OAuth Access Token Information

Overview

The OAuth 2.0 Access Token Information filter is used to return a JSON description of the specified OAuth 2.0 access token. OAuth access tokens are used to grant access to specific resources in an HTTP service for a specific period of time (for example, photos on a photo sharing website). This enables users to grant third-party applications access to their resources without sharing all of their data and access permissions.

An OAuth access token can be sent to the Resource Server to access the protected resources of the Resource Owner (user). This token is a string that denotes a specific scope, lifetime, and other access attributes. For details on supported OAuth flows, see API Gateway OAuth 2.0 Authentication Flows.

Access Token Info Settings

Configure the following fields on this tab:

Token to verify can be found here:

Click the browse button to select the location of the access token to verify (for example, in the default OAuth Access Token Store). To add a store, right-click Access Token Stores, and select Add Access Token Store. You can store tokens in a cache, in a relational database, or in an embedded Cassandra database. For more details, see the section called “Managing Access Tokens and Authorization Codes”.

Where to get access token from?:

Select one of the following:

  • In Query String:

    This is the default setting. The token is read from the access_token query-string parameter by default.

  • In a selector:

    Defaults to the ${http.client.getCgiArgument('access_token')} selector. For more details on API Gateway selectors, see the API Gateway User Guide.

Monitoring

The settings on this tab configure service-level monitoring options such as whether to store usage metrics data to a database. This information can be used by the web-based API Gateway Manager tool to display service use, and by the API Gateway Analytics tool to produce reports on how the service is used.

  • Monitor service usage:

    Select this option if you want to store message metrics for this service.

  • Monitor service usage per client:

    Select this option if you want to generate reports monitoring which authenticated clients are calling which services.

  • Monitor client usage:

    If you want to generate reports on authenticated clients, but are not interested in which services they are calling, select this option and deselect Monitor service usage per client.

  • Which attribute is used to identify the client?:

    Enter the message attribute to use to identify authenticated clients. The default is authentication.subject.id, which stores the identifier of the authenticated user (for example, the username or user's X.509 Distinguished Name).

  • Composite Context:

    This setting enables you to select a service context as a composite context in which multiple service contexts are monitored during the processing of a message. This setting is not selected by default.

    For example, the API Gateway receives a message, and sends it to serviceA first, and then to serviceB. Monitoring is performed separately for each service by default. However, you can set a composite service context before serviceA and serviceB that includes both services. This composite service passes if both services complete successfully, and monitoring is also performed on the composite service context.

Advanced

The settings on this tab include the following:

Return additional Access Token parameters:

Click Add to return additional access token parameters, and enter the Name and Value in the dialog. For example, you could enter Department in Name, and the following selector in Value:

${accesstoken.getAdditionalInformation().get("Department")}
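The following is an added illustration of the data flow this filter implements, covering both the "Where to get access token from?" setting and the "Return additional Access Token parameters" setting above. It is not API Gateway code: the token store is an in-memory dictionary standing in for the OAuth Access Token Store, the query-string extraction models the default access_token parameter that the ${http.client.getCgiArgument('access_token')} selector reads, and the JSON field names (active, client_id, sub, scope, exp) are assumptions chosen for the example, since this page does not describe the filter's output format. The token values and the Department entry are constructed sample data.

```python
"""
Constructed model of an OAuth 2.0 access token information lookup.

Added example, not API Gateway code. It mirrors three parts described
on this page:
  1. a token store (an in-memory dict standing in for the OAuth Access
     Token Store),
  2. extraction of the token from the request query string (the default
     access_token parameter, which the
     ${http.client.getCgiArgument('access_token')} selector also reads),
  3. a JSON description of the token, extended with additional-information
     parameters such as Department, as configured on the Advanced tab.
JSON field names are assumptions for this example, not the filter's
documented format.
"""
import json
import time
from urllib.parse import parse_qs, urlsplit

# Constructed token store. Each entry carries the attributes the overview
# mentions (scope, lifetime) plus a free-form additional-information map.
TOKEN_STORE = {
    "tok-active-1234": {
        "client_id": "photo-app",
        "subject": "alice",
        "scope": ["photos:read"],
        "expires_at": 4_102_444_800,   # 2100-01-01, far in the future
        "additional": {"Department": "Engineering"},
    },
    "tok-expired-5678": {
        "client_id": "photo-app",
        "subject": "bob",
        "scope": ["photos:read", "photos:write"],
        "expires_at": 946_684_800,     # 2000-01-01, long expired
        "additional": {},
    },
}


def token_from_query_string(url, param="access_token"):
    """Return the token carried in the given query parameter, or None.

    Models the default 'In Query String' setting. A request that repeats
    the parameter is rejected rather than silently picking one value.
    """
    values = parse_qs(urlsplit(url).query).get(param, [])
    if len(values) != 1:
        return None
    return values[0] or None


def token_info(token, store=TOKEN_STORE, extra_params=(), now=None):
    """Describe a token as a JSON-serialisable dict.

    extra_params lists additional-information keys to copy into the
    response, the way Name/Value entries on the Advanced tab do. Unknown
    and expired tokens both yield {"active": False} and nothing else, so
    the response does not reveal whether the token ever existed.
    """
    now = time.time() if now is None else now
    entry = store.get(token) if token else None
    if entry is None or entry["expires_at"] <= now:
        return {"active": False}
    info = {
        "active": True,
        "client_id": entry["client_id"],
        "sub": entry["subject"],
        "scope": " ".join(entry["scope"]),
        "exp": entry["expires_at"],
    }
    for name in extra_params:
        # Equivalent of ${accesstoken.getAdditionalInformation().get(name)}
        value = entry["additional"].get(name)
        if value is not None:
            info[name] = value
    return info


def handle_request(url, extra_params=("Department",), now=None):
    """Full pipeline: extract the token from the URL, look it up, emit JSON."""
    token = token_from_query_string(url)
    return json.dumps(token_info(token, extra_params=extra_params, now=now),
                      sort_keys=True)


if __name__ == "__main__":
    for u in (
        "https://gateway.example/tokeninfo?access_token=tok-active-1234",
        "https://gateway.example/tokeninfo?access_token=tok-expired-5678",
        "https://gateway.example/tokeninfo?access_token=unknown",
        "https://gateway.example/tokeninfo",
    ):
        print(u, "->", handle_request(u))
```

Two design points carry over to the real filter. First, an unknown token and an expired token produce the same minimal response, so a caller cannot use the endpoint to distinguish revoked or expired tokens from ones that never existed. Second, a token carried in the query string is written to access logs and proxy logs along with the rest of the URL; where the deployment can deliver the token in another part of the request, the "In a selector" option lets you point the filter at that location instead of the default access_token parameter.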