I am trying to understand how much manual work I need to do vs how much automated logic is built with OutSystems when it comes to consuming REST APIs that are protected by a custom OAuth 2.0 authoriser.

Here is the situation: We have a bunch of REST APIs deployed on AWS API Gateway and we are using a Custom Authoriser. The Authoriser protects access to each API endpoint. The Authoriser expects a Bearer token to be included in each request before granting access to the API endpoint. The Bearer token is generated when the user supplies a Basic auth header with username and password.

Without using OutSystems, the web app/mobile app would typically submit this Bearer token with every request to the REST API. But with OutSystems, how does this work? Do I have to manually create the 'Authorization' header and submit the Bearer token on every single request? Or does OutSystems handle this behind the scenes for me (given that OutSystems is a low-code platform)?

I have followed the documentation: https://success.outsystems.com/Documentation/10/Extensibility_and_Integration/REST/Consume_REST_APIs/Consume_a_REST_API

But it only goes as far as explaining how to submit the username and password in the Basic Auth header, with no mention whatsoever of how OutSystems handles subsequent requests when calling the REST API and how it handles expiry of the Bearer token.

Does anyone have some guidelines or documentation?

Is my expectation that OutSystems handles a lot of that for me behind the scenes sensible, or am I expecting too much? Do I have to handle token submission and expiration manually?


In the implementation I had, I had to request the token manually and place the token in the header with the prefix "Bearer" for each request that requires it. An action that wraps the API could do the tracking of expiry and the requesting of a new token.

Though this blog post is for an OAuth2 provider, the topic "The Token Request, Refresh, and Validate" should give you an idea about API consumption.

First check whether the Bearer token is the same for all the APIs or each API needs a different Bearer token.

If the token is the same, then check after what interval it expires.

If it expires after # hours and it is the same for all the APIs, store that somewhere in a site property or the DB (recommended).

Then check in which format your API needs the token; you need to send that token in your header whenever you call the API.

Thank you @John & @Suraj for your feedback and input.

So I guess the solution is as I was expecting, which is to track and supply the token manually rather than delegating this task to the OutSystems platform.