Outbound OAuth - Alternatives



We would like to call some REST API secured by the OAuth client credentials flow. So the API provider needs a pre-designed client id/secret in order to generate the Bearer token needed for all API calls K2 makes.


Unfortunately, after consulting with professional services, it turns out that K2 Five does not support this, because the OAuth resource type uses a GET request with client_id and client_secret to the /token endpoint. This is not allowed as per the relevant standards; for security reasons it has to be a POST. So K2 is unable to retrieve the bearer token.


As per this KB, the alternatives are

  • Static - The API provider does not support this
  • Impersonate and Service account - The API provider does not support Windows authentication so this is not feasible.
  • SSO - I am not sure I understand how this works


Any ideas?


Thanks


2 replies

If you are using K2 Five, consider writing a custom service broker that would implement a POST in code to return the token which could then be passed in a composite SmartObject to the next REST call method. Similar in K2 Cloud, but with a JSSP broker.
David - Understood, but then that begs the question - why not simply implement all the necessary REST API integration, including authentication, in custom code and surface that as an endpoint assembly service type?

Can you point me to some examples of writing a custom service broker to do this POST to get an OAuth token?

Thanks
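What the custom broker David describes has to do on the wire, as an added example that is not part of the original thread or of K2's own code. It is written in Python rather than the C# a K2 Five service broker would actually use, so the logic can be read and run on its own: one side builds the RFC 6749 client-credentials request as a POST with the client id/secret in an HTTP Basic header, and a constructed stand-in for the provider's /token endpoint shows why the GET that K2's OAuth resource type issues is refused (the secret would travel in the query string). The client id, secret, port and the /api/orders resource are all invented for the example.

```python
"""OAuth 2.0 client-credentials grant: the POST a custom broker would issue, plus a
constructed token endpoint that behaves like the provider in the thread (rejects GET)."""
import base64
import json
import secrets
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed registration: the id/secret the API provider would pre-issue to K2.
REGISTERED_CLIENTS = {"k2-outbound": "s3cr3t-from-provider"}
ISSUED_TOKENS = set()  # tokens the stand-in provider has handed out


class ProviderHandler(BaseHTTPRequestHandler):
    """Stand-in for the API provider: /token endpoint plus one Bearer-protected resource."""

    def log_message(self, *args):  # keep the example quiet
        pass

    def _reply(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        path = urllib.parse.urlsplit(self.path).path
        if path == "/token":
            # RFC 6749 s3.2: token requests MUST be POST. A GET would put
            # client_secret into access logs and proxy caches, so refuse it.
            return self._reply(405, {"error": "invalid_request",
                                     "error_description": "use POST"})
        if path == "/api/orders":
            auth = self.headers.get("Authorization", "")
            if not (auth.startswith("Bearer ") and auth[7:] in ISSUED_TOKENS):
                return self._reply(401, {"error": "invalid_token"})
            return self._reply(200, {"orders": ["A-100", "A-101"]})
        self._reply(404, {"error": "not_found"})

    def do_POST(self):
        if self.path != "/token":
            return self._reply(404, {"error": "not_found"})
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        if form.get("grant_type") != ["client_credentials"]:
            return self._reply(400, {"error": "unsupported_grant_type"})
        # Client auth: HTTP Basic (RFC 6749 s2.3.1, preferred) or form-body fallback.
        auth = self.headers.get("Authorization", "")
        try:
            if auth.startswith("Basic "):
                cid, _, csec = base64.b64decode(auth[6:]).decode().partition(":")
            else:
                cid = form.get("client_id", [""])[0]
                csec = form.get("client_secret", [""])[0]
        except (ValueError, UnicodeDecodeError):
            return self._reply(401, {"error": "invalid_client"})
        expected = REGISTERED_CLIENTS.get(cid)
        if expected is None or not secrets.compare_digest(expected.encode(), csec.encode()):
            return self._reply(401, {"error": "invalid_client"})
        token = secrets.token_urlsafe(32)
        ISSUED_TOKENS.add(token)
        self._reply(200, {"access_token": token, "token_type": "Bearer", "expires_in": 3600})


def get_token(token_url, client_id, client_secret):
    """The broker side: POST grant_type in the body, credentials in a Basic header."""
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    req = urllib.request.Request(token_url, data=body, method="POST", headers={
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    })
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def call_api(url, token):
    """The next REST call, using the token the broker returned."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def status_of(url, method="GET", data=None):
    """HTTP status of a request, including 4xx responses (for the negative cases)."""
    try:
        with urllib.request.urlopen(urllib.request.Request(url, data=data, method=method)) as r:
            return r.status
    except urllib.error.HTTPError as e:
        return e.code


def start_provider():
    """Run the stand-in provider on a loopback port; returns its base URL."""
    srv = HTTPServer(("127.0.0.1", 0), ProviderHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}"


if __name__ == "__main__":
    base = start_provider()
    tok = get_token(base + "/token", "k2-outbound", "s3cr3t-from-provider")
    print("orders:", call_api(base + "/api/orders", tok))
    print("GET /token with secret in query ->",
          status_of(base + "/token?client_id=k2-outbound&client_secret=s3cr3t-from-provider"))
```

Inside a real K2 Five broker the get_token logic would live in the service's Execute method (HttpClient in C#), with the token returned as a property so a composite SmartObject can feed it into the Authorization header of the following REST method; the secret itself should come from the service instance's configuration, not be hard-coded as in this constructed example.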
