As more organizations use APIs in their systems, they've become targets for the not-so-good-doers so API Security is something you need to take seriously. Most APIs today use the HTTP protocol so organizations should protect them as they would ordinary web properties.
Starting in v13,
APM is able to act as an OAuth
Client, OAuth Resource Server and OAuth
Authorization Server. In this example, we will show how to use BIG-IP APM to
act as an OAuth Resource Server protecting the API.
In our environment, we’ve published an API (api.f5se.com) and we’re trying to
get a list of departments in the HR database. The API is not natively protected
and we want APM to enable OAuth protection to this API.
First, let’s try an unauthenticated request.
You can see we get the 401 Unauthorized response which is coming from the
BIG-IP. In this instance we’re only sending 3 headers, Connection (close),
Content Length (0) and WWW Authenticate (Bearer), indicating to the client that
it wants Bearer Token authentication.
Here the Getpostman.com (Postman toolchain for API developers) is preconfigured
to get a new access token from the OAuth authorization server, which is a
We will request the OAuth token and will need to authenticate to the BIG-IP.
After that, we get an authorization request. In this case, BIG-IP is acting as
an Authorization server and is indicating to the resource owner (us) that there
is a HR API application that wants to use certain information (about us) that
the authorization server is going to provide.
We’ll click Authorize and now we have our auth token and is saved in the
Within the token properties we see that it expires in 300 seconds, it is a
Bearer token and the scope is api-email and we get a refresh token as well.
Now we can add this token to the header and try to make a request again. And
this time, we get a much better response.
We get a 200 OK, along with the headers of the application server. We’ll
click on the Body tab within Postman, we’ll see the XML that the API has
returned in response to the query for the list of departments that are
available. There were no cookies being returned by the server if you were
wondering about that tab. In the Headers tab we see the Authorization header
that was being sent and the content of the Bearer token.
A simple way to easily protect your APIs leveraging OAuth 2.0 Resource Server
capabilities in BIG-IP.
Special thanks to Michael
Koyfman for the basis of the content and check out his full demo here.