported. For more information on using the deployOAuthConfig.py script, see the section called “Enable OAuth 2.0 management”. This section explains how to manually import the sample applications into the Client Application Registry.

[Note] Note

The sample client applications are for demonstration purposes only and should be removed before moving the Authorization Server into production.

For example, the default example client applications include the following:

Client ID Client Secret

SampleConfidentialApp

6808d4b6-ef09-4b0d-8f28-3b05da9c48ec

SamplePublicApp

3b001542-e348-443b-9ca2-2f38bd3f3e84


Import the sample client applications

To import the preregistered example client applications, perform the following steps:

  1. Access the Client Application Registry Web interface at the following URL: 

    https://localhost:8089

  2. Enter the default username/password of admin/changeme.

  3. Click the Import button at the top right of the window.

  4. Select the following sample file in the dialog: 

    $VDISTDIR/samples/scripts/oauth/sampleapps.dat

    VDISTDIR specifies the directory in which the API Gateway is installed.

  5. You can also enter a Decryption Secret in the dialog. However, the sampleapps.dat file is in plaintext format, and does not require a password.

  6. Click OK to import the two sample applications. The following figure shows these applications imported into the Client Application Registry:

    Client Application Registry HTML Interface

Alternatively, you can use the following script to import the sample client application data without using the Client Application Registry web interface: 

$VDISTDIR/samples/scripts/oauth/importSampleData.py

You can edit this script to configure your user credentials and file location.

Migrate client applications

Migrate existing client applications

If you are migrating from API Gateway version 11.1.2.0.x, you can use the following script to migrate your existing OAuth client applications: 

$VDISTDIR/samples/scripts/oauth/migrateFrom71.py

This script enables you to first export your existing client application data, which you can then import as described in the section called “Import client applications”. This script has a --password parameter if you wish to encrypt the exported data for transport.

Migrate existing client applications

To migrate your existing client applications, perform the following steps:

  1. After installing API Gateway 11.1.2.3.0, copy the $VDISTIR/samples/oauth/migrateFrom71.py file to the same location in your existing API Gateway 11.1.2.0.x installation: 

    $VDISTIR/samples/oauth/migrateFrom71.py

  2. In your existing API Gateway 11.1.2.0.x installation, ensure that $VDISTIR/samples/scripts/common.py has the correct defServerName and defGroupName variables set for your existing topology.

  3. Run the migrateFrom71.py script against your running version 11.1.2.0.x Admin Node Manager and API Gateway. The script outputs the following file: 

    $VDISTIR/samples/oauth/appregistry/encodedapps.dat

    [Note] Note

    To encrypt the data, run the script with the --password parameter.

  4. Check the encodedapps.dat file to ensure that the export has been successful.

  5. Import the encodedapps.dat output by the script into a running API Gateway 11.1.2.3.0 using the Client Application Registry web interface. For more details, see the section called “Import client applications”. When importing encrypted data, you must enter a password in the Decryption Secret field.

Upgrade API Gateway configuration

If you are migrating from a previous API Gateway version, you must upgrade your API Gateway configuration. To generate an upgraded API Gateway version 11.1.2.3.0 configuration, perform the following steps:

  1. Run the following script from your version 11.1.2.3.0 installation directory: 

    11.1.2.3.0_INSTALL_DIR/platform/bin/upgradeConfig 
 --groups -d OLD_VERSION_INSTALL_DIR 
 -o path/to/upgrade/output/

  2. In Policy Studio, select File > Open File.

  3. Specify the following file: 

    path/to/upgrade/output/groups/group-2/conf/<guid>/configs.xml

  4. In the open configuration in the Policy Studio tree, under Key Property Stores, delete ApiKeyStore and ClientApplicationRegistry.

  5. Select File > Save > Deployment Package to export a .fed file.

  6. Start the version 11.1.2.3.0 Admin Node Manager and API Gateway instance.

  7. In Policy Studio, close the connection to the file, and connect to the now running 11.1.2.3.0 Admin Node Manager. Before connecting to the API Gateway instance, click Deploy.

  8. Click Browse for .fed, and select the .fed file exported previously.

  9. Import the client applications using the the web-based portal on https://localhost:8089 by clicking Import, and browsing to the file created in the previous section: 

    11.1.2.3.0_INSTALL_DIR/samples/oauth/appregistry/encodedapps.dat

For more details on upgrading API Gateway configuration, see the API Gateway Installation and Configuration Guide.

Prev  Up  Next
  Home