
OAuth2 Support for API Monitors

Would be nice if there was a way to monitor APIs that are secured by OAuth2. Example:

Monitor an API called /Status that requires a bearer token in the Authorization header, which is retrieved from a call to /Auth with a client key and secret. This is the client_credentials flow.


Reply 1
Replies (15)

Re: OAuth2 Support for API Monitors

You can use our Web Application monitoring capability to monitor the OAuth2 workflow stated above.

I hope the API can be loaded in a browser. If yes, go to Admin tab -> Inventory -> Monitors -> Add Monitor -> Web Application. Then follow the instructions on the page.

This monitor works based on a web-crawling mechanism with cookie management and can capture the above-said workflow.

Let me know if you need any clarification on setting up this monitor.
Reply 0

Re: OAuth2 Support for API Monitors

The API cannot be loaded in a simple browser due to the custom headers required by OAuth2 needing to be set. The other issue with the Web Application flow is that it is an advanced monitor, which is much more expensive vs. using simple API monitoring, especially when you have 10+ of them to monitor.

What I was hoping for was similar to how the API Monitor has native support for Basic Auth: it could similarly have an OAuth2 option where one would enter the token URL and any required headers, then, using your JSON response parser, pluck out the field for the token, which could then be packed into the header for the actual API request to the authorized resource.

Another possibility that would be more generic would be to have the ability to save a variable from a standard response and reference it in another monitor. So, for example, create a standard REST API monitor for the token service, parse the JSON to retrieve the token itself, and add the ability to save that parsed-out response (the token in this case) to a variable (a simple string). This way you could make many other monitors that could grab that token variable and pack it into the Authorization header of their calls. In practice, this would be set up to make one request to the token service, let's say every hour (or whatever the token expiry is), save the token, and then make calls to the authorized APIs at the 5 min rate referencing the token variable.

Example:

(Content section of a REST API Monitor for the Token service)


Configuration section of another REST API Monitor for an authorized endpoint that needs the token

Reply 2

Re: OAuth2 Support for API Monitors

That is a great suggestion. I will discuss this internally and get back to you.
Reply 0

Re: OAuth2 Support for API Monitors

Can you provide access to your API endpoint?

We would like to understand the following about the OAuth2 workflow:

  • Will it automatically redirect to the OAuth2 token URL when we access the API, or will just an error be thrown?
  • Can there be a persistent auth token for accessing the API, or will it vary for every other request to the API endpoint?

Answers to the above will be very helpful.


Reply 0

Re: OAuth2 Support for API Monitors

We don't have an API we can give out unfortunately, but there are many examples on the web that use the OAuth2 client credentials flow. There are other OAuth2 flows out there, such as resource owner (password), that have a similar mechanism, but with different headers in the auth call.

If you just call a secured API directly (without a token) it will throw a 401 Unauthorized; you must first call the /token URL, passing in the appropriate headers (grant_type, client_id, client_secret and other optional ones depending on the implementation). It will return a response like this upon successful auth:

{ "access_token": "31d9fda8-4694-427b-af57-90853907daf3", "token_type": "bearer", "expires_in": 42381 }

The access_token and token_type are concatenated and packed into the Authorization header of the subsequent API calls to /some_secured_resource:

Authorization: bearer 31d9fda8-4694-427b-af57-90853907daf3

This token can be persistent for as long as the expires_in (seconds) is valid. This is why my second example of storing the token in a variable might be more useful. You can schedule a call to the token URL to match the expiry, which shouldn't change.



Reply 0
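The client_credentials exchange described in the reply above, as an added Python example (not the forum's or the product's own code): a shared token object that POSTs grant_type, client_id and client_secret to the token URL, caches access_token until expires_in minus a safety margin, builds the Authorization header for the secured call, and refreshes once on a 401. The /token and /Status endpoints are constructed fakes that return the response shape quoted above; the URLs and client values are assumptions.

```python
import json
import time
# Constructed sample token response in the shape quoted above (not a real token).
SAMPLE_TOKEN_RESPONSE = {"access_token": "31d9fda8-4694-427b-af57-90853907daf3",
                         "token_type": "bearer", "expires_in": 42381}

class ClientCredentialsToken:
    """Shared token 'variable': fetched once, reused by many monitors, refreshed `margin` s early."""
    def __init__(self, post, token_url, client_id, client_secret, margin=60, now=time.time):
        self._post, self._url, self._margin, self._now = post, token_url, margin, now
        self._form = {"grant_type": "client_credentials",
                      "client_id": client_id, "client_secret": client_secret}
        self._token, self._type, self._expires_at, self.fetch_count = None, "bearer", 0.0, 0
    def refresh(self):
        body = json.loads(self._post(self._url, self._form))  # POST the form to /token
        self._token = body["access_token"]
        self._type = body.get("token_type", "bearer")
        self._expires_at = self._now() + int(body["expires_in"])
        self.fetch_count += 1
    def header(self):
        if self._token is None or self._now() >= self._expires_at - self._margin:
            self.refresh()  # no cached token, or too close to expires_in
        return {"Authorization": f"{self._type} {self._token}"}

def call_secured(get, url, token):
    """Call a protected endpoint; on 401 (token revoked early) refresh once and retry."""
    status, body = get(url, token.header())
    if status == 401:
        token.refresh()
        status, body = get(url, token.header())
    return status, body

def _fake_post(url, form):  # constructed stand-in for the /token endpoint
    assert form["grant_type"] == "client_credentials" and form["client_secret"]
    return json.dumps(SAMPLE_TOKEN_RESPONSE)
def _fake_get(url, headers):  # constructed stand-in for the secured /Status endpoint
    ok = headers.get("Authorization") == f"bearer {SAMPLE_TOKEN_RESPONSE['access_token']}"
    return (200, '{"status": "ok"}') if ok else (401, "")

def demo():
    """Two checks 5 min apart share one token; a check near expiry triggers a refresh."""
    clock = [1000.0]
    tok = ClientCredentialsToken(_fake_post, "https://example.invalid/token",
                                 "client-id", "client-secret", now=lambda: clock[0])
    s1, _ = call_secured(_fake_get, "https://example.invalid/Status", tok)
    clock[0] += 300  # next 5-minute check: cached token is reused, no call to /token
    s2, _ = call_secured(_fake_get, "https://example.invalid/Status", tok)
    clock[0] = 1000.0 + 42381 - 30  # inside the 60 s safety margin, so header() refreshes
    s3, _ = call_secured(_fake_get, "https://example.invalid/Status", tok)
    return s1, s2, s3, tok.fetch_count  # (200, 200, 200, 2)
```

The `margin` is what makes the "refresh before expiry" behaviour safe: a monitor scheduled every 5 minutes never presents a token that expires mid-check.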

Re: OAuth2 Support for API Monitors

I am also interested in having this feature. Has there been any progress on this feature request?

Reply 0

Re: Re: OAuth2 Support for API Monitors

Hello Team,

We are waiting for an update on this request.

Re: OAuth2 Support for API Monitors

Hi,

We haven't taken up this feature yet.

However, we understood the requirement clearly, and will support it in REST API monitoring.

Until the feature is available I would suggest the below workaround to monitor OAuth2-supported APIs:

If you are able to generate a persistent auth token and configure it under the Custom Headers feature in the monitor form, the monitor can take up the auth token while accessing the API.

We will keep you updated on the availability of the OAuth2 support in REST API monitoring here.
Reply 0

Re: Re: OAuth2 Support for API Monitors

We are really looking forward to this feature as well. :-)

Re: OAuth2 Support for API Monitors

Hi, any news on this topic?
I have the same needs for several APIs.

Re: Re: OAuth2 Support for API Monitors

Hello,

We have taken up this feature request. We will allow users to define the OAuth token at a global level and utilize it for any number of monitors. This will also auto-refresh itself before token expiry.

Will keep this post updated on the further progress of this feature.

Raghavan

Reply 1

Re: Re: Re: OAuth2 Support for API Monitors

Hi, do you guys have any date to implement this feature? Otherwise I will have to develop static token on my applications, but it's not a very safe solution.

Reply 0

Re: Re: Re: Re: OAuth2 Support for API Monitors

Hello,

This is currently under development. Most probably it will release in 4-6 weeks.

We will update this thread once the feature is live.

Raghavan

Reply 0

Re: Re: Re: Re: Re: OAuth2 Support for API Monitors

Hi,

Any information on this please?

Reply 0

Re: Re: Re: Re: Re: Re: OAuth2 Support for API Monitors

Hello Fernando,

Right now, this feature is in a final stage of development and we have planned to release before the end of this month. 

Regards,
Rafee

Reply 1