Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
Avinash_Vaidya
Product and Topic Expert

Introduction

In today's rapidly evolving enterprise landscape, the API-first approach has emerged as a cornerstone for organizations striving to stay competitive and relevant. At the heart of this approach lies API management, a central place for the orchestration, optimization, and security of APIs.

In this blog, I will elaborate on the authorization considerations surrounding APIs, as well as the OAuth strategies I've investigated and encountered during my learning journey and professional experience.

If you are new to API management, I highly recommend going through the help documentation to get a basic understanding of the API management capability before diving into this blog.

Throughout the blog, I have added links to learning journeys and blogs which you can refer to. I thought this was better than rewriting content which is already well written.

I will structure the blog into the sections below:

  1. Pre-requisites
  2. Creating a simple integration flow
  3. Securing integration flows
    1. Exploring API Management OAuth Policy
    2. Extending OAuth Beyond API Management
  4. Testing steps for both solution approaches
  5. Conclusion

Pre-requisites

  1. SAP BTP account or trial account
  2. Integration Suite tenant with the capabilities below
    1. Cloud Integration
    2. API Management (ensure you have proper roles assigned)
  3. Process Integration Runtime service
  4. Insomnia or Postman client

Creating a simple integration flow

I created a simple integration flow and deployed it as a REST API in the Cloud Integration tenant. This integration flow does the following things:

1. Logs the incoming message as an attachment

2. Persists the message in a JMS queue

Note - This is a basic integration flow. Consider it a mock iflow which can be replaced by any other iflow based on the business use case.

Figure-1: Integration Flow

Securing integration flows 

In an enterprise landscape, you will always come across situations where you have to expose your integration flows through API management. Of course, Integration Suite provides an API management capability which can seamlessly wrap an integration flow and create an API proxy for it.

One important question always comes up - how do you secure your APIs/iflows? The obvious answer is OAuth 2.0 (Open Authorization 2.0).

Here I will showcase two solution approaches to secure the API with OAuth 2.0.

  1. Exploring API Management OAuth Policy: API Management provides security policies which can be used out of the box.
    1. Create an API proxy: Configure -- APIs -- OAuthService. This service will be used to generate the token. Follow Step 1 (1 - Create the Token Endpoint) from this blog.
    2. Create another API, LogMessageAPI, as a proxy to the iflow. We will add token validation in this proxy. Define the API by referring to Step 2: Define the API from this learning journey.
    3. In the LogMessageAPI:
      1. Add the policy template to the LogMessageAPI as described in Steps 3, 4 and 5 of this learning journey.
      2. Add a VerifyAccessToken policy as the first policy in the pre-flow of the ProxyEndpoint, using the OAuthV2 policy in the LogMessageAPI proxy. Because it runs first, no request reaches the iflow without a token that this proxy has validated.
        <OAuthV2 async="false" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
           <!-- this flag has to be set when you want to work with third-party access tokens -->
           <ExternalAuthorization>false</ExternalAuthorization>
           <!-- valid values are GenerateAccessToken, GenerateAccessTokenImplicitGrant, GenerateAuthorizationCode,
                RefreshAccessToken, VerifyAccessToken, InvalidateToken, ValidateToken -->
           <Operation>VerifyAccessToken</Operation>
           <GenerateResponse enabled="true"/>
           <SupportedGrantTypes/>
           <Tokens/>
        </OAuthV2>
    4. Once you deploy the OAuthService and LogMessageAPI and publish the product to API Business Hub Enterprise, you will get an application key and application secret which can be used as the client id and client secret to get the token.
    5. In this way, you can use the built-in OAuth policy to generate the OAuth token and to validate the token in other API proxies.
  2. Extending OAuth Beyond API Management: Let us dive deeper into another approach where we use the Process Integration Runtime OAuth server to generate the token through the OAuthService API.
    1. Create an API Proxy. Configure -- APIs -- OAuthService.
    2. Import the policy template in the pre-flow of the ProxyEndpoint. I have exported my policy template and it is available on GitHub - https://github.com/avinashvaidya09/apimanagementpolicytemplate
    3. Each policy is listed and briefly described below -
      1. lookupOAuthToken - Using a LookupCache policy, checks whether an access token is already available in the cache.
      2. extractRequestHeader - Using an ExtractVariables policy, extracts the client id and client secret from the request headers.
      3. getBTPOAuthMetadata - Using a KeyValueMapOperations policy, reads the BTP OAuth token URL saved in the key value map.
      4. setAuthorization - Using a BasicAuthentication policy, builds the Authorization header from the client id and client secret.
      5. callBTPOAuthService - Using a ServiceCallout policy, calls the external BTP OAuth token URL.
      6. raiseException - Using the raiseException policy, raises an exception if the BTP OAuth token URL returns an error.
      7. extractVariablesFromOAuthResponse - Using an ExtractVariables policy, extracts the token response.
      8. populateOAuthToken - Using a PopulateCache policy, stores the access token in the cache so that point 1 can find it on the next request.
    4. Go to your BTP subaccount -- Create instance of Process Integration Runtime.
    5. Create a service key and get the OAuth metadata
      1. client id
      2. client secret
      3. token url
    6. Add the token URL to the key value map in the API configuration so that it is externalized. This token URL is used by the service callout policy - callBTPOAuthService.
    7. Save and deploy the OAuthService.
    8. Ensure the integration flow is deployed. Get the endpoint URL.
    9. Create another API, LogMessageAPI, as a proxy to the iflow. Define the API by referring to Step 2: Define the API from this learning journey.
    10. In this API, you do not have to define any access token validation policy: the bearer token is forwarded to the integration flow and validated directly by the Process Integration Runtime.

Test your APIs

  • Download a REST client such as Insomnia or Postman.
  • Deploy the API proxies and get their endpoints.
  1. Testing approach - 1:
    1. Go to API Business Hub Enterprise. Create an application and add the product containing both API proxies.
    2. Get the application secret and application key after the application is created.
    3. Create a new HTTP request for the API proxy OAuthService endpoint.
    4. Add client id - the client id is the application key from point 2.
    5. Add client secret - the client secret is the application secret from point 2.
    6. Add grant type - client_credentials
    7. Add Content-Type - application/x-www-form-urlencoded
    8. Get the access token.
    9. Create a new HTTP request for the API management LogMessageAPI endpoint.
      1. Add the access token
      2. Add a sample JSON payload
    10. Execute the request.
    11. Go to Integration Suite - Monitor - Integration & APIs. You should see a message in the queue. Click on the message id and you will land on the executed iflow with the payload attached for reference.
  2. Testing approach - 2:
    1. Create a new HTTP request for the API management OAuthService endpoint.
    2. Add client id - the client id from the Process Integration Runtime service key.
    3. Add client secret - the client secret from the Process Integration Runtime service key.
    4. Content-Type - application/x-www-form-urlencoded
    5. Get the access token.
    6. Create a new HTTP request for the API management LogMessageAPI endpoint.
      1. Add the access token
      2. Add a sample JSON payload
    7. Execute the request.
    8. Go to Integration Suite - Monitor - Integration & APIs - Message Queues. You should see a message in the queue. Click on the message id and you will land on the executed iflow with the payload attached for reference.
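The two manual test procedures above, and the cache-then-callout policy chain of approach 2, are easy to get subtly wrong in a real client (credentials placed in the URL, a token reused past its expiry, one client's cached token handed to another). The following script is an added example, not code from the original post or from SAP; it is a hypothetical Python client that performs the same client_credentials exchange and bearer call the test steps describe, and models the lookupOAuthToken / callBTPOAuthService / raiseException / populateOAuthToken chain as a small per-client token cache. The endpoint URLs are placeholders to be replaced with the proxy URLs of your own tenant, and the transport function is injectable so the flow can be exercised offline.

```python
"""Hypothetical client for the OAuthService and LogMessageAPI proxies (added example)."""
import base64
import json
import time
import urllib.error
import urllib.parse
import urllib.request

# Placeholders: replace with the API proxy endpoints from your own API Management tenant.
OAUTH_SERVICE_URL = "https://<your-apim-host>/OAuthService/oauth/token"
LOG_MESSAGE_API_URL = "https://<your-apim-host>/LogMessageAPI"


def default_transport(url, method, headers, body):
    """Send one HTTP request with urllib and return (status, response_bytes).
    HTTP errors are returned as a status code rather than raised so the caller decides."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


class TokenCache:
    """Mirrors lookupOAuthToken / populateOAuthToken: one entry per client id, so a
    token issued to one client is never served to another, and the entry is dropped
    a little before the server-side expiry so a stale token is never replayed."""

    def __init__(self, skew_seconds=30, clock=time.time):
        self._entries = {}          # client_id -> (access_token, expires_at)
        self._skew = skew_seconds
        self._clock = clock

    def lookup(self, client_id):
        entry = self._entries.get(client_id)
        if entry is None or entry[1] <= self._clock():
            self._entries.pop(client_id, None)
            return None
        return entry[0]

    def populate(self, client_id, token, expires_in):
        self._entries[client_id] = (token, self._clock() + expires_in - self._skew)


class TokenEndpointError(Exception):
    """Equivalent of the raiseException step: the token URL did not issue a usable token."""


def fetch_token(client_id, client_secret, token_url=OAUTH_SERVICE_URL, transport=default_transport):
    """client_credentials grant as in the test steps: the client id and secret travel in a
    Basic Authorization header (never in the URL), the grant type in a form-encoded body."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    status, raw = transport(token_url, "POST", headers, body)
    if status != 200:
        raise TokenEndpointError(f"token endpoint returned HTTP {status}")
    payload = json.loads(raw)
    if payload.get("token_type", "").lower() != "bearer" or "access_token" not in payload:
        raise TokenEndpointError("token response is not a bearer token")
    return payload["access_token"], int(payload.get("expires_in", 0))


def get_token(client_id, client_secret, cache, **transport_kwargs):
    """The approach-2 policy chain end to end: cache lookup, callout only on a miss, populate."""
    token = cache.lookup(client_id)
    if token is None:
        token, expires_in = fetch_token(client_id, client_secret, **transport_kwargs)
        cache.populate(client_id, token, expires_in)
    return token


def post_log_message(token, message, api_url=LOG_MESSAGE_API_URL, transport=default_transport):
    """Call LogMessageAPI with the bearer token; the VerifyAccessToken policy (approach 1)
    or the Process Integration Runtime (approach 2) validates it before the iflow runs."""
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    status, raw = transport(api_url, "POST", headers, json.dumps(message).encode())
    return status, raw.decode()


if __name__ == "__main__":
    # Example run against a real tenant; the credentials are placeholders.
    cache = TokenCache()
    access_token = get_token("<application key or service-key client id>", "<secret>", cache)
    print(post_log_message(access_token, {"orderId": "constructed-sample-1"}))
```

The cache is keyed by client id on purpose: if the LookupCache / PopulateCache pair in your policy template uses a constant key instead, every caller of the OAuthService proxy would receive whichever token was cached last, so check the cache key when you adapt the template. Subtracting a small skew from expires_in is what keeps the cached token from being forwarded to the Process Integration Runtime a few seconds after it has already expired there.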

Conclusion

Drawing from my experience, I must emphasize that these insights can serve as a starting point, though their applicability may vary based on specific scenarios.

This is just a glimpse of the wide set of capabilities offered by SAP Integration Suite and API management. Stay curious! Keep learning!
