Mastering Consuming Liferay Headless APIs

Course Overview

Configuring Clarity's Public and Secure API Access

Liferay's service access policies control remote access to web services, ensuring only permitted methods are invoked. OAuth 2.0 provides an additional security layer, registering known to complete authorization. Proper configuration protects your environment by restricting access to approved entities, retrieving sensitive data securely, and ensuring seamless integration with strict access control when leveraging Liferay's headless APIs. Clarity's team would like to test publicizing endpoints with service access policies and implementing OAuth 2.0 security to protect document requests.

In these exercises, you'll configure a service access policy to enable securely fetching and displaying Clarity's blogs within dashboards. Additionally, you'll restrict access to secure documents by registering an OAuth 2.0 application.

Exercise: Retrieving Clarity's Blogs with Headless APIs

Here, you'll consume headless APIs to retrieve Clarity's existing blog posts and access the blogs API endpoint to verify its service signature (used to connect the component via the installed service class’s fully qualified name).

  1. Sign in as the Clarity Admin user.

    • Username: admin@clarityvisionsolutions.com
    • Password: learn

  2. Open the Site Menu (Site Menu), expand Configuration, and click Site Settings.

  3. Under the Platform section, click Site Configuration.

  4. From the Details tab, copy the Site ID for use in a later step.

    From the Details tab, copy the Site ID for use in a later step.

  5. Navigate to the API Explorer at http://localhost:8080/o/api.

  6. Within the default Headless Delivery REST application, search for the getSiteBlogPostingsPage BlogPosting endpoint.

    Search for the BlogPosting endpoint.

    This endpoint has a single required parameter: the siteId.

  7. Enter your Site ID value as the siteId parameter of the getSiteBlogPostingsPage endpoint.

    Enter your Site ID value in the endpoint's parameter.

  8. Click Execute.

    Click Execute and check the response.

    Several useful pieces of information are shown, including the

    • Curl command for executing this request from a terminal or third-party platform.
    • Request URL.
    • HTTP Response code.
    • Response body containing a list of blog postings from the Clarity Public Enterprise website.
    • Response headers.

  9. Search for "headline" within the response body to review the returned blog titles.
    Next, you'll test calling the request URL using the same method as Clarity's dashboards.

  10. Copy the Request URL of the endpoint for later steps.

    Copy the Request URL of the endpoint for later steps.

  11. Open a new browser window in Incognito mode and paste the Request URL.

  12. You will see the following error message indicating that access is denied:

    <Forbidden xmlns="">
<message>Access denied to com.liferay.headless.delivery.internal.resource.v1_0.BlogPostingResourceImpl#getSiteBlogPostingsPage</message>
</Forbidden>
    This error provides valuable information by displaying the BlogPosting service signature, which you will use to configure the service access policy. 
    com.liferay.headless.delivery.internal.resource.v1_0.BlogPostingResourceImpl

Great! You've retrieved Clarity's blog posts and verified the required service signature.

Exercise: Creating Clarity's Blogs Service Access Policy

Here, you'll configure a service access policy to enable public access to the blog posting API endpoint for Clarity's dashboards.

  1. Signed in as the Clarity Admin on your Liferay instance, open the Global Menu (Global Menu), go to the Control Panel tab, and click Service Access Policy.

  2. Click New.

  3. Enter the following information for the new service access policy:

    • Name: BLOGS_POSTING_API_ACCESS
    • Enabled: True
    • Default: True
    • Title: Grants access to the BLOGS POSTING API requests

  4. Click Switch to Advanced Mode.

  5. Within Allowed Service Signatures, paste the previously identified service signature:

    com.liferay.headless.delivery.internal.resource.v1_0.BlogPostingResourceImpl

    Within Allowed Service Signatures, paste the previously identified service signature.

  6. Click Save.
    Now, you'll retry calling the REST API's request URL to simulate an API call from a dashboard.

  7. Open a new browser window in Incognito mode and navigate to the Request URL copied in the previous exercise.

    Open a new browser window in Incognito mode and navigate to the Request URL copied in the previous exercise.

You should now see a list of blog posts available to display within dashboards, as public access has been granted through the configured service access policy.

Exercise: Restricting Clarity's Secure Document Access with OAuth 2.0

Here, you'll register an OAuth 2.0 application to securely retrieve document data and display it with real-time updates within Clarity's dashboards.

  1. Signed in as the Clarity Admin on your Liferay instance, open the Global Menu (), go to the Control Panel tab, and click Roles.

  2. Create a new Regular Role called 'Headless API'.

    Create a new Regular Role called 'Headless API'.

  3. Assign the new Headless API Role to the Clarity Dashboard System Account user.

    Assign the new Headless API Role to the Clarity Dashboard System Account user.

    With a system user configured for testing purposes, you're ready to create an OAuth 2 application to read data on the user's behalf.

  4. Open the Global Menu (Global Menu), go to the Control Panel tab, and click OAuth 2 Administration.

  5. Click New.

  6. Fill out the following fields.

    Field Value
    Name Clarity Dashboard
    Website URL http://localhost:8080/
    Callback URIs http://localhost:8080/
    Client Authentication Method Client Secret Basic or Post
    Client Profile Web Application
    Allowed Authorization Types Client Credentials or JWT_BEARER
    Client Credentials User Clarity Dashboard System Account
     

    Fill out the following fields for the OAuth 2 application.

    NOTE
    The token's access permissions for the curl call are determined by the permissions of the user referenced in the Client Credentials User.

  7. Click Save.

  8. Click Edit for the Client Secret, and copy the displayed secret for use in a later step.

  9. Copy the Client ID for use in a later step.

  10. Click the Scopes tab.

  11. Select the LIFERAY.HEADLESS.DELIVERY service access policy.

  12. Check the read data on your behalf checkbox.

    Check the read data on your behalf checkbox.

  13. Click Save.
    Now, you're ready to grant permissions to the Headless API role to create tokens used in curl calls.

  14. Open the Global Menu (Global Menu), go to the Control Panel tab, and click OAuth 2 Administration.

  15. Click Actions (Actions) for Clarity Dashboard and select Permissions.

  16. Grant the Create Token permission for the Headless API role.

    Grant the Create Token permission for the Headless API role.

  17. Click Save.
    Next, you'll acquire the access token and test it with a curl command.

  18. Open a terminal window.

  19. In a terminal window, replace the CLIENT-ID and CLIENT-SECRET placeholder values with your own and execute the following command:
    Non-Windows

    curl -X POST -H "Content-Type: application/x-www-form-urlencoded" 'http://localhost:8080/o/oauth2/token?grant_type=client_credentials&client_id=[CLIENT-ID]&client_secret=[CLIENT-SECRET]'
    Windows 
    curl -X POST -H "Content-Type: application/x-www-form-urlencoded" --data "grant_type=client_credentials&client_id=[CLIENT-ID]&client_secret=[CLIENT-SECRET]" http://localhost:8080/o/oauth2/token

  20. Copy the returned access token. Example below:

    eyJ0eXAiOiJhdCtqd3QiLCJhbGciOiJSUzI1NiJ9.eyJqdGkiOiI3NGY1NzRjOWU3ZWE4NWRkZjViMjY0OTViZDVhZDMzNzg1ODU3YzRhZDVjOWVkYTFjYzkyOGJjM2JmMjlmNyIsImNsaWVudF9pZCI6ImlkLTU0MzNkNDQ5LTM2NTktYzkyNy01NDI5LThkOWRhMzMxMWQ4IiwiaWF0IjoxNzQxODk3NTkyLCJleHAiOjE3NDE4OTgxOTIsInN1YiI6IjIwMTIyIiwidXNlcm5hbWUiOiJjbGFyaXR5YWRtaW4iLCJpc3MiOiJsb2NhbGhvc3QiLCJzY29wZSI6IkxpZmVyYXkuT2JqZWN0LkFkbWluLlJFU1QuZXZlcnl0aGluZyBMaWZlcmF5LkhlYWRsZXNzLkRlbGl2ZXJ5LmV2ZXJ5dGhpbmciLCJncmFudF90eXBlIjoiY2xpZW50X2NyZWRlbnRpYWxzIn0.hQw3sAyJXcIPcvLKyG1MExwkvNyrpBNdaFI0FdGdhAK9SbGQvRimX_3ZLL93aY4-q3dvG1F_ryHWNw79zCIQrZmfOkWoZ_D2KI-g1pqHv2indZg2crtXTufFP4-PQNCpGSv7PeVXT5TRwLahkwiueHYOuzrq5RpNM1DFYEmAfIWu30fH1Nt03iJZNe6mQnKwDB7olBSwotvAuALLWhK-e5-3yPW3_UKXBq19rFSUCHcJirATyMVRaMgUP92QDY2Mo2Hpe9o0vpLATLO_fDtrgHp7NYMoZD6Zz01wmu9dgCjgezADtcB3yMmNuScPwcmYGTtfDRbJajz9pxv6T1Q_oQ
    NOTE
    This access authorization token acts as your credentials, granting permission to interact with the API.

  21. In your terminal, replace the SITE-ID and ACCESS_TOKEN placeholders and execute the following command:
    Non-Windows

    curl http://localhost:8080/o/headless-delivery/v1.0/sites/[SITE-ID]/documents \
    -H 'Authorization: Bearer [ACCESS_TOKEN]'
    Windows 
    curl http://localhost:8080/o/headless-delivery/v1.0/sites/[SITE-ID]/documents -H "Authorization: Bearer [ACCESS_TOKEN]"

Using the configured OAuth 2.0 application, you're able to receive document information securely through Liferay's headless APIs.

Conclusion

Great! You've successfully configured Clarity's API access by enabling public access for blog content and securing document data with OAuth2 authentication. This approach balances open access for public resources while enforcing security for restricted assets, keeping Clarity's integrations both accessible and protected.

Next, you'll learn how to consume the API in both frontend and backend contexts.

  • Exercise: Retrieving Clarity's Blogs with Headless APIs

  • Exercise: Creating Clarity's Blogs Service Access Policy

  • Exercise: Restricting Clarity's Secure Document Access with OAuth 2.0

  • Conclusion
Loading Knowledge

Capabilities

Product

Education

Contact Us

Connect

Powered by Liferay
© 2024 Liferay Inc. All Rights Reserved • Privacy Policy