How To Connect With MasterCard APIs With OAuth 1.0 For Authentication Via MuleSoft

In this article, we will learn how to make calls to the third party APIs which use OAuth 1.0 as authentication method using MuleSoft. The HTTP request connector does not support OAuth 1.0 hence we will be using the dataweave to dynamically compute the OAuth 1.0 parameters. Here we are using Mastercard APIS for the demonstration.

Pre-requisite:

1. Anypoint studio.
2. Trial account and necessary access for the Mastercard portal.

Let’s get started:

1. Once you create the account in Mastercard (https://developer.mastercard.com/) then navigate under “Projects” and create a new Project.

2. Set up the project and provide the project name then you will be able to download the .p12 keystore file. The PKCS#12 keystore contains the private key used for signing requests to Mastercard APIs.

3. Save your keystore credentials.

4. Navigate to the project section and open the project which is created above. Save the consumerKey for later use.

5. Go through the API documentation and call one of the api ‘getDataSource’ from the postman as shown below:

Edit ‘Authorization’ section with-

• Type = OAuth 1.0
• Add authorization data to = Request header.
• Signature Method = RSA-SHA256
• Consumer Key = Retrieved from step 4.
• Private Key = The private key is encrypted in the keystore file retrieved from step 3. Convert the P12 key into an RSA key using the following command openssl pkcs12 -in ‘mykey.p12’ | openssl rsa -out myrsa.key.
• Version = 1.0
• Enable the option for ‘Include buddy hash’.
• Enable the option for ‘Encode the Parameters in the Authorization’.
• oauth_nonce and oauth_timestamp = The OAuth nonce is a random string, uniquely generated for each request and also unique within a given time window.
  The request timestamp is a positive integer representing the number of seconds since 1970. It must match the current time. In this example, 1558370962 is equivalent to 05/20/2019 @ 4:49pm (UTC).The timestamp and nonce pair must be unique.
• Oauth_body_hash = It contains a base64-encoded SHA-256 digest of the body.
• Oauth_signature = This is the base64-encoded RSA signature of the request, produced using your private signing key.

6. We invoked the Mastercard API from the postman and it was successful. Now we will make this call from the MuleSoft application.

Create a sample application in MuleSoft as shown below:

a) Set private Key — This transformation contains the private key retrieved from keystore file.

b) OAuth_signature — This transform message contains the dataweave code for generating the OAuth parameters.

%dw 2.0
output application/json
import dw::Crypto
import * from dw::core::Binaries
import toBinary from dw::core::Numbers
import withMaxSize from dw::core::Strings
import toBase64 from dw::core::Binaries
import * from dw::core::URL
var http_method = "POST"
var base_url = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXl"
var query_string = payload
var oauth_consumer_key = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
fun generateString(n: Number) = 
do {var x = ('0123456789' ++ 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' ++ 'abcdefghijklmnopqrstuvwxyz')
  ---
  0 to (n-1) reduce (item, acc="11") -> acc ++ x[ceil(random()*sizeOf(x))]}
var oauth_nonce = generateString(11)
var oauth_timestamp = now() as Number
var oauth_signature_method = "RSA-SHA256"
var oauth_version = "1.0"
var consumer_secret = vars.privateKey
var oauth_body_hash = encodeURIComponent(toBase64(Crypto::hashWith(payload, "SHA-256")))
var parameter_string = encodeURIComponent('oauth_body_hash=') ++ oauth_body_hash ++ encodeURIComponent('&oauth_consumer_key=' ++ oauth_consumer_key ++
 '&oauth_nonce=' ++ oauth_nonce ++ '&oauth_signature_method=' ++ oauth_signature_method ++ '&oauth_timestamp=' ++ oauth_timestamp ++ '&oauth_version=' 
  ++ oauth_version) 
var signature_base_string = http_method ++ '&' ++ encodeURIComponent(base_url)  ++ '&' ++ parameter_string
var signing_key = consumer_secret
---
{
    http_method: http_method,
    base_url: base_url,
    query_string: query_string,
    oauth_consumer_key: oauth_consumer_key,
    oauth_signature_method: oauth_signature_method,
    oauth_timestamp: oauth_timestamp,
    oauth_nonce: oauth_nonce,
    oauth_version: oauth_version,
    consumer_secret: consumer_secret,
    signing_key: signing_key,
    parameter_string: parameter_string,
    signature_base_string: signature_base_string,
    oauth_body_hash: oauth_body_hash,
    signature: toHex(Crypto::hashWith(signature_base_string as Binary, "SHA-256"))
}

c) Generate Signature: Here the Signature base string needs to be Signed with the RSH-SHA256 algorithm.

To perform this action we have used ‘Dataweave JWT Library’ (https://www.mulesoft.com/exchange/68ef9520-24e9-4cf2-b2f5-620025690913/data-weave-jwt-library/minor/1.0/pages/RSA/#alg-index)

d) Authorization header = Here the Authorizationheader is prepared by concatenating all the fields mentioned above.

e) Convert header to string = Here the authorization header is converted in string format.

f) Request Mastercard api = Here the http request is made to Mastercard api by passing the authorization header, the payload and the content type.

7. Deploy the code and test.