Versions Compared

Version Old Version 9 New Version 10
Changes made by

Karol Januszewski (Unlicensed)

Karol Januszewski (Unlicensed)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


Excerpt

Overview


This page describes a fast example of security integration in a 3rd-party service.
The example is based on the current state of the regression environment.


Nutrition OAuth 2.0 Provider is authorization provider for Nutrition Mulesoft APIs. It is dedicated for Machine To Machine (M2M) integrations.

Required precondition:

  • Mulesoft applications created in Reckitt Anypoint Exchange with client_id and client_secret :
    • one for non-prod environment
    • second for production

To achieve this precondition, either way is the proper way 'on request' / 'self service':

On request:

If you don't have access to Reckitt Exchange, please submit your request here: → TODO proces

Self service:

If you already have access to Reckitt Exchange please follow these steps:

Expand

Request for access to the Nutrition OAuth 2.0 Provider → Exchange Link :

  • CDP-STAGE: with your non-prod application
  • CDP-PROD: with your production app

The request will be reviewed and access granted within 2 business days.

Application name should:

  • describe the API Consuming System
  • indicate NON-PROD / PROD environment of the API Consuming System as a suffix

Examples:

  • 'SFMC Pop-up sync for ASEAN Profiles PROD' :  (tick) - does describe the system and the environment
  • 'POC Salesforce Mulesoft Data Integration' :  (error) - does not describe the system, does not indicate the environment



Proper authentication:


The steps are:

  1. Create Authorization Token
  2. Consume API with the Token

Create Authorization Token

To do that need to send a proper request according to below specification:

Method: POST

Endpoints

  • Stage: https://api.cdp-rb.com/stage/v1/oauth/token
  • Production: https://api.cdp-rb.com/v1/oauth/token

Payload (type: application/json):

  • client_id - String, mandatory
  • client_secret - String, mandatory
  • grant_type - String, mandatory, enums: [CLIENT_CREDENTIALS]

  example request:


Code Block
languagejs
titlerequest payload
{
    "client_id": "459c3f28a4154781bc3bu7ec464ape9c",
    "client_secret": "1FbDA0fF59cA4dD9B5183E28de594Bc1",
    "grant_type": "CLIENT_CREDENTIALS"
}


example response payloads:



Code Block
languagejs
titlesuccessful response: 200
{
    "access_token": "dfstzdakvbiRzhSZdw7HKwe0QkbiTFQoaJiP0yx3HWAxbq3mX_zpsW-EOj0_CZHImnkgIFhIF8kOm5HjYqs96Q",
    "token_type": "Bearer",
    "expires_in": 1800
}


Code Block
titlebad request: 400
{
    "message": "Bad request: /grant_type LOREM IPSUM is not a valid enum value"
}


Code Block
titleincorrect client_id client_secret combination: 401
{
    "error": "Invalid client id or secret"
}


Code Block
titlequota exceeded: 429
{
    "error": "Quota has been exceeded"
}

Create Authorization Token Rate Limiting

This endpoint to create Authorization Tokens has an SLA Based Rate Limiting as follows:

  • the rate limiting is applied equally for all Clients
  • maxium 5 HTTP calls within 30 seconds for a Client

Authorization Token Time To Live (TTL)

  • the maximum TTL for a token is 1800 seconds  ( 30 minutes )
  • no token refreshing is available


Authorization Token Caching

For M2M integrations, token cachin

REMARKS:

  1. The vx-web-test client_id and the set of roles "SAVE_DATA READ_DATA MANAGE_BUCKET MANAGE_SCHEMA DATA_EXPORT READ_SCHEMA" is predefined. Usually for each 3rd-party tool our security managers create separate client_id with necessary set of roles.
  2. The "state" request parameter should be unique for each attempt to issue access code.
  3. The header value passed in the "authorization" is constant per each environment (the one we use in this example is specific to regression environment).
  4. Some programs like "Postman" try follow redirects after they receive 302 HTTP status in response. In this case please turn off this default setting in the Postman global settings.
    "curl" - a command line tool which does not follow redirects by default, but please use "-v" key in order to see the detailed HTTP response in the terminal window.
  5. The access codes have relatively short lifetime. For example on regression environment it is only 15 seconds available in order to get the access token.
  6. You need to disallow your request for redirecting 

Get access token

To do that need to send a proper request according to below specification:

Method: POST

Endpointhttp://digital-security-authservice-regression.frankfurt.rbdigitalcloud.com/oauth/token

URI params:

  • In the URI should be the following set of request parameters:
  • grant_type=authorization_code&redirect_uri=http%3A%2F%2Fwww.rb.com%2F&client_id=vx-web-test&client_secret=Abc1$345&code=d1c82ed4-da4a-4675-81e7-5f9b0e295568&state=vbu3artsdek1i51xcv5058935 

where:

green is 3-party client_Id

blue is code from the first request

orange is the state - the same as in the first request

red is the client_secret - generated as a required precondition


Headers:

  • cache-control: no-cache
  • content-type: application/x-www-form-urlencoded
  • authorization: Basic dngtd2ViLXRlc3Q6QWJjMSQzNDU=


In the success scenario the request returns 200 status with the following JSON structure in the response body:

No Format
{"access_token":"cacd5cda-08f8-47fa-8431-82d7a82184a6","token_type":"bearer","refresh_token":"92c437ba-e6ac-4ae2-84ce-ec7338b506b6","expires_in":60}


After that need to extract "access_token" from the above JSON in order to get the access token:

cacd5cda-08f8-47fa-8431-82d7a82184a6

REMARKS:

  1. The access code that was retrieved in the previous step is passed in the "code" request parameter on this step;
  2. The value that is passed in the "authorization" header is base64 encoded string for "vx-web-test:Abc1$345";
  3. The vx-web-test is the client_id and the Abc1$345 is the password for vx-web-test client_id.
  4. You need to disallow your request for redirecting 


...