Authentication URL user registry
You can use an Authentication URL user registry to specify a REST authentication service that manages user authentication, and optionally provides additional metadata to be embedded in the token.
- Providing the authenticated credential to IBM® API Connect. For example, the user logs in with user name: spoon, and password: fork. When the user is authenticated, the credential becomes cn=spoon,o=eatery. The credential is kept in the OAuth access_token to represent the user.
- Providing metadata support. Allow extra metadata to be stored in the
- Overriding the scope that the application receives after successful OAuth protocol processing. By responding with a specific header, the Authentication URL endpoint can replace the scope value that the application receives. For example, you can provide a specific resource owner an account number within the scope header response for use in future processing steps.
When you call the Authentication URL user registry, the API Connect gateway sends a GET request with HTTP headers and then processes any HTTP response from the URL. For authentication, a REST authentication service is expected at the Authentication URL.
cn=spoon,o=eatery as the user identity.

    HTTP/1.1 200 OK
    Server: example.org
    X-API-Authenticated-Credential: cn=spoon,o=eatery
For information on how to configure a User Security policy in an API assembly for use with an Authentication URL user registry, see User Security policy.
For an example of an OAuth provider configuration that uses an Authentication URL user registry, see Example - using multiple OAuth policies in an OAuth provider assembly.
API Connect considers any non-200 HTTP response code a failed user authentication attempt.
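The following sketch of a REST authentication service is an added example, not IBM's code. It returns the X-API-Authenticated-Credential header on success and a non-200 status on every failure path. It assumes the gateway forwards the user's credentials in an HTTP Basic Authorization header, which this page does not state; the user table, salt, realm and port are constructed.

```python
import base64, hashlib, hmac
from http.server import BaseHTTPRequestHandler, HTTPServer

SALT = b"constructed-demo-salt"  # constructed; use a random per-user salt in practice

def _kdf(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

# Constructed sample directory: login name -> (credential DN, password hash).
USERS = {"spoon": ("cn=spoon,o=eatery", _kdf("fork"))}
DUMMY = _kdf("placeholder-for-unknown-users")

def authenticate(authorization):
    """Map an Authorization header value to (status, response headers)."""
    deny = (401, {"WWW-Authenticate": 'Basic realm="authurl"'})
    if not authorization or not authorization.startswith("Basic "):
        return deny
    try:
        decoded = base64.b64decode(authorization[6:], validate=True).decode("utf-8")
    except ValueError:  # bad base64 or bytes that are not UTF-8
        return deny
    user, sep, password = decoded.partition(":")
    if not sep:
        return deny
    dn, stored = USERS.get(user, (None, DUMMY))
    # Run the KDF and a constant-time compare even for unknown users,
    # so response timing does not reveal which login names exist.
    ok = hmac.compare_digest(_kdf(password), stored)
    if dn is None or not ok:
        return deny
    # The DN comes from the server-side directory, never from request input,
    # so a caller cannot choose the identity placed in the token.
    return 200, {"X-API-Authenticated-Credential": dn}

class AuthHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, headers = authenticate(self.headers.get("Authorization"))
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", "0")
        self.end_headers()

if __name__ == "__main__":
    # Loopback only for local testing; serve over TLS in any real deployment.
    HTTPServer(("127.0.0.1", 8080), AuthHandler).serve_forever()
```

Because the gateway treats only a 200 as success, every malformed or unexpected input is mapped to the same 401 rather than to an error page that might be returned with a 200.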
scope from the application. For more information, see Scope. The response header is: