Enable Creating Credentials on the Developer Portal

Follow the steps in this guide to allow users to create credentials as a self-service workflow on the Developer Portal.

Overview

API Connectivity manager supports public API workflows. Public APIs are open for anyone to consume by requesting resource credentials. Resource credentials can be managed on the Developer Portal for public APIs secured with APIKey or Basic Authentication. Consumers have to log in to the Developer Portal to create credentials. Once created, credentials can be used to access APIs. Users can also use the credentials to test APIs on the Developer Portal with the Try It Out feature.

Before You Begin

To complete the steps in this guide, you need to the following:

  • API Connectivity Manager is installed, licensed, and running.
  • You have one or more environments with API Gateway or Dev Portal clusters.

How to Access the User Interface

This guide contains instructions for completing tasks by using the NGINX Management Suite API Connectivity Manager user interface (UI).

To access the UI, navigate to the FQDN for your NGINX Management Suite host and log in. Then, select “API Connectivity Manager” on the Launchpad menu.


Self-Managed Credentials Workflow

On the Developer Portal, logged-in users can create credentials for public APIs. Since this workflow is available only for logged-in users, the OIDC policy must be applied on the Developer Portal to enable SSO with an IDP of choice. In addition, the API proxies should be secured with either Basic Authentication or APIKey authentication policy.

The process for setting up end-to-end credentials is as follows:

  • Enable the Credentials endpoint on the API Connectivity Manager host
  • Enable SSO on the Developer Portal with an OIDC policy
  • Publish the API Proxy and secure it by adding an APIKey or Basic Authentication policy

Afterward, the API consumer can create credentials on the Developer Portal by performing the following:

  • API consumer logs in to developer portal, creates org, app, and credentials for the API.
  • Test the API with the Try It Out option and the newly created credentials.

Enable Create Credentials Endpoint

For security reasons, the Credentials endpoint is disabled by default. To use the Developer Portal credentials workflow, you must enable the Credentials endpoint on the API Connectivity Manager (ACM) host.

Important:
We recommend using mTLS to secure communication between ACM and the Developer Portal.

To enable the Credentials endpoint on the ACM host, take the following steps:

  1. Open an SSH connection into the ACM host and log in.

  2. Enable the Credentials endpoint:

    Open /etc/nms/nginx/locations/nms-acm.conf for editing and uncomment the location block.

    # Deployment of resource credentials from the devportal
    # Uncomment this block when using devportal. Authentication is disabled
    # for this location. This location block will mutually
    # verify the client trying to access the credentials API.
    location = /api/v1/devportal/credentials {
            # OIDC authentication (uncomment to disable)
            #auth_jwt off;
            auth_basic off;
            error_page 401 /401_certs.json;
            # if ($ssl_client_verify != SUCCESS) {
            #   return 401;
            # }
            proxy_pass http://apim-service/api/v1/devportal/credentials;
    }
    
    Note:

    If you’ve secured the communication between ACM and the Developer Portal using mTLS, you can uncomment these lines as well:

      if ($ssl_client_verify != SUCCESS) {
        return 401;
      }
    
  3. Save the changes.

  4. Reload NGINX on the ACM host:

    sudo nginx -s reload
    

Enable SSO on the Developer Portal

  1. Follow the instructions to enable single sign-on (SSO) for the Developer Portal with an OIDC policy.

Publish and Secure the API Proxy

A link to Edit Advanced Configurations is displayed upon publishing the API Proxy. If you want to add policies, this is where to do that.

To add an APIKey Authentication policy:

  1. Select Policies in the advanced section of the menu.
  2. Select Add Policy for the APIKey Authentication policy, then complete the required information in the form.
  3. (Optional) To quickly test the setup, you can create a test credential. Add a credential by selecting Add APIKey and specifying Client ID and APIKey.
  4. Select Add Policy.
  5. Select Save and Publish.

Add a CORS Policy

Depending on the domain, you might need to add a CORS policy to the API proxy in order to use the Try It Out feature on the Developer Portal.

To add a CORS policy:

  1. Select the Policies menu item in the advanced section of the menu.
  2. Select Add Policy for the CORS policy. then complete the required information in the form.
  3. Add the header used in the APIKey policy above to the OPTIONS request.
  4. Select Add Policy.
  5. Select Save and Publish.

Create Credentials

Log in to the Developer Portal as an API Consumer. Use the Create Credentials option to create credentials for the API.

Important:
To avoid misuse, the API Consumer may create only one APIKey per API.

Try It Out on the Developer Portal

Once the credentials have been created and are available, you can use the Try It Out feature on the Developer Portal to test the API using the newly created credentials.