Tutorial: Implementing OpenID Connect Security

This tutorial shows you how to add OpenID Connect capability to an existing native OAuth provider using API Manager.

About this tutorial

In this tutorial you will complete the following lessons:
  1. Add OIDC capability to an OAuth native provider
  2. Test OIDC Security

Before you begin

In this tutorial you will implement and test OpenID Connect security. To complete this tutorial, you must have the following available:
  1. An existing published native OAuth provider. If you do not have one available, complete the Tutorial: Implementing OAuth Security tutorial.
  2. An external application, such as cURL, used to send requests to the OAuth token provider endpoint.
Note: The Sandbox catalog must be configured to use either a DataPower® Gateway (v5 compatible) or a DataPower API Gateway or both. See Creating and configuring Catalogs.

Add OIDC capability to an OAuth native provider

To add OIDC security to a native OAuth provider by using API Manager, complete the following steps:
  1. Log in to API Manager.
  2. Click the Resources icon in the side bar.

    Resources page

  3. Click OAuth Providers.

    User Registries list

  4. Click the name of an available OAuth provider, such as MainProviderOA.
  5. The Info page appears. Click Introspection. Note that introspection is not required, but provides helpful debugging capabilities.

    Provider info

  6. Select Introspection.

    Introspection form

  7. Click Save.
  8. Click OpenID Connect on the side bar.
  9. Select Enable OIDC.

    OIDC form

  10. Select Auto Generate OIDC API Assembly.

    OIDC enabled

  11. Enter a JWK in the ID token signing key field. Here is an example. { "alg": "HS256", "kty": "oct", "use": "sig", "k": "o5yErLaE-dbgVpSw65Rq57OA9dHyaF66Q_Et5azPa-XUjbyP0w9iRWhR4kru09aFfQLXeIODIN4uhjElYKXt8n76jt0Pjkd2pqk4t9abRF6tnL19GV4pflfL6uvVKkP4weOh39tqHt4TmkBgF2P-gFhgssZpjwq6l82fz3dUhQ2nkzoLA_CnyDGLZLd7SZ1yv73uzfE2Ot813zmig8KTMEMWVcWSDvy61F06vs_6LURcq_IEEevUiubBxG5S2akNnWigfpbhWYjMI5M22FOCpdcDBt4L7K1-yHt95Siz0QUb0MNlT_X8F76wH7_A37GpKKJGqeaiNWmHkgWdE8QWDQ", "kid": "hs256-key" }
  12. Select HS256 in the ID token signing algorithm field.

    Set signing key

  13. Click Save.
  14. Click the Manage icon in the side bar.

    Edit provider form

  15. Click the Sandbox catalog icon.

    Sandbox test app credentials

  16. Click the Settings icon in the side bar.

    Sandbox product list

  17. Click API Endpoints.

    OAuth provider list

  18. Make a note of the gateway URL. You will need this to obtain an OAuth token.

    API endpoints

Verify or create test application credentials

You will need the client ID and client secret for an application to test the OIDC functionality. You obtained this information during the completion of the Tutorial: Creating a Client Application tutorial listed in the Prerequisites.
Note: These steps are necessary only if you did not make note of the credentials for the client application you previously created.
  1. Click the Applications icon in the side bar.
  2. Click the v (down arrow) icon to display subscriptions for the AppOne application, and verify that the FindBranch auto product is listed.

    Applications page

  3. Click the Options icon at the end of the AppOne row in the applications table. Select Credentials.

    App options

  4. Click Add.

    App credentials

  5. Copy both the Client ID and Client Secret (you need these values to obtain an OAuth token). Click Create to add the new credentials to the AppOne application.

    New credentials page

  6. Click the Back arrow until you see the Manage page.

    Credentials list

Test OIDC Security

Note: Due to Cross-Origin Resource Sharing (CORS) restrictions, the assembly test tool cannot be used with the Chrome or Safari browsers on the macOS Catalina platform.
To test the new OIDC security added to the API, complete the following steps:
  1. Click the Develop icon in the side bar.

    Manage page

  2. On the Develop page, click the name of the API that uses the OAuth provider to which you added OIDC. This tutorial uses the FindBranch API.

    API list

  3. Click Assemble in the page header to open the Test panel.
  4. Click the Test icon.

    Assemble page

  5. In the Test panel's "Setup" section, click Republish product.

    Test setup

    You must now resubscribe the test application to the updated product.

  6. Open a copy of the API Manager in a new browser tab.

    For example, in Windows, right-click API Manager in the page header, and select Open Link in New Tab.

    Test setup

    Complete the following steps to subscribe the client app to the updated API:
    1. In the newly opened browser tab, log in to API Manager.
    2. On the Home page, click Manage in the navigation list.
    3. Click the Sandbox catalog.
    4. Click Applications to open the list of available applications.

      Applications

    5. Click the Options icon for the AppOne application, and select Create subscription.

      Applications

    6. Select FindBranch auto product, and click Create.

      Applications

    Return to the browser tab where you opened the Test panel.

  7. Select get /details in the Operation field.

    Test setup

  8. Paste the application's client ID in the clientId field.
  9. Paste the application's client secret in the clientSecret field.

    Input client credentials

  10. Enter user in the Username field, and enter pass in the Password field.

    Input client username

  11. Obtain an OAuth token. For example, run the following cURL command in a command window to obtain the token (the scope value is URL-encoded because it contains a space; the openid scope is what makes the response include an ID token):

    curl -k https://gateway_url/org_name/sandbox/mainprovideroa/oauth2/token -d "grant_type=password&scope=details%20openid&username=user&password=pass&client_id=app_client_id&client_secret=app_client_secret"

    Obtaining a token

  12. Introspect the token. In this case, cURL is used to obtain the data returned from the introspection endpoint. Use a command similar to the following command.

    curl -k https://gateway_url/org_name/sandbox/mainprovideroa/oauth2/introspect -d "username=user&password=pass&client_id=app_client_id&client_secret=app_client_secret&token=Atokenstring"

    Obtaining a token

  13. Enter or paste the access token in the explorer_access_token field, and then click explorer_authorize.

    Here is an example token: AAIgMTNhYjc2YTIwMGQ2MjY3ODU2Nzk3MDA3MGQ4MjlhOWVB6SC-uB9MEh0fTFeBHneCvKiDtIpfjgqgIbQ2jx64CVhWbgaOQdCS16IpSkLfIfJqOn8CGheVM9vFWVDIfHLv4u0HhVhGdCNu7xfWgkQl3w

    Input OAuth token

  14. Click Invoke to execute the API call.

    You might see a yellow error box with a URL embedded in it. Click this URL to override the indicated browser certificate error.

    Test invoke

  15. Click Invoke again. The response contains branch data and the HTTP status 200 OK.

    Repeat invoke
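
The token response from step 11 also carries an ID token signed with the HS256 key you entered in the "ID token signing key" step. As an added example (not part of the original tutorial or of API Manager), the following Python shows what a relying party should check on that ID token: pin the algorithm and kid to the configured JWK, verify the HMAC in constant time, and validate iss, aud and exp. The sample token is constructed locally with that same JWK, and the issuer URL and client ID are assumed placeholders matching the tutorial's gateway URL.

```python
import base64, hashlib, hmac, json, time

# Symmetric JWK from the tutorial's "ID token signing key" step; "k" is the HS256
# secret the gateway uses to sign ID tokens, so it is also the verification key.
SIGNING_JWK = {"alg": "HS256", "kty": "oct", "use": "sig", "kid": "hs256-key",
    "k": "o5yErLaE-dbgVpSw65Rq57OA9dHyaF66Q_Et5azPa-XUjbyP0w9iRWhR4kru09aFfQLXeIODIN4uhjElYKXt8n76jt0P"
         "jkd2pqk4t9abRF6tnL19GV4pflfL6uvVKkP4weOh39tqHt4TmkBgF2P-gFhgssZpjwq6l82fz3dUhQ2nkzoLA_CnyDGL"
         "ZLd7SZ1yv73uzfE2Ot813zmig8KTMEMWVcWSDvy61F06vs_6LURcq_IEEevUiubBxG5S2akNnWigfpbhWYjMI5M22FOC"
         "pdcDBt4L7K1-yHt95Siz0QUb0MNlT_X8F76wH7_A37GpKKJGqeaiNWmHkgWdE8QWDQ"}

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign_hs256(claims, jwk):
    """Mint a compact JWS the way the provider does for ID tokens (used here only to build
    a constructed sample token; a real token comes from the /oauth2/token response)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": jwk["kid"]}
    enc = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc(header) + "." + enc(claims)
    mac = hmac.new(b64url_decode(jwk["k"]), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)

def verify_id_token(token, jwk, issuer, client_id, now=None):
    """Validate signature, alg/kid, iss, aud and exp of an HS256 ID token.
    Returns the claims on success and raises ValueError on any failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part compact JWS")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # Pin alg and kid to the provider's configuration; never let the header pick the algorithm.
    if header.get("alg") != "HS256" or header.get("kid") != jwk["kid"]:
        raise ValueError("unexpected alg or kid in header")
    expected = hmac.new(b64url_decode(jwk["k"]), (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):  # constant-time compare
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("ID token expired")
    return claims
```

Because the key is a shared secret (kty "oct"), anything holding "k" can both verify and mint tokens, so distribute it only to the gateway and the relying parties that must validate ID tokens.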

What you did in this tutorial

In this tutorial, you completed the following activities:
  • Added OpenID Connect security to an existing API.
  • Tested the security.