6 Administration

6.1 Deployment

The deployment of ApiFest Mapping Server and ApiFest OAuth 2.0 Server for development and simple test goals is described in the corresponding chapters - 3.1 and 4.1. The deployment for stress tests environment and production environment requires increasing the file descriotors of the OS so the servers can handle more connections. It's recommended to start several nodes of ApiFest Mapping Server and ApiFest OAuth 2.0 Server and set a load balancer in front of them.

6.2 ApiFest Mapping Server administration services

This chapter covers all available administration services exposed by the ApiFest Mapping Server.
The following table summarizes all available administration services. Follow the link in order to get more details about a service.

service description link
GET/apifest-mappings Returns all the mappings loaded in the ApiFest Mapping Server. 6.2.1
GET/apifest-global-errors Returns all custom global errors loaded in the ApiFest Mapping Server. 6.2.2
GET/apifest-reload Reloads online mappings and global-errors configurations. 6.2.3

6.2.1 Check current loaded mappings

You can check the current mappings loaded in the ApiFest Mapping Server by the following request:
GET /apifest-mappings
The response is in JSON format.

Here is an example response:
{
  "v1.0": {
    "mappings": {
      "com.apifest.MappingPattern@e1a60a8b": {
        "backendPort": 5000,
        "backendHost": "127.0.0.1",
        "varExpression": "[A-Z]{3}",
        "varName": "code",
        "authType": "client-app",
        "scope": "basic",
        "method": "GET",
        "internalEndpoint": "/countries/{code}",
        "externalEndpoint": "/v1.0/countries/{code}"
      },
      "com.apifest.MappingPattern@56eff2b4": {
        "backendPort": 5000,
        "backendHost": "127.0.0.1",
        "authType": "user",
        "scope": "basic",
        "method": "GET",
        "internalEndpoint": "/users/{userId}",
        "externalEndpoint": "/v1.0/me",
        "action": {
          "actionClassName": "com.apifest.example.ReplaceCustomerIdAction"
        }
      },
      "com.apifest.MappingPattern@9c7e3abe": {
        "backendPort": 5000,
        "backendHost": "127.0.0.1",
        "authType": "client-app",
        "scope": "basic",
        "method": "GET",
        "internalEndpoint": "/countries",
        "externalEndpoint": "/v1.0/countries"
      }
    },
    "actions": {
      "com.apifest.example.ReplaceCustomerIdAction":
      "com.apifest.example.ReplaceCustomerIdAction"
    },
    "filters": {
    },
    "errors": {
    }
  }

6.2.2 Check current loaded custom global errors

You can check the current custom global errors loaded in the ApiFest Mapping Server by the following request:
GET /apifest-global-errors
The response is in JSON format.

Here is an example response:
{
  "404": "{\"error\":\"resource not found\"}",
  "500": "{\"error\":\"ops ...something wrong happened\"}"
}

6.2.3 Online configuration reload

In order to reload ApiFest mappings and custom global errors configuration online, you can use the following request:
GET /apifest-reload
The response is in JSON format.

If the configuration is reloaded successfully, the response body is empty. Otherwise, a response in the following format is returned:
Status Code: 400 Bad Request
Content-Type: application/json
{"error":"[error message]"}

6.3 ApiFest Oauth 2.0 Server administration services

This chapter covers all available administration services exposed by the ApiFest OAuth 2.0 Server.
attention sign All administration services should be secured and accessible only internally (for instance, by your Sys Admins or the personnel that should administrate ApiFest client applications).
The following table summarizes all available administration services. Follow the link in order to get more details about a service.
service description link
POST /oauth20/scopes Registers a new scope. 6.3.1.1
GET /oauth20/scopes Lists all registered scopes. 6.3.1.2
GET/oauth20/scopes/[scope] Returns details about a specific scope. 6.3.1.3
PUT /oauth20/scopes/[scope] Updates a scope. 6.3.1.4
DELETE /oauth20/scopes/[scope] Deletes a scope. 6.3.1.5
POST/oauth20/applications Registers a new client application. 6.3.2.1
GET/oauth20/applications Lists all registered client applications. 6.3.2.3
GET/oauth20/applications/[client_id] Returns details about a specific client application. ??
PUT/oauth20/applications/[client_id] Updates a client application. 6.3.2.5
POST/oauth20/tokens/revoke Revokes an access token. 6.3.3
GET/oauth20/tokens/validate Validates an access token. 6.3.4

6.3.1 Scope services

This chapter describes all available services in the ApiFest OAuth 2.0 Server related to scopes.

6.3.1.1 Register a scope

In order to register a scope, use the following service:
POST /oauth20/scopes
Content-Type: application/json
{"scope":[scope name],"description":[description],"cc_expires_in":[client credentials tokens expiration time in seconds], "pass_expires_in":[password tokens expiration time in seconds], "refresh_expires_in":[refresh tokens expiration time in second]}

Below is an example request/response.
Request:
POST http://127.0.0.1:8080/oauth20/scopes
Content-Type: application/json
{
  "scope": "basic",
  "description": "basic scope",
  "cc_expires_in": 1800,
  "pass_expires_in": 900,
  "refresh_expires_in": 3600
}

Response:
Status Code: 200 OK
Content-Type: application/json
{"status":"scope successfully stored"}

You can see more details in chapter 4.3.

6.3.1.2 List all registered scopes

In order to list all registered scopes, use the following service:
GET /oauth20/scopes

Below is an example request/response.
Request:
GET http://127.0.0.1:8080/oauth20/scopes

Response:
Status Code: 200 OK
Content-Type: application/json
[
  {
    "description": "basic scope",
    "cc_expires_in": 1800,
    "pass_expires_in": 900,
    "scope": "basic",
    "refresh_expires_in": 3600
  },
  {
    "description": "extended scope",
    "cc_expires_in": 300,
    "pass_expires_in": 120,
    "scope": "extended",
    "refresh_expires_in": 600
  }
]

6.3.1.3 Get details about a scope

In order to get the details about a scope, you can use the following service:
GET /oauth20/scopes/[scope]
where scope is the name of the scope.

Below is an example request/response.
Request:
GET http://127.0.0.1:8080/oauth20/scopes/extended

Response:
{
  "description": "extended scope",
  "cc_expires_in": 300,
  "pass_expires_in": 120,
  "scope": "extended",
  "refresh_expires_in": 600
}

6.3.1.4 Update a scope

In order to update a scope, you can use the following service:
PUT /oauth20/scopes/[scope]
Content-Type: application/json
{"description":[description],"cc_expires_in":[client credentials tokens expiration time in seconds], "pass_expires_in":[password tokens expiration time in seconds], "refresh_expires_in":[refresh tokens expiration time in second]}

Below is an example request/response.
Request:
PUT http://127.0.0.1:8080/oauth20/scopes
Content-Type: application/json
{"description":"new basic scope description"}

Response:
Status Code: 200 OK
Content-Type: application/json
{"status":"scope successfully updated"}

6.3.1.5 Delete a scope

In order to delete a scope, you can use the following service:
DELETE /oauth20/scopes/[scope]
where scope is the name of the registered scope.

Below is an example request/response.
Request:
DELETE http://127.0.0.1:8080/oauth20/scopes/extended

Response:
Status Code: 200 OK
Content-Type: application/json
{"status":"scope successfully deleted"}

attention sign You cannot delete a scope if it is assigned to an active client application.

If you try to delete a scope that is assigned to a client application, then the following response will be returned:
Status Code: 200 OK -> should be Bad Request??
Content-Type: application/json
{"status":"scope cannot be deleted, there are client apps registered with it"}

6.3.2 Client application services

This chapter describes all available services in the ApiFest OAuth 2.0 Server related to client applications.

6.3.2.1 Register a client application

In order to register a client application, you can use the following service:
POST /oauth20/applications
Content-Type: application/json
{"name":[client application name],"description":[description],"scope":[scope], "redirect_uri":[redirect uri], "details":[refresh tokens expiration time in second],"client_id":[client id],"client_secret":[client secret]}

Below is an example request/response.
Request:
POST http://127.0.0.1:8080/oauth20/applications Content-Type: application/json {
  "name": "test_app",
  "description": "test client app",
  "scope": "test_scope",
  "redirect_uri": "http://127.0.0.1:8080"
}

Response:
Status Code: 200 OK
Content-Type: application/json
{
  "client_id": "b9db6d84dc98a895035e68f972e30503d3c724c8",
  "client_secret": "105ef93e7bb386da3a23c32e8563434fad005fd0a6a88315fcdf946aa761c838"
}

attention sign Note, a predefined client_id and client_secret could be passed to the service so the registered client application will use them. That could be used for migration purposes. The pattern for client_id is [a-f[0-9]]+ as the client_id is a hash value, it can contain only letters from a to f and digits.

Below is an example request/response.
Request:
POST http://127.0.0.1:8080/oauth20/applications
Content-Type: application/json
{
  "name": "test_app",
  "description": "test client app",
  "scope": "test_scope",
  "redirect_uri": "http://127.0.0.1:8080",
  "client_id": "b9db6d84dc98a895035e68f972e30503d3c724c8",
  "client_secret": "105ef93e7bb386da3a23c32e8563434fad005fd0a6a88315fcdf946aa761c838"
}

Response:
Status Code: 200 OK
Content-Type: application/json
{
  "client_id": "b9db6d84dc98a895035e68f972e30503d3c724c8",
  "client_secret": "105ef93e7bb386da3a23c32e8563434fad005fd0a6a88315fcdf946aa761c838"
}

6.3.2.2 Activate/Deactivate a client application

By default, when a client application is registered its status is inactive and it couldn't be used.
In order to activate a client application, use the following request:
PUT /oauth20/applications/[client_id]
Content-Type:application/json
{"status":[status]}
where client_id is the client id of the client application and status is the new status of the client application - 0 - means the client application is deactivated, 1 - the client application is activated.

Below is an example request/response.
Request:
PUT http://127.0.0.1:8080/oauth20/applications/b9db6d84dc98a895035e68f972e30503d3c724c8
Content-Type: application/json
{"status":1}
where status 1 is active, 0 - inactive.

Response:
Status Code: 200 OK
Content-Type: application/json
{"status":"client application updated"}

6.3.2.3 List all registered client applications

You can list all registered client applications by using the following service:
GET /oauth20/applications
Below is an example request/response.
Request:
GET http://127.0.0.1:8080/oauth20/applications

Response:
Status Code: 200 OK
[
  {
    "name": "test2_app",
    "description": "test 2 client app",
    "client_id": "e523d42ce29f66235c6356f546e7f1262183626e",
    "client_secret": "ec859edc5430e601ffb98892413a2b51aca32f13eb2c4353717d7849594acac7",
    "scope": "test_scope",
    "registered": "Sun May 10 16:10:03 EEST 2015",
    "redirect_uri": "http://127.0.0.1:8080",
    "status": 0
  },
  {
    "name": "test_app",
    "description": "test client app",
    "client_id": "b9db6d84dc98a895035e68f972e30503d3c724c8",
    "client_secret": "105ef93e7bb386da3a23c32e8563434fad005fd0a6a88315fcdf946aa761c838",
    "scope": "test_scope",
    "registered": "Thu May 07 15:01:40 EEST 2015",
    "redirect_uri": "http://127.0.0.1:8080",
    "status": 1
  }
]

6.3.2.4 List all active/inactive client applications

You can list all client applications filtered by their status (active or inactive) using a query parameter to the service for listing client applications.
GET /oauth20/applications?status=[status]
where status is the status of the client application - 0 - inactive, 1 - active.

Here is an example request/response that lists all active client applications.
Request:
GET http://127.0.0.1:8080/oauth20/applications?status=1

Response:
Content-Type: application/json
[
  {
    "name": "test_app",
    "description": " test client app",
    "client_id": "b9db6d84dc98a895035e68f972e30503d3c724c8",
    "client_secret": "105ef93e7bb386da3a23c32e8563434fad005fd0a6a88315fcdf946aa761c838",
    "scope": "test_scope",
    "registered": "Thu May 07 15:01:40 EEST 2015",
    "redirect_uri": "http://10.46.16.93:8080",
    "status": 1
  }
]

Here is an example request/response that lists all inactive client applications.
Request:
GET http://127.0.0.1:8080/oauth20/applications?status=0

Response:
Status Code: 200 OK
Content-Type: application/json
[
  {
    "name": "test2_app",
    "description": "test 2 client app",
    "client_id": "e523d42ce29f66235c6356f546e7f1262183626e",
    "client_secret": "ec859edc5430e601ffb98892413a2b51aca32f13eb2c4353717d7849594acac7",
    "scope": "test_scope",
    "registered": "Sun May 10 16:10:03 EEST 2015",
    "redirect_uri": "http://127.0.0.1:8080",
    "status": 0
  }
]

6.3.2.5 Update a client application

A registered client application details could be updated using the following request:
PUT /oauth20/applications/[client_ id]
where client_id is the client id of the client application.

Here is an example request/response.
Request:
PUT http://127.0.0.1:8080/oauth20/applications/b9db6d84dc98a895035e68f972e30503d3c724c8
Content-Type: application/json
{
  "description": "updated descr",
  "scope": "test_scope",
  "application_details": {
    "division": "IT",
    "organization": "MM"
  }
}

Response:
Status Code: 200 OK
Content-Type: application/json
{"status":"client application updated"}

You can update only the description, the scope, the application details and the status of a client application.

6.3.3 Access token revocation

An access token could be revoked using the following service:
POST /oauth20/tokens/revoke
Content-Type: application/json
{"access_token":[access_token],"client_id":[client_id]}
where access_token is the access token to be revoked, client_id is the client id of the client application the access token is issued for.

Here is an example request/response.
Request:
POST http://127.0.0.1:8080/oauth20/tokens/revoke
Content-Type: application/json
{
  "access_token": "f48db3829c71b9dc4957e3bb7b804bd0d44db10a2b9e30346796c2d9e9f44722",
  "client_id": "b9db6d84dc98a895035e68f972e30503d3c724c8"
}

Response:
Status Code: 200 OK
Content-Type: application/json
{"revoked":"true"}

6.3.4 Access token validation

One can check whether an access token is valid or not, using the following service:
GET /oauth20/tokens/validate?token=[access_token]

Here is an example request/response.
Request:
GET http://127.0.0.1:8080/oauth20/tokens/validate?token=f48db3829c71b9dc4957e3bb7b804bd0d44db10a2b9e30346796c2d9e9f44722

Response:
Status Code: 200 OK
Content-Type: application/json
{
  "token": "f48db3829c71b9dc4957e3bb7b804bd0d44db10a2b9e30346796c2d9e9f44722",
  "refreshToken": "fe45a6ea3d7a0f2cacc864523ab586551739bcbe1a167fe1d37edc6b004ad452",
  "expiresIn": "120",
  "type": "Bearer",
  "scope": "test_scope",
  "valid": true,
  "clientId": "b9db6d84dc98a895035e68f972e30503d3c724c8",
  "codeId": "",
  "userId": "12345",
  "created": 1432542201299,
  "refreshExpiresIn": "300"
}

Here is an example request/response when the access token is invalid (expired or never issued).
Request:
GET http://127.0.0.1:8080/oauth20/tokens/validate?token=f48db3829c71b9dc4957e3bb7b804bd0d44db10a2b9e30346796c2d9e9f44722

Response:
Status Code: 401 OK
Content-Type: application/json
{"error":"invalid access token"}