Adding an OAuth 2.0 Partner Provider
Prerequisites:
You must have the API Gateway's manage security configurations functional privilege assigned to add a partner provider.
The OAuth 2.0 configuration in API Gateway is split into two sections: Partner providers and Authorization servers.
The Partner providers section includes provider-specific information for API Gateway to communicate with the OAuth 2.0 provider.
* To add an OAuth 2.0 partner provider
1. Select Username > Administration.
2. Select Security > OAuth 2.0.
3. In the Partner providers section, click Add provider.
4. Provide the following information:
Field
Description
Name
Name of a third-party OAuth 2.0 provider. For example, Amazon.
You can also use one of the following pre-configured third-party providers that is shipped with the API Gateway installation:
* PingFederate
* OKTA
Scope management ESB service
Name of an IS service that creates and manages the scopes in the OAuth 2.0 authorization server.
You might use the Scope management ESB service field when adding a third-party OAuth 2.0 provider that is not shipped with API Gateway. OAuth 2.0 scope management has no predefined standard, and the implementation for managing OAuth 2.0 scopes can vary between providers. API Gateway uses the IS service to create and manage the OAuth 2.0 scopes in the configured OAuth 2.0 authorization server.
API Gateway sends a specific set of parameters to the IS service for scope management. For details on these parameters, see Parameters for IS Service below.
Client metadata field mapping. Specifies the mapping of OAuth 2.0 dynamic client registration specification to that of the client implementation of the OAuth 2.0 provider.
The Client metadata field mapping fields are required when you are adding a third-party provider that is not shipped with API Gateway.
Specification name
The client metadata attributes in accordance with the OAuth 2.0 Dynamic Client Registration specification as defined in RFC 7591.
redirect_uris. Redirection URL to which the OAuth 2.0 authorization server redirects the authorization code once the authorization request is approved by the end user.
Note: If you do not specify this attribute, API Gateway automatically generates the URL.
token_endpoint_auth_method. The OAuth 2.0 client authentication method at the token endpoint.
grant_types. The grant type of OAuth 2.0 authorization flow to obtain authorization codes, ID tokens, and refresh tokens.
response_types. The type of response that the client application uses at the OAuth 2.0 authorization endpoint.
client_name. Name of the client to use to represent the client application to the end user during authorization.
client_uri. URL of the client application.
logo_uri. URL of an image to use to represent the client application to the end user during authorization.
Note: The logo_uri is currently not supported in API Gateway.
scope. List of user-authorized scopes that the client uses for requesting access tokens.
Note: If you do not specify this attribute, the authorization server registers the client with a default set of scopes.
contacts. The means (for example, Email address) by which end users can contact the client for support requests.
tos_uri. URL of the service document for the client that describes a contractual relationship between the end-user and the client that the end-user accepts when authorizing the client.
Note: The tos_uri is currently not supported in API Gateway.
jwks_uri. URL of the JSON Web Key (JWK) Set document containing the client's public keys.
Note: The jwks_uri is currently not supported in API Gateway.
client_id. Identifier that is unique to the client application.
client_secret. The password or phrase for the client application to use to authorize communication with the end user.
Implementation name
The client metadata attributes that are used by the OAuth 2.0 authorization server, but are not in accordance with the OAuth 2.0 Dynamic Client Registration specification.
Example:
* For the redirect_uris field, provide the value redirectUris.
* For the grant_types field, provide the value grantTypes.
* For the client_name field, provide the value name.
* For the logo_uri field, provide the value logoUrl.
* For the client_id field, provide the value clientId.
* For the client_secret field, provide the value secret.
Extended request parameters. Specifies the additional client metadata attributes that are specific to the OAuth 2.0 authorization server, and are not specified in the OAuth 2.0 Dynamic Client Registration specification.
Example (PingFederate):
forceSecretChange = true
Key
The client metadata attribute that is specific to the OAuth 2.0 authorization server.
Value
A value for the client metadata attribute. When sending requests to the authorization server, this value is appended to all requests.
5. Click Save.
The OAuth 2.0 partner provider is added. You can add as many partner providers as required.
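The field mapping and extended parameters described in step 4 can be worked through in code. This is an added example, not Software AG's code: it translates an RFC 7591 client registration document into the provider-specific form using a mapping built from the page's own example values, drops the attributes the page lists as unsupported, fills the auto-generated redirect URL with a labelled placeholder, and appends the extended parameters. The sample request, the default redirect URL and the collision check are assumptions.

```python
# Added example (not Software AG's code). Translates an RFC 7591 client
# registration request into the provider-specific body using the
# "Client metadata field mapping" and "Extended request parameters".

# Attributes the page lists as not supported by API Gateway: they are
# dropped rather than forwarded to the provider.
UNSUPPORTED_ATTRIBUTES = {"logo_uri", "tos_uri", "jwks_uri"}

# "Specification name" -> "Implementation name", taken from the page's example.
EXAMPLE_FIELD_MAPPING = {
    "redirect_uris": "redirectUris",
    "grant_types": "grantTypes",
    "client_name": "name",
    "logo_uri": "logoUrl",
    "client_id": "clientId",
    "client_secret": "secret",
}

# "Extended request parameters", appended to every request (page example).
EXTENDED_PARAMETERS = {"forceSecretChange": "true"}

# Constructed placeholder; the real gateway generates its own callback URL.
DEFAULT_REDIRECT_URI = "https://gateway.example.invalid/oauth/callback"

# Constructed sample RFC 7591 request with no redirect_uris attribute.
SAMPLE_REGISTRATION = {
    "client_name": "Orders mobile app",
    "grant_types": ["authorization_code", "refresh_token"],
    "response_types": ["code"],
    "scope": "orders:read",
    "logo_uri": "https://app.example.invalid/logo.png",
}


def map_client_metadata(spec_request, mapping, extended_params,
                        default_redirect=DEFAULT_REDIRECT_URI):
    """Return the provider-specific registration body for an RFC 7591 request."""
    body = {}
    for spec_name, value in spec_request.items():
        if spec_name in UNSUPPORTED_ATTRIBUTES:
            continue  # not supported by API Gateway; never forwarded
        # Attributes without an implementation name keep their spec name.
        body[mapping.get(spec_name, spec_name)] = value
    # redirect_uris is generated automatically when the request omits it.
    redirect_key = mapping.get("redirect_uris", "redirect_uris")
    body.setdefault(redirect_key, [default_redirect])
    # Extended parameters are appended to all requests; a collision with a
    # mapped attribute would silently overwrite client data, so reject it.
    for key, value in extended_params.items():
        if key in body:
            raise ValueError(f"extended parameter {key!r} collides with an attribute")
        body[key] = value
    return body
```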
Parameters for IS Service
API Gateway would send the following configuration parameters to an IS service for scope management:
Parameter
Description
action
Specifies the action you want to perform on an OAuth 2.0 scope.
Possible values are: create and delete.
scopeName
Specifies the name of an OAuth 2.0 scope that is to be created in OAuth 2.0 authorization server.
scopeDescription
Specifies the description of an OAuth 2.0 scope that is to be created in OAuth 2.0 authorization server.
providerName
Specifies the name of an OAuth 2.0 provider.
endpoints
Specifies the Endpoint URL details to create, update, and delete OAuth 2.0 scopes.
endpoint
Specifies an Endpoint URL to create, update, and delete an OAuth 2.0 scope.
headers
Specifies one or more HTTP authorization headers that API Gateway would use to send OAuth 2.0 scope details to OAuth 2.0 authorization server.
https
Specifies the transport protocol that API Gateway would use to send OAuth 2.0 scope details to OAuth 2.0 authorization server.
Possible values are: true and false.
A value of true allows API Gateway to send OAuth 2.0 scope details to the OAuth 2.0 authorization server using the HTTP protocol.
A value of false allows API Gateway to send OAuth 2.0 scope details to the OAuth 2.0 authorization server using the HTTPS protocol.
keyStoreAlias
Specifies the alias of the keystore containing the private key used to secure communication between API Gateway and the OAuth 2.0 authorization server.
keyAlias
Specifies the alias of the private key used to validate the HTTP requests from client applications.
authorizationInfo
Specifies the alias of the OAuth 2.0 authorization server.
type
Specifies the type of authentication scheme that API Gateway would use to communicate with the OAuth 2.0 authorization server for OAuth 2.0 scope management.
Possible values are: basic and token.
username
Specifies the username to access the protected resources.
password
Specifies a valid password associated with the username.
tokentype
Specifies the type of token that would be contained in the HTTP request.
token
Specifies the token that would be contained in the HTTP request.
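The parameter list above describes what the IS service receives; the following added example (not Software AG's code) sketches such a service consuming those parameters and producing one HTTP request per scope action. The request layout (POST to create, DELETE to delete, JSON body), the nesting of endpoints and authorizationInfo, and the sample values are assumptions; the real provider API differs per vendor, which is why API Gateway delegates this step to an IS service.

```python
# Added example (not Software AG's code): a scope-management service skeleton
# that turns the IS service parameters into one request. Request layout and
# parameter nesting are assumptions; vendor APIs differ.
import base64
import json
from urllib.parse import urlparse

ALLOWED_ACTIONS = {"create", "delete"}  # values listed for "action"


def authorization_header(info):
    """Authorization header value from the authorizationInfo parameters."""
    if info["type"] == "basic":
        creds = f"{info['username']}:{info['password']}".encode()
        return "Basic " + base64.b64encode(creds).decode()
    if info["type"] == "token":
        return f"{info['tokentype']} {info['token']}"
    raise ValueError(f"unknown authentication type {info['type']!r}")


def build_scope_request(params):
    """Return (method, url, headers, body) for one scope action."""
    action = params["action"]
    if action not in ALLOWED_ACTIONS:
        raise ValueError(f"unsupported action {action!r}")
    endpoints = params["endpoints"]
    url = endpoints["endpoint"]
    # Credentials are attached below: refuse to send them in the clear.
    if urlparse(url).scheme != "https":
        raise ValueError("scope endpoint must use https when credentials are sent")
    headers = dict(endpoints.get("headers", {}))  # caller-supplied HTTP headers
    headers["Authorization"] = authorization_header(params["authorizationInfo"])
    if action == "create":
        body = json.dumps({"name": params["scopeName"],
                           "description": params.get("scopeDescription", "")})
        return "POST", url, headers, body
    return "DELETE", url.rstrip("/") + "/" + params["scopeName"], headers, None


# Constructed sample parameter document (credentials are placeholders).
SAMPLE_PARAMS = {
    "action": "create",
    "scopeName": "orders:read",
    "scopeDescription": "Read access to orders",
    "providerName": "PingFederate",
    "endpoints": {"endpoint": "https://sso.example.invalid/oauth/scopes",
                  "headers": {"Accept": "application/json"}},
    "authorizationInfo": {"type": "basic", "username": "admin", "password": "secret"},
}
```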

Copyright © 2015- 2018 | Software AG, Darmstadt, Germany and/or Software AG USA, Inc., Reston, VA, USA, and/or its subsidiaries and/or its affiliates and/or their licensors.
Innovation Release