[V5.0.5 or later]

Authentication URL

You can use an Authentication URL to specify a REST authentication service that manages user authentication, and optionally provide additional metadata to be embedded in the token.

This support can optionally enable any of the following:
  • Provide the authenticated credential to API Connect. For example, the user logs in with user name: spoon, and password: passw0rd. When the user is authenticated, the credential becomes cn=spoon,o=eatery. The credential is kept in the OAuth access_token to represent the user.
  • Provide metadata support. Allow extra metadata to be kept in the access_token.
  • [V5.0.7 or later] Override the scope that the application receives after successful OAuth protocol processing. By responding with a specific header, the Authentication URL endpoint can replace the scope value that the application receives. For example, you can provide a specific resource owner an account number within the scope header response for use in future processing steps.

When you call the Authentication URL, the API Connect gateway sends a GET request with HTTP headers and then processes any HTTP response from the URL. For authentication, a REST authentication service is expected at the Authentication URL.

The following response from the REST authentication service indicates that user authentication is successful and that API Connect will use cn=spoon,o=eatery as the user identity.
HTTP/1.1 200 OK
Server: example.org
API-Authenticated-Credential: cn=spoon,o=eatery

API Connect considers any non-200 HTTP response code a failed user authentication attempt.

[V5.0.6 or later] When the Authentication URL is invoked, two HTTP response headers are available that include metadata in the access token or in the response payload that contains the access token. For more information, see [V5.0.6 or later] OAuth metadata URL and authentication URL. The two metadata response headers are:
  • API-OAUTH-METADATA-FOR-ACCESSTOKEN
  • API-OAUTH-METADATA-FOR-PAYLOAD

[V5.0.7 or later] From version 5.0.7.3 onward, when the Authentication URL is invoked, an HTTP response header is available to override the scope requested by the application. For more information, see OAuth scope. The response header is:
  • x-selected-scope

[Diagram: how the Authentication URL works]
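The following is an added example of a minimal REST authentication service that follows the contract described above; it is not code from IBM API Connect or its documentation. It assumes that the gateway forwards the user's credentials in a Basic Authorization header, that the metadata header values are free-form strings, and that the user store, the salt and the account number ACCT-0001 are constructed demo data. Every failed or malformed request gets a 401 with no body and no headers, because the gateway treats any non-200 status as a failed authentication, and returning nothing avoids leaking whether the user exists.

```python
import base64
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Constructed demo data: a static salt and a password hashed with PBKDF2.
# A real service would keep per-user salts in its user directory.
_SALT = b"constructed-demo-salt"


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 100_000)


USERS = {
    "spoon": {
        "password_hash": _hash_password("passw0rd"),
        "credential": "cn=spoon,o=eatery",   # value the page uses as the user identity
        "account_number": "ACCT-0001",        # constructed, used for the scope override
    },
}


def basic_auth_header(user: str, password: str) -> Dict[str, str]:
    """Build the request header the gateway is assumed to forward."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": "Basic " + token}


def _parse_basic_auth(headers: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (user, password) from a Basic Authorization header, or None if malformed."""
    scheme, _, param = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not param:
        return None
    try:
        decoded = base64.b64decode(param, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def handle_auth_request(headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Handle the gateway's GET. Returns (HTTP status, response headers)."""
    creds = _parse_basic_auth(headers)
    if creds is None:
        return 401, {}
    user, password = creds
    record = USERS.get(user)
    # Always run the hash and a constant-time compare, even for unknown users,
    # so response timing does not reveal which user names exist.
    expected = record["password_hash"] if record else _hash_password("")
    if not hmac.compare_digest(_hash_password(password), expected) or record is None:
        return 401, {}
    return 200, {
        # Identity the gateway embeds in the access_token.
        "API-Authenticated-Credential": record["credential"],
        # Metadata kept in the token and in the token response payload (assumed format).
        "API-OAUTH-METADATA-FOR-ACCESSTOKEN": f"account={record['account_number']}",
        "API-OAUTH-METADATA-FOR-PAYLOAD": f"user={user}",
        # Scope override (5.0.7.3 and later): bind the grant to this owner's account.
        "x-selected-scope": f"read account:{record['account_number']}",
    }


def wsgi_app(environ, start_response):
    """Thin WSGI wrapper so the handler can be served by any WSGI server."""
    headers = {"Authorization": environ.get("HTTP_AUTHORIZATION", "")}
    status, resp_headers = handle_auth_request(headers)
    reason = "OK" if status == 200 else "Unauthorized"
    start_response(f"{status} {reason}", list(resp_headers.items()))
    return [b""]


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    # Listen locally only; put TLS and network controls in front of this in a deployment.
    make_server("127.0.0.1", 8080, wsgi_app).serve_forever()
```

Run the module to expose the service on 127.0.0.1:8080 and point an Authentication URL at it; the handler itself is a pure function over request headers, which keeps it easy to unit-test and to place behind TLS termination.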