Authenticating and authorizing through a redirect URL
You can use a service that is hosted externally from IBM® API Connect to collect authentication and authorization details from your user when an application requests access on that user's behalf.
Before you begin
To complete this task, you will need to either create or have created an OAuth security definition that uses Implicit grant type or Access Code (Authorization Code) grant type. For more information, see Creating an OAuth security definition.
About this task
If you use methods for authentication that are not supported by API Connect, you can redirect users to a suitable URL at which they can authenticate. The user is then returned to the OAuth process after authentication and authorization have been confirmed.
To create an external form, and to indicate the URL to which API Connect will redirect users, complete the following instructions:
Create your service for authentication and authorization. You will use the URL of the landing page of this service as your redirect URL.
To include elements in your form that are provided by API Connect, use the following query parameters from the URL that your user is redirected to.
Note: With the exception of original-url, none of these parameters are included in the URL automatically; you must add them as required.
The URL to which the user is sent when redirected to your page has the following form:
- The name of the application requesting access, as provided through the Developer Portal.
- The id of the application requesting access.
- The name of the catalog where the product is being used by the application.
- The id of the catalog where the product is being used by the application.
- User-friendly display name for the catalog.
- The name of the consumer organization that hosts the application.
- The id of the consumer organization that hosts the application.
- User-friendly display name for the organization.
- The original URL that the user was directed to by the application, including the query parameters from the original URL that are necessary for standard OAuth 2.0 requests. You can use these parameters in your service to provide information to the user. Additionally, the state_nonce is appended. The state_nonce is a hash code generated by API Connect for verification purposes. The URL is URL-encoded and should be decoded before further use; the state_nonce should remain unchanged.
- The name of the API provider organization.
- The id of the API provider organization.
- User-friendly display name for the provider organization.
- [optional] If Application Scope check is enabled and replaces the scope from the initial application request, this field holds the scope value from the initial application request, and the new replacement scope value is put into
- The transaction ID used in the gateway for the transaction that triggered this call.
where all variables are as described previously. The Redirect URL does not have a size limit enforced by API Connect.
Create the stages of authentication, authorization, and any intermediate stages that you require to take place before you allow access to the application. Upon completion of these stages, redirect the user to the Original_URL and append a user name, their confirmation code, and the application name to be evaluated for access grant or denial by API Connect. The confirmation code does not have a size limit enforced by API Connect.
Original URL requires the following form:
where all variables are as described previously. For example:
To send your own error responses after the authentication and authorization service, redirect the user to the Original_URL and append an error code. You can also append a user name. Use the following form:
where Error_Response is the message you wish to send and all other variables are as described previously. For example:
- In your OAuth provider configuration, supply the redirect URL that is used in Step 1 and the authentication URL that is used in Step 2.