Configuring REST API connector – OAuth 1.0a (3 legged)

Studio provides several connectors: database connectors such as MySQL and Microsoft SQL, and third-party connectors such as Slack, Trello, and Stripe. You can connect to different APIs using their respective authentication methods. The available methods are API Key, Basic Auth (username and password), OAuth (a standard for accessing user permissions without a password), the AWS authentication method, the multistep authentication method, and OAuth 1.0a.

OAuth 1.0a (3 legged) is an authentication method that comprises four main components: user, API, application, and login service. It is the traditional OAuth pattern with resource owner interaction. In this method, a digital signature is created at every step and passed on to the next step.

Configuring the third-party API connector

To add third-party connectors, under Studio > Connectors, click (+) Connector.

Studio has different options, including the REST API connector, which lets you easily connect to third-party APIs and databases and access important systems. It supports OAuth 1.0a (3 legged).

Configure API category

Use the OAuth 1.0a authentication type if your API uses digitally signed parameters. When setting up a Service, your user’s browser will be redirected to your site where you can authenticate them. Your OAuth implementation will then return an access token that your DronaHQ integration will use to authorize requests to your API.

When configuring the APIs, you need to provide the Authentication details for the respective authentication method. Let us see how to configure an API using the OAuth 1.0a (3 legged) method.

Once you select the REST API, enter the Connector name which should ideally be self-explanatory.

In the Authentication section, select OAuth 1.0a (3 legged).

Configure account-specific fields

  • Copy the OAuth redirect URL: Copy the URL provided in this step. It is used in the developer portal of the service, in the client application that will receive OAuth 2.0 credentials. Once you create the client app in the service, paste this URL into the section usually marked as OAuth 2.0 redirect URI of the app. You can add additional permissions if the application requires them. You can also add the redirect URL in the allowed origin section.

  • Enter the application credentials: You need to configure the application credentials. Simply copy the Client Id and Client Secret from the app’s API or from the developer’s setting and paste them in the connector configuration.

  • Signature Method: All token requests and protected resource requests must be signed by the consumer and verified by the service provider, to prevent unauthorized parties from using the consumer key or token when making the token request. The signature process encodes the consumer secret and token secret into a verifiable value which is included in the request.
    There are three different signature methods provided in Studio:

    • HMAC-SHA1: uses the signature algorithm where the Signature Base String is the text and the key is the concatenated values of the Consumer Secret and Token Secret, separated by an ‘&’ character (ASCII code 38) even if empty.
    • HMAC-SHA256: uses the same HMAC signature algorithm with SHA-256 as the hash function.
    • Plain: does not provide any security protection and should only be used over a secure channel such as HTTPS.
  • Add Authorization data to: The authorization parameters can be sent from the user to the service provider in different ways, and in Studio you can choose where to add the auth data.

  • Request Token request: This is the first step in performing OAuth 1.0a (3 legged) authentication: requesting a request token. Add the Request Token URL from your API. Typically no additional settings are needed; optionally, add comma-separated scopes. DronaHQ includes the default fields, though you can click Advanced to customize if needed.

  • Authorization Request: Specifies where the users are sent to authenticate with your API. If you go to the Development portal, you will see the authorization user URL. Copy it from the portal and paste it to the Authorize URL. Usually, when you add the URL from your API no further settings are required. In this request we pass on the request token we fetched from the previous step. We have to save the OAuth token here in the query string parameter to pass it on with the API request.

  • Access Token Request: It specifies the endpoint URL where Studio sends the approval code. It is sent through different method types and receives the access_token in the response. After authorizing application access, users are redirected to the application, passing oauth_verifier and exchanging the request token for the access token.

  • Configure test API for your connector: Add a simple API endpoint to test user credentials. DronaHQ includes data from your input form in the URL Params by default; click Advanced to customize the API call if your API expects them in the header instead. In response to the previous steps, we get another access token. We need to pass query string parameters to fetch the required data.
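The three options under Signature Method can be reproduced outside Studio to check what a provider expects. This is an added example, not DronaHQ code: the helper names (pct, base_string, sign, verify) are hypothetical, and the URL, keys and secrets are the sample values from Appendix A of the OAuth Core 1.0 specification.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qsl, quote, urlsplit

def pct(value):
    """OAuth 1.0a percent-encoding: only unreserved characters stay literal."""
    return quote(value, safe="-._~")

def base_string(method, url, params):
    """Signature Base String: METHOD & base URL & sorted, encoded parameters."""
    u = urlsplit(url)  # assumes the URL carries no explicit default port
    base_url = f"{u.scheme.lower()}://{u.netloc.lower()}{u.path}"
    pairs = parse_qsl(u.query, keep_blank_values=True) + list(params.items())
    pairs = sorted((pct(k), pct(v)) for k, v in pairs if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])

def sign(sig_method, method, url, params, consumer_secret, token_secret=""):
    """Return the oauth_signature value for one request."""
    # Key: encoded secrets joined by '&'. The '&' stays even when the token
    # secret is empty, as it is on the Request Token request.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}"
    if sig_method == "PLAINTEXT":  # the method Studio lists as "Plain"
        return key                 # the secrets themselves go on the wire
    digest = {"HMAC-SHA1": hashlib.sha1, "HMAC-SHA256": hashlib.sha256}[sig_method]
    text = base_string(method, url, dict(params, oauth_signature_method=sig_method))
    mac = hmac.new(key.encode(), text.encode(), digest).digest()
    return base64.b64encode(mac).decode()

def verify(received, *args, **kwargs):
    """Provider-side check: recompute the signature, compare in constant time."""
    return hmac.compare_digest(sign(*args, **kwargs), received)

# Sample values from OAuth Core 1.0, Appendix A (not real credentials)
URL = "http://photos.example.net/photos?file=vacation.jpg&size=original"
PARAMS = {
    "oauth_consumer_key": "dpf43f3p2l4k3l03",
    "oauth_token": "nnch734d00sl2jdk",
    "oauth_timestamp": "1191242096",
    "oauth_nonce": "kllo9940pd9333jh",
    "oauth_version": "1.0",
}
CONSUMER_SECRET, TOKEN_SECRET = "kd94hf93k423kf44", "pfkkdhi9sl3r4s00"

if __name__ == "__main__":
    for m in ("HMAC-SHA1", "HMAC-SHA256", "PLAINTEXT"):
        print(m, sign(m, "GET", URL, PARAMS, CONSUMER_SECRET, TOKEN_SECRET))
```

With Plain, the value sent is the key itself, which is why that method depends entirely on HTTPS; with the HMAC methods, changing any signed parameter invalidates the signature.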

Once the details are filled in, click Test Connection. It will pop up a consent dialog window.

Once the authentication is successful, it will show the message, and you can then save your connection.

Add API

You can now add APIs based on the Connector configuration. Under Studio > Connectors you can see your connector is added. To add your new API as per the API endpoint, click Add API.

Now add the Connector API name and the API endpoint with the required parameters, and test your API.

Managing Environment

You can select the Manage Environment option from the edit button of the configured connector. Here you can manage different environments such as production, staging, development, test environment, and others, of a single account by adding different credentials and other details corresponding to different environments.

Select an environment that you haven’t configured yet by clicking Configure, or click a configured environment to make further changes and edits.
You will see that the environments which are yet to be configured already have auto-generated details including the consumer key and consumer secret. You can make changes from a single place and these changes will reflect on your respective environments.

Once done, click on Save.