OAuth2 Authentication¶
By default, OAuth2 authentication is enabled for all the APIs. The default configuration expects a bearer token in the request header Authorization
. You can disable the OAuth2 authentication or use a custom Authentication header for OAuth2 authentication.
Before you begin¶
You can use the apk-conf file which is created in Create an API documentation and save this content into a file named EmployeeServiceDisabledOAuth2.apk-conf
.
Sample content before the modification is shown below.
name: "EmployeeServiceAPI"
basePath: "/test"
version: "3.14"
type: "REST"
defaultVersion: false
endpointConfigurations:
production:
endpoint: "https://run.mocky.io/v3/1327c339-354b-4080-8296-f6268365e67b"
operations:
- target: "/employee"
verb: "GET"
secured: true
scopes: []
- target: "/employee"
verb: "POST"
secured: true
scopes: []
- target: "/employee/{employeeId}"
verb: "PUT"
secured: true
scopes: []
- target: "/employee/{employeeId}"
verb: "DELETE"
secured: true
scopes: []
Disable OAuth2 authentication¶
Modify the content with the following config to disable OAuth2
authentication:
- authType: OAuth2
enabled: false
Sample APK configuration content after the modification to disable OAuth2 is shown below.
name: "EmployeeServiceAPI"
basePath: "/test"
version: "3.14"
type: "REST"
defaultVersion: false
endpointConfigurations:
production:
endpoint: "https://run.mocky.io/v3/1327c339-354b-4080-8296-f6268365e67b"
operations:
- target: "/employee"
verb: "GET"
secured: true
scopes: []
- target: "/employee"
verb: "POST"
secured: true
scopes: []
- target: "/employee/{employeeId}"
verb: "PUT"
secured: true
scopes: []
- target: "/employee/{employeeId}"
verb: "DELETE"
secured: true
scopes: []
authentication:
- authType: OAuth2
enabled: false
Deploy the APK configuration. As you have not added any other authentication, you will be able to invoke requests without providing any security credentials. However, if you add API key authentication to the configuration, you will receive a 401 response, even if you use a valid access token, since you have disabled OAuth2 authentication but added API-KEY.
Use custom bearer header name¶
Modify the content with the following config to use custom auth header name
authentication:
- authType: OAuth2
headerName: testAuth
Sample APK configuration content after the modification to use a custom auth header name is shown below.
name: "EmployeeServiceAPI"
basePath: "/test"
version: "3.14"
type: "REST"
defaultVersion: false
endpointConfigurations:
production:
endpoint: "https://run.mocky.io/v3/1327c339-354b-4080-8296-f6268365e67b"
operations:
- target: "/employee"
verb: "GET"
secured: true
scopes: []
- target: "/employee"
verb: "POST"
secured: true
scopes: []
- target: "/employee/{employeeId}"
verb: "PUT"
secured: true
scopes: []
- target: "/employee/{employeeId}"
verb: "DELETE"
secured: true
scopes: []
authentication:
- authType: OAuth2
headerName: testAuth
Deploy the APK configuration. Try invoking the request with a valid token in the Authorization header; you will receive a 401 response. Now, try with the testAuth header and a valid access token; you should receive a successful response.
Pass the OAuth2 Token to Backend¶
Modify the content with the following config to send the OAuth2 header to backend.
authentication:
- authType: OAuth2
headerName: Authorization
sendTokenToUpstream: true
Sample APK configuration content after the modification to send the OAuth2 header to the backend is shown below.
name: "EmployeeServiceAPI"
basePath: "/test"
version: "3.14"
type: "REST"
defaultVersion: false
endpointConfigurations:
production:
endpoint: "https://run.mocky.io/v3/1327c339-354b-4080-8296-f6268365e67b"
operations:
- target: "/employee"
verb: "GET"
secured: true
scopes: []
- target: "/employee"
verb: "POST"
secured: true
scopes: []
- target: "/employee/{employeeId}"
verb: "PUT"
secured: true
scopes: []
- target: "/employee/{employeeId}"
verb: "DELETE"
secured: true
scopes: []
authentication:
- authType: OAuth2
headerName: Authorization
sendTokenToUpstream: true
Deploy the APK configuration. Try invoking the request with a valid token in the Authorization header; you will receive a 200 response. Check the backend to see it receiving the OAuth2 token in the same header.