You can use the Retrieve OAuth Client Access Token from Token Storage filter to retrieve a stored access token from a client access token store.
Tokens received from OAuth providers are stored in a Client Access Token Store. You can configure client access token stores under the Libraries > OAuth2 Stores node in the Policy Studio tree view. Similar to an Access Token Store, this store can be backed by an API Gateway cache (default), a Relational Database Management System (RDBMS), or the embedded Apache Cassandra database. (For more details, see the section called “Manage access tokens and authorization codes”.)
A configured token store is associated with an OAuth provider (see the section called “Add OAuth 2.0 provider”) and is shared by all client applications registered with that provider.
This filter retrieves stored tokens for the OAuth2 provider profile that you specify (the client application registered with a provider). Stored tokens are indexed by the client ID of the client application and the authentication subject ID of the current user. If authentication.subject.id is not available, the client ID is used for both indexes. This is valid for grant types that treat the client application as the resource owner, that is, client credentials, JWT, and SAML (when no resource owner is specified).
If a valid token is found by this filter, it is placed on the message board as oauth.client.accesstoken, and the filter passes. If the token is expired, or there is no token found, the filter fails (expired tokens are still placed on the message board). The fail path can be used to refresh an expired token or start the process of requesting a token.
The client application is also placed on the message board, under the attribute name oauth.client.application, for use in subsequent filters.
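The indexing and pass/fail rules described above, modelled as an added Python example (not Axway code). The store class, function names and sample values are constructed for illustration, and setting oauth.client.application on the fail path as well is an assumption.

```python
import time
from dataclasses import dataclass


@dataclass
class StoredToken:
    value: str
    expires_at: float  # epoch seconds


class ClientAccessTokenStore:
    """Hypothetical in-memory stand-in for a client access token store."""

    def __init__(self):
        self._tokens = {}

    @staticmethod
    def _key(client_id, subject_id):
        # With no authenticated subject, the client ID is used for both indexes,
        # so every caller of that application resolves to the same entry.
        return (client_id, subject_id or client_id)

    def save(self, client_id, subject_id, token):
        self._tokens[self._key(client_id, subject_id)] = token

    def find(self, client_id, subject_id):
        return self._tokens.get(self._key(client_id, subject_id))


def retrieve_token(store, client_app, message, now=None):
    """Model of the filter: True means pass, False means fail path."""
    now = time.time() if now is None else now
    # Assumption: the application is made available on both paths.
    message["oauth.client.application"] = client_app
    subject = message.get("authentication.subject.id")
    token = store.find(client_app["client_id"], subject)
    if token is None:
        return False  # fail path: start requesting a token
    # An expired token is still placed on the message board,
    # so the fail path can use it to drive a refresh.
    message["oauth.client.accesstoken"] = token
    return token.expires_at > now


def build_sample_store(now):
    """Constructed sample data: one valid, one expired, one client-owned token."""
    store = ClientAccessTokenStore()
    store.save("app1", "alice", StoredToken("tok-alice", now + 3600))
    store.save("app1", "bob", StoredToken("tok-bob", now - 60))
    store.save("app1", None, StoredToken("tok-app", now + 3600))
    return store
```

Because the key collapses to the client ID when no subject is present, a policy that expects per-user tokens should check that authentication.subject.id is set before this lookup runs.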