oauth

Use the oauth policy to perform OAuth processing based on the settings of a defined OAuth provider.

Gateway support

Table 1. Gateways that support this policy, and the corresponding policy version

| Gateway | Policy version |
|---|---|
| DataPower® API Gateway | 2.0.0 |

This topic describes how to configure the policy in your OpenAPI source; for details on how to configure the policy in the assembly user interface, see OAuth.

About

The oauth policy has the following format:
- oauth:
    version: version
    title: title
    description: description
    oauth-provider-settings-ref:
      .
      .
      .
      references_to_oauth_settings
      .
      .
      .
    supported-oauth-components:
      - oauth_component_1
      - oauth_component_2
      .
      .
      .
Note: You add an oauth policy to the OpenAPI source in a native OAuth provider. For more information, see the following topics:

Properties

Table 2. oauth policy properties

| Property | Required | Description | Data type |
|---|---|---|---|
| version | Yes | The policy version number. | string |
| title | No | A title for the policy. | string |
| description | No | A description of the policy. | string |
| oauth-provider-settings-ref: default | Yes | The name of an existing OAuth provider that defines the required settings. | string |
| oauth-provider-settings-ref: url | No | A URL to a document that contains serialized XML or JSON properties that define OAuth token generation settings. A URL reference takes precedence over any existing literal configuration or object reference. | string |
| oauth-provider-settings-ref: literal | No | A literal string that contains serialized XML or JSON properties that define OAuth token generation settings. A literal configuration takes precedence over any existing object reference. | string |
| supported-oauth-components | Yes | The OAuth components that are supported by this policy; specify one or more of the components listed below. | string |

The supported-oauth-components property accepts the following values:
- OAuthValidateRequest: validates the authorization request from the client.
- OAuthGenerateAZCode: generates the authorization code for the client, which represents the resource owner's authorization that grants access to the requested resource.
- OAuthVerifyAZCode: verifies the authorization code from the client.
- OAuthVerifyRefreshToken: verifies the refresh token that is presented by the client.
- OAuthCollectMetadata: collects metadata about a client for later user interaction.
- OAuthGenerateAccessToken: generates the access token for the client when the authorization code or refresh token is verified.
- OAuthIntrospectToken: introspects the token to determine its state and, when active, its metadata.

Overriding default OAuth provider settings

You can use either the literal property or the url property to dynamically override any of the OAuth provider configuration settings defined by the provider named in the default property.

For example, to override the access token expiration time with a value of 200 seconds, include the following configuration in either the literal string or the document at the specified URL:
<OAuthProviderSettings><APICAccessTokenTTL>200</APICAccessTokenTTL></OAuthProviderSettings>

For a list of all OAuth provider settings, refer to the OAuthProviderSettings management schema, defined in the xml-mgmt.xsd file located in the store: directory on the DataPower API Gateway.
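The following policy definition is an added example, not one of the page's own, that combines a default provider reference with the access token TTL override described above. The provider name my-oauth is the one used in the page's own example; the title, description and the commented-out URL are assumed placeholders.

```yaml
- oauth:
    version: 2.0.0
    title: my-oauth-policy-with-ttl-override   # assumed title
    description: Uses provider my-oauth, with the access token TTL overridden to 200 seconds
    oauth-provider-settings-ref:
      # Base configuration: an OAuth provider named my-oauth must already exist.
      default: my-oauth
      # Literal override: serialized XML that replaces only the settings it names
      # (here APICAccessTokenTTL). It takes precedence over the settings of my-oauth.
      literal: '<OAuthProviderSettings><APICAccessTokenTTL>200</APICAccessTokenTTL></OAuthProviderSettings>'
      # A url reference would take precedence over both literal and default.
      # The address below is an assumed placeholder, not a real endpoint.
      # url: https://config.example.com/oauth-settings.xml
    supported-oauth-components:
      - OAuthValidateRequest
      - OAuthGenerateAZCode
      - OAuthVerifyAZCode
      - OAuthGenerateAccessToken
```

Because the literal and url properties override whatever the named provider defines, treat them as security-sensitive configuration: review any TTL or similar value they set as carefully as the provider itself, and serve a url-referenced document only from a source whose integrity the gateway can trust, since its contents silently win over both the literal string and the provider defaults.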

If you are using the API Manager user interface, the connection details are determined by the API Manager URL that you open, and the user ID with which you log in. If you are using the API Designer user interface, you provide the management server details and user ID in the login window that opens when you first launch API Designer; see Logging into API Designer.

oauth policy example

- oauth:
    version: 2.0.0
    title: my-oauth-policy
    oauth-provider-settings-ref:
      default: my-oauth
    supported-oauth-components:
      - OAuthGenerateAZCode
      - OAuthGenerateAccessToken
      - OAuthIntrospectToken
      - OAuthVerifyAZCode
      - OAuthVerifyRefreshToken