Error code getting handled at the tool level

[psidana1983]

Hi Team ,

In my company we use a third party tool to expose the APIs to customers. This tool manages the authentication and authorization of the customers which means in case of any unauthorized user the system will return its own error and the control will never reach till the code level where a developer can modify it as per CAMARA standards .

So considering that i don't have a control at the tool level, how can I create CAMARA Complaint API .

[eric-murray]

Moving to Discussions

[eric-murray]

API gateway products do exist that allow you to customise error responses.

[psidana1983]

i am able to customize the error response once the control reached to my code level but in this case , its getting handled at the tool level it self so unable to customize.

[eric-murray]

Then your problem is with the tool you are using. What is your proposal? That CAMARA modify the API error messages to match the tool that you happen to be using?

[psidana1983]

I agree that you can not capture all such cases , as there are so many tools in the market so i suggest to update the documentation saying these 2 specific error codes will be specific to provider .
Also, i see another challenge , as in these cases the fields getting returned are
{
httpStatus
httpCode
httpMessage
}

[eric-murray]

No - you will need to live with this non-compliance.

[psidana1983]

ok , thanks

[psidana1983]

To the best of your knowledge can you suggest me any of the API Gateway tool that supports to modify the error messages at tool level . I would use it for my tool comparison .

Meanwhile, just to update you that i am facing this issue specifically with my OAuth API , not the resource API. This OAuth API gets exposed by the tool itself and i have no control on the error responses getting sent by the tool . Ex: when you provide incorrect ClientID to fetch the token it generates error in below format .
{
httpStatus
httpCode
httpMessage
}

Whereas I am able to handle all the error messages at Resource API level . I can modify the messages as per CAMARA standards.

So in this case can i say i am still CAMARA compliant or it is mandatory for both OAuth API and Resource API to be CAMARA compliant.? Please suggest.

[psidana1983]

To the best of your knowledge can you suggest me any of the API Gateway tool that supports to modify the error messages at tool level . I would use it for my tool comparison .

Meanwhile, just to update you that i am facing this issue specifically with my OAuth API , not the resource API. This OAuth API gets exposed by the tool itself and i have no control on the error responses getting sent by the tool . Ex: when you provide incorrect ClientID to fetch the token it generates error in below format .
{
httpStatus
httpCode
httpMessage
}

Whereas I am able to handle all the error messages at Resource API level . I can modify the messages as per CAMARA standards.

So in this case can i say i am still CAMARA compliant or it is mandatory for both OAuth API and Resource API to be CAMARA compliant.? Please suggest.

[psidana1983]

Hi Eric
Any updates on my understanding above

Regards
Prashant Sidana

[eric-murray]

Hi @psidana1983

CAMARA currently does not define requirements for the OAuth token endpoint behaviour, though it is expected that this will be compliant with OAuth standards. The CAMARA OAS definitions include "hooks" for OAuth authentication, but it is anyway expected that API providers will modify these for their own implementation. API clients will not be able to use the CAMARA OAS definitions directly.

This may change given the work of the Identity and Consent sub-project, which is looking at how OAuth and OIDC can be used to enforce end user consent, so keep an eye on that sub-project.

[psidana1983]

Thanks Eric for the response .
So I can have my own error codes for OAUTH service and I can still be CAMARA complaint , provide my resource API is as CAMARA definition .

Regards
Prashant Sidana

[eric-murray]

My view is that you would be CAMARA compliant, but probably not OAuth compliant. But API compliance is still an open issue in CAMARA given that there are, as yet, no production releases of the APIs, and hence nothing to be compliant with. It is not expected that all API implementations will behave identically.