
Allow calls to REST APIs with OAuth 2.0

Users can interact with external REST API endpoints that support OAuth 2.0 client assertion using the client credentials grant type. To configure this, annotate your application endpoints that mix the REST Type. Then, update the configuration to include OAuth client credentials and a key pair.

Requirements

To configure your application to use OAuth 2.0 for REST API requests, complete the following requirements:

  • Have access to an OAuth 2.0 provider.
  • Have the AppAdmin role to complete the configuration at the application level.
  • Have custom Types that mix the REST Type as REST API endpoints for your OAuth 2.0 provider.
  • Have a client ID and client secret value from an OAuth 2.0 provider.
  • Have a private key from your OAuth 2.0 provider. See Generate a Cryptographic Key ID to learn how to generate one.

Configure your application to use OAuth 2.0 for REST API requests

Complete these steps to allow users to make requests to REST API endpoints that support OAuth 2.0 client assertion.

  1. Add the @rest annotation with OAuth 2.0 scopes to custom REST Types for your provider.

    Here is an example custom Type for Google Cloud Storage API that has the annotation:

    Type
    type GoogleCloudStorage mixes REST, Singleton {
    
    /**
    * GET https://storage.googleapis.com/storage/v1/b/<bucketId>
    */
    @rest(uri='b', method='GET',  oAuth2Scope=['devstorage.read_only'])
    getBucketMetadata: abstract function(@rest(partOfURI=true, uriPrefix='/') bucketId: !string): GoogleCloudStorage.Bucket.Metadata
    }

    The @rest annotation defines the OAuth 2.0 scope for the JWT that the C3 AI REST Engine generates.

    Annotate your custom Types accordingly, replacing devstorage.read_only with a scope defined by your OAuth 2.0 provider and using an API request defined by that provider.

  2. Update the OAuth 2.0 provider instance configuration to include client credentials and a cryptographic key pair in the application C3 AI Console. Include the client ID value and private key value from the provider.

    Here is an example configuration for the GoogleCloudStorage custom Type:

    JavaScript
    GoogleCloudStorage.setOAuth("https://storage.googleapis.com/storage/v1/b",
      RestConfig.OAuth.make({
        clientCredentials: { clientId: <client_id> },
        keyPair: { id: <crypto_key_id> },
        tokenEndpoint: "https://oauth2.googleapis.com/token"
      }))

    This command retrieves the current OAuth 2.0 provider instance configuration and prepares to set a new configuration. Then, it creates an OAuthApplicationCredentials instance with the client credentials, and creates a key pair with the private key from the CryptoKey API.

    Replace the following:

    • GoogleCloudStorage with your custom Type
    • https://storage.googleapis.com/storage/v1/b with your API endpoint
    • <client_id> with the client ID value from your provider
    • <crypto_key_id> with your private key ID. If a ClusterAdmin generated the private key using the CryptoPrivateKey Type, use <your_custom_type>.setupPrivateKey(CryptoPrivateKey.fromJwk(<jwk_string>)) to pass the private key.
    • https://oauth2.googleapis.com/token with your token endpoint

After you annotate REST endpoints with OAuth 2.0 scopes and update the provider configuration, a user can make a REST API call to the OAuth 2.0 provider.
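
To show what a client assertion with the client credentials grant looks like on the wire, the following added example (not C3 AI code and not the REST Engine's implementation) builds a signed JWT, the token request that carries it, and the check a provider would run on it. It follows RFC 7523; the claim layout, the scope claim inside the JWT, the function names, and the client and key IDs are assumptions, and the key pair is a throwaway generated at run time.

```javascript
// Added example: RFC 7523 client assertion for the client credentials grant.
// Claim layout, key and IDs are assumptions / constructed values, not C3 AI internals.
const { generateKeyPairSync, createSign, createVerify, randomUUID } = require('node:crypto');

const b64url = (v) => Buffer.from(v).toString('base64url');

// Build and sign the JWT the client presents to authenticate itself.
function buildClientAssertion({ clientId, keyId, tokenEndpoint, scopes, privateKey, now }) {
  const header = { alg: 'RS256', typ: 'JWT', kid: keyId };
  const claims = {
    iss: clientId,            // RFC 7523: issuer and subject are both the client
    sub: clientId,
    aud: tokenEndpoint,       // binds the assertion to one token endpoint
    scope: scopes.join(' '),  // assumed: the scope travels inside the JWT
    iat: now,
    exp: now + 300,           // short lifetime limits reuse of a captured assertion
    jti: randomUUID(),        // unique ID lets the provider reject duplicates
  };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const signature = createSign('RSA-SHA256').update(signingInput).sign(privateKey);
  return `${signingInput}.${b64url(signature)}`;
}

// Form body POSTed to the token endpoint; this body carries no client secret.
function buildTokenRequest(assertion) {
  return new URLSearchParams({
    grant_type: 'client_credentials',
    client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
    client_assertion: assertion,
  }).toString();
}

// Provider-side check: algorithm, signature, audience and expiry must all hold.
function verifyClientAssertion(jwt, publicKey, expectedAud, now) {
  const [h, c, s] = jwt.split('.');
  if (!h || !c || !s) return null;
  const header = JSON.parse(Buffer.from(h, 'base64url').toString());
  if (header.alg !== 'RS256') return null; // pin the algorithm instead of following the header
  const ok = createVerify('RSA-SHA256').update(`${h}.${c}`).verify(publicKey, Buffer.from(s, 'base64url'));
  const claims = JSON.parse(Buffer.from(c, 'base64url').toString());
  return ok && claims.aud === expectedAud && claims.exp > now ? claims : null;
}

// Constructed sample values (throwaway key, placeholder client and key IDs).
const { privateKey, publicKey } = generateKeyPairSync('rsa', { modulusLength: 2048 });
const sample = { clientId: 'example-client-id', keyId: 'example-key-id',
  tokenEndpoint: 'https://oauth2.googleapis.com/token', scopes: ['devstorage.read_only'],
  privateKey, now: 1700000000 };
```

Calling buildTokenRequest(buildClientAssertion(sample)) yields the form body; decoding the middle segment of the assertion while troubleshooting shows which scope and audience were actually requested.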
