2 minute read

Using REST API with API Connect

In this topic we will show how to create the necessary credentials to call REST API against a provider organisation.

To call REST API against API Connect you need to have

  • client id
  • client secret
  • access token

Reference link: APIC 2018 REST API Reference link APIC v10 REST API Reference link

in this post we will use the apicmgmt variable to point to the APIC manager host.

Get client creds

In order to call APIC REST API you need to obtain credentials (clientId/secret) for the application that will performs the call requests.

To register an application, you need to login as admin on the manager with admin scope using CLI. It should also be possible to register

You might choose to create a specific user to access the admin scope using the cli.

  • In members -> invite a member with role administrator
  • Use the activation link to signup and choose the manager user registry

Login with the cli

Get the user registry that you can use (used to register the admin cli user)

./apiccli identity-providers:list --scope admin -s $apiccloud
default-idp-1
common-services
  • apiccloud is the api cloud manager endpoint
  • default UR has been used here: default-idp-1.

Login to the admin organization

./apiccli login --server $apiccloud --username admincli --realm admin/default-idp-1

Register an application

The registration is made by using a client configuration file in json format:

{
  "name": "<yourAppName>",
  "client_id": "<yourClientId>",
  "client_secret": "<yourClientSecret>",
  "client_type": "toolkit"
}

cliend_id and client_secret can be choosen and corresponds to the value that we are looking for. As example we are using

  • name: aceclient
  • client_id: ace-client
  • client_pwd: ace-client-pwd
  • client_type: toolkit

Possible values for the client_type are portal, gateway, toolkit, consumer_toolkit, ui, consumer_ui, ibm_cloud, designer, juhu, atm

The client_type for REST call will be toolkit.

Register your client using the following cli:

./apic registrations:create -s $apiccloud appconfig.json

You can then list the different client application using:

./apic registrations:list -s $apiccloud

Get the access token

The access token depends on the resource that the application needs to access.

If the client application needs to made REST call against a provider organization to publish product for example, the access token for this specific provider organization needs to be requested.

The grant is made using OAuth2 password grant type.
A resource owner, the user of the organization, is giving access to the application to perform some operations.

Input required:

  • api manager end point: apicmgmt
  • client id (from above)
  • client secret (from above)
  • provider organization user that has administration role
  • UR realm where the provider organization user is defined

The UR realm can be listed using the command that we already used above with scope provider:

./apiccli identity-providers:list --scope provider -s $apicmgmt
default-idp-2
common-services
apicusrldap

The apicusrldap is a custom UR using a local LDAP. The user Oliver is defined in this UR.

curl -v -k -X POST -d '{"username": "<providerOrgUser>", "password": "<providerOrgUsrPwd>", "realm": "provider/<UR>", "client_id": "<yourAppClientId>", "client_secret": "<yourAppClientSecret>", "grant_type": "password"}' -H 'Content-Type: application/json' -H 'Accept: application/json' https://$apicmgmt/api/token

Example of call:

curl -v -k -X POST -d '{"username": "oliver", "password": "oliverpwd", "realm": "provider/apicusrldap", "client_id": "ace-client", "client_secret": "ace-client-pwd", "grant_type": "password"}' -H 'Content-Type: application/json' -H 'Accept: application/json' https://$apicmgmt/api/token

This request will provide an access token

REST call

You can now execute REST call against your organization.

Possible REST call are provided at the following link.

For example to list the drafts objects:

curl --request GET \
  --url 'https://'$apicmgmt'/api/orgs/REPLACE_ORG/drafts/draft-apis' \
  --header 'accept: application/json'
  -k
  --header 'Authorization: bearer <yourAccessToken>

Nothe that the organisation name can be found using cli

apic orgs:list -s $apicmgmt --my

Resources

Additional information can be found here: Consume the API Connect platform

Leave a comment