Table of Contents
- About these samples
- What you will use
- Accessing content
- Running samples
About these samples
This is a simple set of applications written with Node.js Express, aimed at demonstrating API management with end-user, OAuth2-based security on TIBCO Mashery. The client application sample plays the role of the web/mobile application that needs to consume OAuth2-protected resources hosted on TIBCO Mashery, whereas the server application acts as an OAuth2 Authorization Server and leverages the Mashery OAuth2 API (also called the OAuth2 Accelerator).
Note that only the authorization code grant is illustrated; TIBCO Mashery also supports the three other grant types.
Finally, bear in mind that this is illustrative code and that, as such, there is probably a lot of room for improvement. Feel free to contribute!
What you will use
- TIBCO Mashery®
- Node.js Express
- Git and Github
OAuth2 is not extremely complicated, but if you are new to the subject it may feel a bit overwhelming, and some time will be required for it to sink in. A lot of good material is available to get started:
- Aaron Parecki's OAuth2 Simplified
- Aaron Parecki's OAuth2 Servers, even though you will come to realise that TIBCO Mashery covers the vast majority of what is required.
- IETF OAuth 2.0 Authorization Framework, aka RFC 6749.
There is also a series of community articles written by TIBCO's excellent Andy Hampshire. They give a lot more details about how TIBCO Mashery supports OAuth2 (including a lot of the background required to understand how the server part of the code works) and how to configure your APIs in the Mashery Command Centre to accept OAuth2:
The samples rely on Node.js Express. As a result, you will need to set up a basic environment to run Node.js:
- npm, the node package manager,
Mozilla.org has a very comprehensive tutorial on how to set up Node.js and npm. Node.js being a broad subject, I would advise using these samples only once you have acquired the Node.js basics.
In order to use the samples, you will need:
- a running, OAuth2-enabled instance on which you have administration rights - note that some trial instances do not come with OAuth2 enabled,
- an API key to invoke TIBCO Mashery's own API. This can be obtained by registering on the developer.mashery.com website. It is delivered together with a secret value, which is also required,
- the Site ID of your Mashery instance, which can be procured from TIBCO Support.
Finally, you will need to select one of your TIBCO Mashery API Definitions to be the OAuth2 target private resource and take note of its Service ID. This is fairly easy to do, as this ID is part of the URL when you edit an API Definition in Mashery Control Centre (it will show as https://yourdomain.admin.mashery.com/control-center/api-definitions/Serv...). This API (and its endpoints) will obviously need to be configured in TIBCO Mashery Command Centre for use with OAuth2. Please refer to Andy Hampshire's tutorial for guidance.
All the content has been made available from a GitHub repository named mashery-oauth-demo, ensuring that you always access the latest version.
You will need to clone the repository locally on your computer. Github has documentation for that.
All the preliminary configuration, as well as the instructions to run both samples, is detailed in the repository README.
Here are a few illustrations of the Client UI, which is very basic, but could easily be customised.
Here are a few illustrations of the Server UI, which is also very basic, but could easily be customised.