Validate Access Token

Overview

The OAuth 2.0 Validate Access Token filter is used to validate a specified access token contained in persistent storage. OAuth access tokens are used to grant access to specific resources in an HTTP service for a specific period of time (for example, photos on a photo sharing website). This enables users to grant third-party applications access to their resources without sharing all of their data and access permissions.

For more details on supported OAuth flows, see API Gateway OAuth 2.0 Authentication Flows.

Configuration

Configure the following fields on this tab:

Name:

Enter a suitable name for this filter.

Verify access token is in cache:

Click the browse button to select the cache in which to verify the access token (for example, the default OAuth Access Token Store). To add an access token store, right-click Access Token Stores, and select Add Access Token Store. You can store tokens in a cache, in a relational database, or in an embedded Cassandra database. For more details, see the section called “Managing Access Tokens and Authorization Codes”.

Location of access token:

Select one of the following:

  • In Authorization Header with prefix:

    The access token is in the Authorization header with the selected prefix. Defaults to Bearer. This is the default option.

  • In query string/form body with name:

    The access token is in the HTTP query string or form body parameter with the name specified in the text box.

  • In Attribute:

    The access token is in the API Gateway message attribute specified in the text box.

Validate Scopes:

Select one of the following options to configure how access tokens are accepted based on the validation of specified OAuth scopes:

  • Get scopes from list:

    Select whether scopes match Any or All of the configured scopes in the table, and click Add to add an OAuth scope. The default scopes are found in ${http.request.uri}.

  • Get scopes by calling policy:

    Select a pre-configured policy to get the scopes, and enter the attribute that stores the scopes in the "Scopes required to access the resource are stored in the attribute" text box. Defaults to ${scopes.required}.

    Because the access token is in a message attribute on the whiteboard, you can use this policy to get the scopes for the access token and validate them against a scope list. In the event of a scope validation failure, you can set the ${scopes.required} message attribute. This ensures that the end-user sees a list of required scopes to access the resource in the response.

For example, the default scopes used in the OAuth demos are as follows:

https://localhost:8090/auth/user.photos
https://localhost:8090/auth/userinfo.email
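The following is an added illustration of the two checks this filter performs: locating the token in one of the three supported places (Authorization header with a prefix, query string/form body parameter, message attribute) and then validating the token's scopes against a required list with Any or All semantics. It is example code written for this page, not API Gateway's own implementation. The token store, messages, token values and the locate_token/validate function names are constructed for the example; only the two demo scope URIs come from the page. Unknown and expired tokens are rejected before scopes are considered, and on a scope failure the function returns the list the filter would place in ${scopes.required}.

```python
"""Added example: locate an OAuth 2.0 access token in a request and
validate its scopes, mirroring the Validate Access Token filter options.
Not API Gateway's code; token store and messages below are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs


@dataclass
class StoredToken:
    """What the access token store holds for one token (constructed shape)."""
    scopes: set
    expires_at: datetime


@dataclass
class Message:
    """Minimal stand-in for an API Gateway message (constructed)."""
    headers: dict = field(default_factory=dict)
    query_string: str = ""
    form_body: str = ""
    attributes: dict = field(default_factory=dict)


# Constructed clock and token store standing in for the OAuth Access Token Store.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
PHOTOS = "https://localhost:8090/auth/user.photos"
EMAIL = "https://localhost:8090/auth/userinfo.email"
TOKEN_STORE = {
    "tok-photos": StoredToken({PHOTOS}, NOW + timedelta(hours=1)),
    "tok-both": StoredToken({PHOTOS, EMAIL}, NOW + timedelta(hours=1)),
    "tok-expired": StoredToken({PHOTOS}, NOW - timedelta(minutes=1)),
}


def locate_token(msg, location, name="Bearer"):
    """Return the raw token string or None, following the three
    'Location of access token' options: header prefix, query/form name,
    or message attribute name."""
    if location == "header":
        scheme, _, value = msg.headers.get("Authorization", "").partition(" ")
        # The auth scheme is case-insensitive; an absent or different prefix is a miss.
        if scheme.lower() != name.lower():
            return None
        return value.strip() or None
    if location == "query":
        # Look in the query string first, then the form body, under the same name.
        for raw in (msg.query_string, msg.form_body):
            values = parse_qs(raw).get(name)
            if values:
                return values[0]
        return None
    if location == "attribute":
        return msg.attributes.get(name)
    raise ValueError(f"unknown token location {location!r}")


def validate(msg, location, name, required, match="all", now=NOW):
    """Return (accepted, scopes_required).

    scopes_required is the sorted list the filter would set in
    ${scopes.required} when scope validation fails; it is empty on
    success or when the token itself is missing, unknown or expired."""
    token = locate_token(msg, location, name)
    if token is None:
        return False, []
    stored = TOKEN_STORE.get(token)
    if stored is None or stored.expires_at <= now:
        return False, []
    required = set(required)
    if match == "all":
        ok = required <= stored.scopes          # every required scope granted
    elif match == "any":
        ok = bool(required & stored.scopes)     # at least one required scope granted
    else:
        raise ValueError(f"match must be 'all' or 'any', got {match!r}")
    return ok, ([] if ok else sorted(required))


if __name__ == "__main__":
    msg = Message(headers={"Authorization": "Bearer tok-photos"})
    print(validate(msg, "header", "Bearer", [PHOTOS, EMAIL], "all"))
    print(validate(msg, "header", "Bearer", [PHOTOS, EMAIL], "any"))
```

With the constructed store, a token granted only user.photos fails an All check against both demo scopes (and the two scopes are returned for ${scopes.required}) but passes an Any check; the expired and unknown tokens are refused before any scope comparison.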