OAuth with SAP API Management (HCP) – Part 2
In Part1 of our OAuth client credential flow tutorial, we created a token endpoint and created a resource to be protected by an OAuth verification policy.
Referring to our diagram below, we did implement steps 1 and 2, and we’ll implement the remaining steps in this tutorial.
3- Create an API product
The “API product” is a SAP API Management term, and implements the ability to create logical bundles of APIs.
You can enhance these bundles with quotas: for instance a premium set of APIS – ie. API Product – has a quota of 1000 requests per minute. A “free” set of APIs may be limited to 1000 request per month.
You can also set an OAuth scope on the API product level, to restrict access to your APIs.
To create the API Product, log into your HCP tenant and navigate to your API Management Service.
Go the the API proxy page, and click on the “PRODUCT” tab.
Now click on “Create” and create a new product that includes our previously created “OAuthTestProxy” API.
Give it the name “OAuthTestProduct“.
Your API product should look like this:
This product is now available to Application Developers. They access and subscribe to this API product using the Developer Portal.
4- Create an application
Log into your Developer Portal and click on the “OAuthTestProduct”.
The details to the API product are displayed. Click on the “Subscribe” link at the bottom of your screen. Select “New Application”.
Enter a name for your Application, such as “OAuthTestApplication“.
The “Callback URL” is not needed but this would be used for a three-legged OAuth authorization scenario.
Click on “Save”.
As you can see, you now have an application key and an application secret, that you can use to generate an OAuth access token.
5- Get an access token
Now that we have all elements in place, we can test our use case.
First of all, we need to get a token from our token endpoint.
This is done by making a call to the token endpoint, by specifying the client id and client secret of the application.
This is done through a “POST” method, and the body being sent as x-www-form-urlencoded.
Create a new request in POSTMAN, and set its settings as follows:
– Method: POST
– URL: https://your_APIM_Service/v1/OAuthService/GenerateToken
client_id: set it to the Application key
client_secret: set it to the Application secret
Once the request is in place, you may want to save it for next tests since the token will expire.
Notice that the response carries an element called “access_token“. This is the string we want to use when calling an OAuth-protected resource.
6- Call the protected resource
This is the last step of our tutorial: we will make a call to our protected resource.
To do so , let’s create a new request in Postman.
– Method: GET
– URL: https://your_APIM_Service/v1/OAuthTest/Test1
Value: “Bearer ” + the access token from the previous request
Example: “Bearer KJD2uiKJ98Hkjhh2773d”
Be careful that the “Authorization” value is set to “Bearer” followed by a space and the access_token.
As you can see, we are getting the response we specified for the “Test1” resource.
If you change the access token, you will be forbidden the access.
As you could see throughout this tutorial, it’s quite easy to use OAuth within SAP API Management.
Furthermore, you get a specification-compliant OAuth v2 endpoint to facilitate the implementation of any scenario you may have.
The “credential flow” is only one aspect of OAuth, but thanks to the flexibility of SAP API Management, you can implement any OAuth flow that will suit your needs.