For external management systems getting access to the platform through the APS bus, the platform supports authentication and authorization via the OAuth Core 1.0 Revision A (hereafter OAuth-1.0a) protocol.
In this document:
The OAuth authentication protocol requires access to the platform only through a UI brand access point with activated APS booster using the HTTPS protocol.
If your platform is in production, it must already have a UI node or UI cluster with APS booster available through HTTPS. If it does not, follow the platform deployment guide to setup the UI cluster with APS booster.
To verify if REST requests go through APS booster, check HTTP headers in a response message. One of them must be
X-APSBooster-Response:true
.
If you have an APS Sandbox and for simplicity do not want to configure a separate UI node, then you should configure a UI with a brand access point directly on the management node.
After the above configuration, get access to the platform through the HTTPS protocol, for example:
https://a.isv1.apsdemo.org
.
The OAuth-1.0a protocol requires a sender to have a trusted pair of consumer key and secret. You can generate that pair for a user whose credentials an external system will use to manage resources in the platform.
In the provider control panel, create a special staff member whose OAuth credentials the external management system will use.
For the new staff member, generate the OAuth credentials:
In the provider control panel, open the details of the newly created staff member.
On the APS Bus Access tab, click Create to generate the Consumer Key and Consumer Secret.
Warning
The consumer secret is visible only once. After you leave the screen, the consumer secret will not be visible anymore. So, it makes sense to save it immediately.
In the Allowed Operations section, add a separate entry for a group of allowed custom operations exposed by a certain APS type. Each entry consists of two parts:
In the following example, the user is allowed to operate orders through the order manager by means of GET and POST requests:
Note
To use OAuth-1.0a supported by the platform, choose a REST client that meets the following requirements.
The client must be able to construct the Authorization header compliant with the OAuth-1a protocol.
It means the client must accept the two parameters that the platform generates - consumer key and consumer secret - and then construct the other required OAuth parameters in the header as in the following example:
Authorization: OAuth
oauth_consumer_key="LFkJjlAjluEfL57dRxNnsi6WWMDduxEl",
oauth_signature_method="HMAC-SHA1",
oauth_timestamp="1508234992",
oauth_nonce="kUO2sQ",
oauth_version="1.0",
oauth_signature="nYuf8bT3rOOMaMJR9ZosPKoNupo%3D"
The client must be able to send REST requests through the HTTPS protocol and accept self-signed SSL certificates when testing some operations on a test platform.
The client must not encode special symbols used in Resource Query Language (RQL). For example, some REST clients replace parenthesis ‘(‘ and ‘)’ respectively for ‘%28’ and ‘%29’, which is not acceptable for the RQL parser.
If your management system uses some scripts or binary executables based on a programming language, the best way is to find out a library or modules that support the OAuth-1.0a protocol in that language.
A simple Python script may look as follows:
from requests_oauthlib import OAuth1Session
# Enter input parameters:
consumer_key = 'ug7nnV3aq4VwGQQzyiFRDSGwa7QZY0YE'
consumer_secret = 'cccMHKhIIVupWAEWtYeQmg9DVe0DSP...'
url = 'https://a.isv1.apsdemo.org/aps/2/resources'
# Set session parameters and get response:
session = OAuth1Session(consumer_key, consumer_secret)
response = session.get(url, verify=False)
print response.text
The script requires the requests_oauthlib
module that you can install through the Python package manager:
$ sudo pip install requests_oauthlib
This is a quick demo illustrating generic and custom REST operations on the platform:
You can also find out a GUI tool that meets the above requirements. A GUI client helps you test some key operations before implementing them in a management system. For example, the Insomnia REST client meets all the above requirements. The latter is used in the following example.
The preferences and request settings of Insomnia allow you to disable validation of SSL certificates and disable URL encoding.
The OAuth 1.0 configuration section allows you to select the HMAC-SHA1 signature method, enter a consumer key,
consumer secret, and the OAuth protocol version in order to construct all other fields for the Authorization
header.
When using HTTPS in your browser and REST client, you may meet with the following cases when your action is rejected:
The platform allows the provider to have multiple resellers of various levels that need to access REST API in order to implement various integration scenarios such as CRM or Billing integration. To allow those systems to get access to the platform, the provider should consider the following ways:
Note
The second way is recommended, as a specialized API gateway usually provides numerous features to improve the quality of API services, for example, by rejecting improper requests and using API analytics tools.
The provider uses the following platform features to control access through an API gateway:
The following is a typical scenario of setting and using an API gateway for a reseller.
The provider subscribes to a third party API gateway service and configures the acquired gateway to forward APS REST requests to the platform.
Note
The provider must ensure that the API gateway forwards its domain name in the
X-Forwarded-Host header.
Actually, it must forward the host name specified by the client in the Host
header.
In the simplest configuration, the API gateway forwards all REST requests containing the /aps/2/resources/
prefix
in the URL.
The provider configures other API gateway specific services, for example, security restrictions and API analytics.
The provider logs to the RCP on behalf of the reseller who requires an API gateway, then navigates to System > Settings and in the Systems Properties enters the API gateway URL in the APS OAuth API Gateway URL property.
As explained in the Set up User’s Credentials section, the provider or an authorized reseller staff member creates and configures a user with a generated pair Key/Secret and a list of REST operations allowed on the APS bus for that user. The reseller’s external systems will use those credentials to send REST requests.
A reseller’s external system can send the allowed REST calls through the API gate using the pair of OAuth Key/Secret for authentication and authorization. For example:
GET https://api.gate-provider.test:10443/aps/2/resources
The platform security system accepts an incoming request if its OAuth signature in the Authorization
header
is based on the correct gateway URL as configured by the respective APS OAuth API Gateway URL property.
Note
If an API gateway URL is configured for a reseller the platform does not accept APS requests coming in any other ways than through that gateway from any system authenticated as a user of that reseller.
Recursively, a reseller can downstream the APS OAuth API Gateway URL property to sub-resellers. A reseller’s staff member can configure it themselves in their own reseller account if they are granted the “System Configuration”=”Manage” privilege.