webMethods and Intelligent Business Operations 10.2 | API Gateway User's Guide | API Gateway Administration | Security Configuration | OAuth 2.0 | Adding an OAuth 2.0 Authorization Server
 
Adding an OAuth 2.0 Authorization Server
Pre-requisites:
You must have the API Gateway's manage security configurations functional privilege assigned to add an authorization server.
The OAuth 2.0 configuration in API Gateway is split into two sections - Partner providers and Authorization servers.
The Authorization servers section provides information on the OAuth 2.0 endpoint URLs, such as metadata URLs, dynamic client registration endpoint URLs, and scope management URLs, SSL configuration, and user authentication (HTTP basic or Bearer token).
* To add an OAuth 2.0 authorization server
1. Select Username > Administration.
2. Select Security > OAuth 2.0.
3. In the Authorization servers section, click Add authorization server.
This opens the Add authorization server page. This page is split into the following sections:
*Endpoints
*Authentication
*SSL Configuration
*Metadata
*Token introspection
If you want to expand or collapse a section, use the up arrow and down arrow icons that appear next to the section name.
4. Provide the following information:
Field
Description
Authorization server alias
Alias of the authorization server.
Provider name
Name of a third-party OAuth 2.0 provider.
5. In the Endpoints section, click Add endpoints and provide the following information to add the required OAuth 2.0 endpoints:
Field
Description
Use keystore
Select Use keystore if API Gateway must authenticate to this endpoint with a client certificate, that is, over a two-way (mutual) SSL connection using the keystore and key alias configured in the SSL Configuration section.
Type
Select one or more Endpoint URL types to create, update, and delete client applications and scopes.
*Client read: Fetches the details of a client application specified by the clientId.
*Client registration: Registers a client application in the authorization server.
*Client update: Updates the configuration of a client application specified by the clientId.
*Client delete: Deletes a client application specified by the clientId.
*Scope read: Fetches the details of a scope specified by the scopeId.
*Scope create: Creates a scope for the authorization server.
*Scope update: Updates the configuration of a scope specified by the scopeId.
*Scope delete: Deletes a scope specified by the scopeId.
For example, the endpoint URLs for updating an OAuth client application or an OAuth scope are of the form:
PUT /oauth2/v1/clients/{client_id}
PUT /oauth2/v1/scopes/{scope_id}
Write the clientId and scopeId path parameters as placeholders in curly braces, {client_id} and {scope_id}, so that API Gateway can substitute the actual ID when it calls the endpoint. Do not use the colon notation (:clientId, :scopeId) that some API documentation uses for path parameters.
URL
The REST endpoint URL on the authorization server for the selected endpoint type (client management or scope management).
Headers
HTTP headers that API Gateway adds to requests sent to this endpoint, for example an authorization header expected by the authorization server.
Key
Name of the HTTP header.
Value
Value of the HTTP header.
6. In the Authentication section, provide the following information for OAuth 2.0 authentication scheme.
Field
Description
Type
Authentication scheme that API Gateway uses when it calls the authorization server's client and scope management endpoints.
*Basic: API Gateway sends the configured username and password in an HTTP Basic authorization header.
Username. The username of the account on the authorization server that is permitted to manage client applications and scopes.
Password. The password for that username.
*Token: API Gateway sends the configured token as a bearer token in the authorization header.
Token type. The token type, that is, the scheme that precedes the token in the authorization header (for example, Bearer).
Token. The token value that API Gateway sends in the HTTP requests.
7. In the SSL Configuration section, provide the following information for OAuth 2.0 SSL configuration.
Field
Description
Keystore alias
Alias of the keystore containing the private key that is used for a secured communication between API Gateway and OAuth 2.0 authorization server.
The Keystore alias box lists all the keystore aliases available in API Gateway. If there are no configured keystore aliases, this box lists the default Integration Server keystore, DEFAULT_IS_KEYSTORE.
Key alias
Alias of the private key in the selected keystore that API Gateway presents as its client certificate when the authorization server requires two-way SSL.
The Key alias box is auto-populated and lists all the aliases available in the selected keystore. If there are no configured keystores, this list box is empty.
8. In the Metadata section, provide the following information for OAuth 2.0 authorization server metadata.
Field
Description
Access token URL
The endpoint URL on the authorization server through which the client application exchanges the authorization code, client ID, and client secret, for an access token.
Authorize URL
The endpoint URL on the authorization server through which the end user authenticates and grants authorization to the client application.
Refresh token URL
The endpoint URL on the authorization server through which the client application refreshes an expired access token.
9. In the Introspection endpoint configuration section, provide the following information for OAuth 2.0 token introspection.
Field
Description
Introspection endpoint
URL of the token introspection endpoint of a third-party OAuth 2.0 authorization server. API Gateway uses the introspection endpoint to check that access tokens used in client requests are currently active.
User
The Integration Server user that API Gateway uses to invoke the token introspection endpoint.
Client ID
ID of the introspection client on the OAuth 2.0 authorization server that API Gateway uses to introspect the access tokens.
Client secret
Client secret of the introspection client that API Gateway uses to authenticate when it introspects the access tokens.
Keystore alias
Alias of the keystore that API Gateway uses to communicate with the OAuth 2.0 authorization server during a mutual (two-way) SSL handshake.
The Keystore alias field contains a list of the available keystore aliases in API Gateway. If there are no configured keystore aliases, this field displays the DEFAULT_IS_KEYSTORE.
Note: You need to select a keystore alias only when the client account on the corresponding OAuth 2.0 authorization server is configured to use mutual (two-way) SSL.
Key alias
Alias of the private key that API Gateway uses to communicate with the third-party OAuth 2.0 authorization server during a mutual (two-way) SSL handshake.
The Key alias field contains a list of the available aliases in the selected keystore. If there are no configured keystores, this field is empty.
Note: You need to select a key alias only when the client account on the corresponding OAuth 2.0 authorization server is configured to use mutual (two-way) SSL.
Truststore alias
Alias of the truststore on API Gateway that holds the Certificate Authority (CA) certificate of third-party OAuth 2.0 authorization server.
Note: You need to select a truststore alias only when all of the following are true:
*The client account on the third-party OAuth 2.0 authorization server is configured to use mutual (two-way) SSL, and
*The authorization server’s Certificate Authority certificate is not in the set of well-known authorities trusted by the JVM in which API Gateway runs.
10. Click Save.
The OAuth 2.0 authorization server is added. You can add as many authorization servers as required, but only one is the default at any given time.
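The steps above configure what API Gateway sends to the authorization server. As an added example (not Software AG product code), the following Python module models those outbound calls: endpoint URL templates with {client_id} and {scope_id} placeholders as in step 5, the Basic or Token authorization header from step 6, and the RFC 7662 introspection check behind the Introspection endpoint in step 9. The host name, credentials and tokens are constructed sample values, and the choice to authenticate the introspection client with HTTP Basic is the example's own assumption; the page lists only a Client ID and Client secret.

```python
"""Added example, not Software AG product code: a model of the outbound calls
API Gateway makes to a third-party OAuth 2.0 authorization server as configured
on the Add authorization server page (endpoint URL templates, the Basic/Token
Authentication section, and an RFC 7662 token introspection check).
All host names, IDs, secrets and tokens are constructed sample values."""
import base64
import re
import time
from typing import Optional
from urllib.parse import urlencode

# Placeholders the page asks for: {client_id} and {scope_id} in curly braces.
PLACEHOLDER = re.compile(r"\{(client_id|scope_id)\}")
ANY_BRACE = re.compile(r"\{([^{}]*)\}")
COLON_PARAM = re.compile(r"/:[A-Za-z_][A-Za-z0-9_]*")  # ':clientId' style, not accepted
SAFE_ID = re.compile(r"[A-Za-z0-9._~:-]+")  # keep the substituted path segment opaque
KNOWN = {"client_id", "scope_id"}


def template_is_valid(template: str) -> bool:
    """No colon-style parameters, and every {placeholder} is one the page defines."""
    if COLON_PARAM.search(template):
        return False
    return all(name in KNOWN for name in ANY_BRACE.findall(template))


def build_endpoint_url(template: str, **ids: str) -> str:
    """Substitute {client_id} / {scope_id} into a configured endpoint URL.
    Templates without a placeholder (client registration, scope create) pass through."""
    if not template_is_valid(template):
        raise ValueError("write path parameters as {client_id} or {scope_id}")

    def substitute(match):
        name = match.group(1)
        if name not in ids:
            raise KeyError(f"no value supplied for {{{name}}}")
        if not SAFE_ID.fullmatch(ids[name]):
            raise ValueError(f"{name} contains characters not allowed in a path segment")
        return ids[name]

    return PLACEHOLDER.sub(substitute, template)


def auth_header(auth: dict) -> dict:
    """Authentication section: Basic (username/password) or Token (token type + token)."""
    if auth["type"] == "Basic":
        raw = f"{auth['username']}:{auth['password']}".encode("utf-8")
        return {"Authorization": "Basic " + base64.b64encode(raw).decode("ascii")}
    if auth["type"] == "Token":
        return {"Authorization": f"{auth['token_type']} {auth['token']}"}
    raise ValueError(f"unsupported authentication type: {auth['type']!r}")


def management_request(method: str, template: str, auth: dict,
                       extra_headers: Optional[dict] = None, **ids: str) -> dict:
    """One client/scope management call, e.g. Client update = PUT .../clients/{client_id}."""
    headers = auth_header(auth)
    headers.update(extra_headers or {})  # Headers key/value pairs from the Endpoints section
    return {"method": method, "url": build_endpoint_url(template, **ids), "headers": headers}


def introspection_request(endpoint: str, client_id: str, client_secret: str, token: str) -> dict:
    """RFC 7662 introspection: POST the token as a form body. The introspection client
    authenticating with HTTP Basic is this example's assumption."""
    headers = auth_header({"type": "Basic", "username": client_id, "password": client_secret})
    headers["Content-Type"] = "application/x-www-form-urlencoded"
    body = urlencode({"token": token, "token_type_hint": "access_token"})
    return {"method": "POST", "url": endpoint, "headers": headers, "body": body}


def token_is_active(response: dict, now: Optional[float] = None,
                    required_scope: Optional[str] = None) -> bool:
    """Accept a token only if the server says 'active': true; a missing or false
    'active' is a rejection. Also honour exp/nbf when present and an optional scope."""
    now = time.time() if now is None else now
    if response.get("active") is not True:
        return False
    exp = response.get("exp")
    if exp is not None and now >= exp:
        return False
    nbf = response.get("nbf")
    if nbf is not None and now < nbf:
        return False
    if required_scope is not None:
        granted = set(str(response.get("scope", "")).split())
        if required_scope not in granted:
            return False
    return True


if __name__ == "__main__":
    AS = "https://as.example.com"  # constructed authorization server host
    req = management_request("PUT", AS + "/oauth2/v1/clients/{client_id}",
                             {"type": "Basic", "username": "gw-admin", "password": "s3cret"},
                             client_id="app-42")
    print(req["method"], req["url"], req["headers"]["Authorization"])
    intro = introspection_request(AS + "/oauth2/v1/introspect", "gw-introspect", "topsecret", "sample.token")
    print(intro["method"], intro["url"], intro["body"])
    # Constructed introspection responses: one live token, one revoked.
    print(token_is_active({"active": True, "exp": 1900000000, "scope": "read write"},
                          now=1700000000, required_scope="read"))
    print(token_is_active({"active": False}))
```

The two checks worth carrying into a real deployment are the ones on the introspection response: treat anything other than a literal `active: true` as a rejection, and do not let a network or parsing failure fall through to "allowed".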

Copyright © 2015- 2018 | Software AG, Darmstadt, Germany and/or Software AG USA, Inc., Reston, VA, USA, and/or its subsidiaries and/or its affiliates and/or their licensors.
Innovation Release