Securing REST APIs in Gen with OAuth2
search cancel

Securing REST APIs in Gen with OAuth2


Article ID: 247940


Updated On:


Gen Gen - Run Time Distributed Gen - Workstation Toolset Gen - Host Encyclopedia


Many external REST APIs use OAuth2 for authentication. This article describes how Gen's Toolset and Runtimes are used to natively manage this authentication method for the Call REST statement.


Many modern applications use RESTful APIs to share data with remote systems. At times, this data can be sensitive, so the remote services secure the data with some form of authentication to prevent unauthorized access. This could be as simple as sending a predefined key or user name and password on the HTTP request, but these approaches are not as robust as using a token with an expiration time. The OAuth2 authentication scheme uses a multi-legged approach to make it harder to break into systems:

  • Both the client and the server provide part of the authentication process.
  • OAuth2 tokens have a limited lifespan, minimizing the window for malicious use if compromised.

To use OAuth2 authentication with Gen, you will need:

  • the client id
  • the client secret
  • the URL for the token endpoint
  • the scope information (sometimes)

Steps to configure OAuth2 authentication with Gen:

  1. Determine if the API you are using requires OAuth2 authentication. The API provider should tell you, or you can get that information from the OpenAPI specification
  2. If the API does require authentication, make sure that the API provider has given you valid credentials for the authentication server.
  3. Try out the authentication using a tool like Postman to make sure you can receive a token from the authenticator.
  4. Again, using Postman or a tool like it, test the REST method. Quite often when using REST, just ensuring you have the correct parameters and authentication can go a long way toward resolving issues down the line.
  5. Create the Call REST action block, remembering to map the token URL, client ID, and client secret to views in your action block. ( See Figure 1)
  6. Use the authentication configuration parameters if needed. You can set separate timeouts and certificate validations for the authentication service and the main REST service if desired.
  7. Generate and build your code. Your application will handle all of the communication to process your REST requests.


Additional Information

Call REST hub article: Gen 8.6 Consuming REST APIs (Call REST) feature