Securing REST APIs in Gen™ with OAuth2

Jerald Herstein
Gen-dev
Aug 9, 2022

Many modern applications use RESTful APIs to share data with remote systems. At times, this data can be sensitive, so the remote services secure the data with some form of authentication to prevent unauthorized access. This could be as simple as sending a predefined key or user name and password on the HTTP request, but these approaches are not as robust as using a token with an expiration time. The OAuth2 authentication scheme uses a multi-legged approach to make it harder to break into systems:

  • Both the client and the server provide part of the authentication process.
  • OAuth2 tokens have a limited lifespan, minimizing the window for malicious use if compromised.

In this article we will show you how easy it is to use Gen’s native support for OAuth2 authentication when consuming (calling out to) REST APIs from Gen applications.

The OAuth2 authentication process is really just an additional REST API call. The Gen runtime first calls the authentication server to retrieve the token and then calls the actual API to execute the desired functionality. To simplify development, Gen allows OAuth2 properties to be included when a REST call is defined, so the entire authorization and execution sequence runs from one statement, following the OAuth2 security scheme that the OpenAPI specification defines. Figure 1 shows the parameters Gen provides when an API call uses OAuth2.

Figure 1: REST Parameter Matching

To use OAuth2 authentication with Gen, you will need:

  • the client id
  • the client secret
  • the URL for the token endpoint
  • the scope information (sometimes)

The client id and client secret are provided when you register with the authentication provider. The token endpoint issues Gen a token, which Gen then passes to the REST API as proof that you are permitted to use the function you are requesting. Some sites have finer-grained permissions and use scope information. Scopes can be thought of like grants in a database — a user may have permission to read data, but not to write. Generally, if your scope does not match the permissions for the API call, your application will receive a 403 (Forbidden) response from the remote server.

Steps to configure OAuth2 authentication with Gen:

  1. Determine if the API you are using requires OAuth2 authentication. The API provider should tell you, or you can get that information from the OpenAPI specification.
  2. If the API does require authentication, make sure that the API provider has given you valid credentials for the authentication server.
  3. Try out the authentication using a tool like Postman to make sure you can receive a token from the authenticator.
  4. Again, using Postman or a tool like it, test the REST method. Quite often when using REST, just ensuring you have the correct parameters and authentication can go a long way toward resolving issues down the line.
  5. Create the Call REST action block, remembering to map the token URL, client ID, and client secret to views in your action block (see Figure 1).
  6. Use the authentication configuration parameters if needed. You can set separate timeouts and certificate validations for the authentication service and the main REST service if desired.
  7. Generate and build your code. Your application will handle all of the communication to process your REST requests.
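The two-leg sequence described above (token endpoint first, then the API with the token, a 403 when the scope does not cover the call, and a fresh token once the old one expires), as an added illustration in Python rather than Gen's own runtime code. It assumes the client-credentials grant and uses a constructed in-memory provider (`FakeProvider`, with made-up `auth.example` URLs and the hypothetical scopes `orders:read` / `orders:write`) so it runs offline; an injectable `clock` stands in for wall time.

```python
import base64, secrets, time
from urllib.parse import parse_qs, urlencode

class OAuth2RestClient:  # client-credentials grant: get a token, cache it until expiry, call the API
    def __init__(self, token_url, client_id, client_secret, scope, transport, clock=time.time):
        self.token_url, self.client_id, self.client_secret = token_url, client_id, client_secret
        self.scope, self.transport, self.clock = scope, transport, clock
        self._token, self._expires_at = None, 0.0

    def _fetch_token(self):
        # Leg 1: POST to the token endpoint, proving the client id and secret via HTTP Basic auth.
        creds = base64.b64encode(f"{self.client_id}:{self.client_secret}".encode()).decode()
        body = urlencode({"grant_type": "client_credentials", "scope": self.scope})
        status, resp = self.transport("POST", self.token_url, {"Authorization": f"Basic {creds}"}, body)
        if status != 200:
            raise RuntimeError(f"token endpoint returned {status}: {resp.get('error')}")
        self._token = resp["access_token"]
        self._expires_at = self.clock() + resp["expires_in"] - 30  # refresh 30 s before expiry

    def call(self, method, url):
        # Leg 2: present the cached token as a Bearer credential on the real API call.
        if self._token is None or self.clock() >= self._expires_at:
            self._fetch_token()
        return self.transport(method, url, {"Authorization": f"Bearer {self._token}"}, None)

class FakeProvider:  # constructed in-memory token endpoint plus a scope-protected REST resource
    def __init__(self, token_url, client_id, client_secret, clock=time.time):
        self.token_url, self.client_id, self.client_secret, self.clock = token_url, client_id, client_secret, clock
        self.tokens, self.token_requests = {}, 0  # token -> (scopes, expiry)

    def __call__(self, method, url, headers, body):
        auth = headers.get("Authorization", "")
        if url == self.token_url:
            self.token_requests += 1
            expected = base64.b64encode(f"{self.client_id}:{self.client_secret}".encode()).decode()
            if auth != f"Basic {expected}":
                return 401, {"error": "invalid_client"}
            tok = secrets.token_urlsafe(16)
            scopes = set(parse_qs(body).get("scope", [""])[0].split())
            self.tokens[tok] = (scopes, self.clock() + 3600)
            return 200, {"access_token": tok, "token_type": "Bearer", "expires_in": 3600}
        # Resource server: the token must be one it issued, unexpired, and carry the scope the verb needs.
        tok = auth[7:] if auth.startswith("Bearer ") else ""
        scopes, expiry = self.tokens.get(tok, (set(), 0))
        if self.clock() >= expiry:
            return 401, {"error": "invalid_token"}
        needed = "orders:read" if method == "GET" else "orders:write"
        if needed not in scopes:
            return 403, {"error": "insufficient_scope"}  # scope mismatch -> 403 Forbidden
        return 200, {"orders": [{"id": 1, "total": 42.0}]}
```

Swapping `FakeProvider` for a real HTTP transport (a function taking method, URL, headers and body and returning status plus parsed JSON) is the only change needed to run the same client against a live token endpoint.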

Conclusion:

REST APIs are a great way to get more value from your business applications. OAuth2 authentication ensures your sensitive data remains secure. Gen’s native support for OAuth2 simplifies the development process by enabling you to configure your authentication parameters within your Call REST statement. To learn about Gen’s natively supported security schemes, check out Gen Tech Docs: Authentication for REST API Calls.

Software Engineer at Broadcom. Working on Gen (tm), a tool for generating applications from models.