Creating an API for iFlow: A Step-by-Step Guide. Part 2
In one of my previous posts, I provided the steps required to create the API for iFlow.
At the end of that post, I mentioned a security issue that needed addressing. In this post, I'll delve into fixing that issue.
Inputs
You've successfully created the API that triggers iFlow. As it stands, anyone who knows its URL can call it; the client does not have to provide any security details. Now we'll require the client to present an OAuth2 token. That token must be obtained from the custom token-generating API hosted on the same BTP tenant, using the client credentials (client ID and client secret) issued for the client's application.
You can find step-by-step instructions for creating the API to generate the OAuth2 token within the BTP client by following the link below:
To summarize, we'll have one API for generating the OAuth2 token and another for triggering iFlow.
Step 1. Assign a policy to the API
Add a new policy to the API that triggers iFlow. Its purpose is to verify that each incoming request carries a valid OAuth2 token issued by the other API hosted on the same BTP tenant; requests without such a token are rejected before they reach iFlow.
Below is the XML snippet for the policy:
Step 2. Additional checks
Ensure that you have assigned your APIs to the same Product.
See Important Concepts of API Management
As an additional step, ensure that the Product containing your APIs is assigned to the Application in the API Business Hub Enterprise.
Step 3. Testing
Using your preferred client software, create a new request with the API that triggers iFlow and provide the following details for authorization:
If you are using the Postman app, select the OAuth 2.0 authorization type for the request (Step #1), enter the URL of the API in your BTP tenant that generates the OAuth2 token as the token endpoint (Step #2), and use the client ID and client secret generated for your application in the API Business Hub Enterprise.
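As an added example (not code from the original post), here is a small Python client that performs the Step 3 test end to end: it requests a token with the client credentials, calls the iFlow proxy with that token, and also calls the proxy without a token to confirm that the new policy rejects the request. The URLs, client ID and secret are placeholders you must replace with your tenant's values; the `opener` parameter exists only so the flow can be exercised without a network.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

# Placeholder endpoints (assumed; replace with the URLs of your own API proxies)
TOKEN_URL = "https://<tenant>.apimanagement.<region>.hana.ondemand.com/oauth/token"
IFLOW_API_URL = "https://<tenant>.apimanagement.<region>.hana.ondemand.com/trigger-iflow"


def _send(req, opener):
    """Send a request and return (status, body), also for HTTP error responses."""
    try:
        with opener(req) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8")


def fetch_token(token_url, client_id, client_secret, opener=urllib.request.urlopen):
    """Client-credentials grant: the ID and secret travel in a Basic header, not in the URL."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    data = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    req = urllib.request.Request(token_url, data=data, method="POST")
    req.add_header("Authorization", f"Basic {creds}")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    status, body = _send(req, opener)
    if status != 200:
        raise RuntimeError(f"token request failed: HTTP {status}")
    return json.loads(body)["access_token"]


def trigger_iflow(api_url, payload, token=None, opener=urllib.request.urlopen):
    """Call the iFlow proxy; token=None simulates a client that skips authorization."""
    req = urllib.request.Request(api_url, data=payload, method="POST")
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    return _send(req, opener)


def verify_policy(token_url, api_url, client_id, client_secret, payload,
                  opener=urllib.request.urlopen):
    """Return (status without token, status with token); a working policy gives (401, 200)."""
    unauth_status, _ = trigger_iflow(api_url, payload, None, opener)
    token = fetch_token(token_url, client_id, client_secret, opener)
    auth_status, _ = trigger_iflow(api_url, payload, token, opener)
    return unauth_status, auth_status
```

If the first status is 200 rather than 401, the policy is not attached to the proxy or not in the request flow, and the iFlow is still reachable without a token.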