Apisero is now part of NTT DATA - Learn more.

Close this search box.

How To Connect With MasterCard APIs With OAuth1.0 For Authentication Via MuleSoft

Authors: Nisha Kshirsagar & Prathamesh Kulkarni

In this article, we will learn how to make calls to the third party APIs which use OAuth1.0 as authentication method using MuleSoft. The HTTP request connector does not support OAuth 1.0 hence we will be using the dataweave to dynamically compute the OAuth1.0  parameters. Here we are using Mastercard APIS for the demonstration.

  1. Anypoint studio.
  2. Trial account and necessary access for the Mastercard portal.
Let’s start:

1. Once you create the account in Mastercard (https://developer.mastercard.com/) then navigate under “Projects” and create a new Project.

2. Set up the project and provide the project name then you will be able to download the .p12 keystore file. The PKCS#12 keystore contains the private key used for signing requests to Mastercard APIs.

3. Save your keystore credentials.  

4. Navigate to the project section and open the project which is created above. Save the consumerKey for later use.

5. Go thru the API documentation and call one of the api ‘getDataSource’ from the postman as shown below:

Edit ‘Authorization’ section with-

  • Type = OAuth 1.0
  • Add authorization data to = Request header.
  • Signature Method = RSA-SHA256 
  • Consumer Key = Retrieved from step 4.
  • Private Key = The private key is encrypted in the keystore file retrieved from  step 3. Convert the P12 key into an RSA key using the following command  openssl pkcs12 -in ‘mykey.p12’ | openssl rsa -out myrsa.key.
  • Version = 1.0
  • Enable the option for ‘Include buddy hash’.
  • Enable the option for ‘Encode the Parameters in the Authorization’.
  • oauth_nonce and oauth_timestamp = The OAuth nonce is a random string, uniquely generated for each request and also unique within a given time window.
    The request timestamp is a positive integer representing the number of seconds since 1970. It must match the current time. In this example, 1558370962 is equivalent to 05/20/2019 @ 4:49pm (UTC).The timestamp and nonce pair must be unique.
  • Oauth_body_hash = It contains a base64-encoded SHA-256 digest of the body.
  • Oauth_signature = This is the base64-encoded RSA signature of the request, produced using your private signing key.

6. We invoked the Mastercard API from the postman and it was successful. Now we will make this call from the MuleSoft application. Create a sample application in MuleSoft as shown below

a) Set private Key – This transformation contains the private key retrieved from keystore file.

b) Oauth_signature – This transform message contains the dataweave code for generating the OAuth parameters.

%dw 2.0
output application/json
import dw::Crypto
import * from dw::core::Binaries
import toBinary from dw::core::Numbers
import withMaxSize from dw::core::Strings
import toBase64 from dw::core::Binaries
import * from dw::core::URL
var http_method = "POST"
var query_string = payload
fun generateString(n: Number) = 
do {var x = ('0123456789' ++ 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' ++ 'abcdefghijklmnopqrstuvwxyz')
  0 to (n-1) reduce (item, acc="11") -> acc ++ x[ceil(random()*sizeOf(x))]}
var oauth_nonce = generateString(11)
var oauth_timestamp = now() as Number
var oauth_signature_method = "RSA-SHA256"
var oauth_version = "1.0"
var consumer_secret = vars.privateKey
var oauth_body_hash = encodeURIComponent(toBase64(Crypto::hashWith(payload, "SHA-256")))
var parameter_string = encodeURIComponent('oauth_body_hash=') ++ oauth_body_hash ++ encodeURIComponent('&oauth_consumer_key=' ++ oauth_consumer_key ++
 '&oauth_nonce=' ++ oauth_nonce ++ '&oauth_signature_method=' ++ oauth_signature_method ++ '&oauth_timestamp=' ++ oauth_timestamp ++ '&oauth_version=' 
  ++ oauth_version) 
var signature_base_string = http_method ++ '&' ++ encodeURIComponent(base_url)  ++ '&' ++ parameter_string
var signing_key = consumer_secret
    http_method: http_method,
    base_url: base_url,
    query_string: query_string,
    oauth_consumer_key: oauth_consumer_key,
    oauth_signature_method: oauth_signature_method,
    oauth_timestamp: oauth_timestamp,
    oauth_nonce: oauth_nonce,
    oauth_version: oauth_version,
    consumer_secret: consumer_secret,
    signing_key: signing_key,
    parameter_string: parameter_string,
    signature_base_string: signature_base_string,
    oauth_body_hash: oauth_body_hash,
    signature: toHex(Crypto::hashWith(signature_base_string as Binary, "SHA-256"))

c) Generate Signature: Here the Signature base string needs to be Signed with the RSH-SHA256 algorithm. To perform this action we have used ‘Dataweave JWT Library’ (https://www.mulesoft.com/exchange/68ef9520-24e9-4cf2-b2f5-620025690913/data-weave-jwt-library/minor/1.0/pages/RSA/#alg-index

d) Authorization header = Here the Authorizationheader is prepared by concatenating all the fields mentioned above.

e) Convert header to string = Here the authorization header is converted in string format.

f) Request Mastercard api = Here the http request is made to Mastercard api by passing the authorization header, the payload and the content type.

7. Deploy the code and test.

******** Happy Learning ********

We use cookies on this site to enhance your user experience. For a complete overview of how we use cookies, please see our privacy policy.