
token-mediation
The token-mediation policy acts as a mediator for OAuth tokens by caching the token and exchanging it for a session cookie delivered via a Set-Cookie header. It enables clients to retrieve the cached token from the policy, or to have the policy set the HTTP Authorization header for OAuth resource access.
Gateway | Policy version |
---|---|
DataPower® API Gateway | 2.0.0 |
This topic describes how to configure the policy in the assembly user interface; for details on how to configure the policy in your OpenAPI source, see Token Mediation.
Prerequisites
Before using the token-mediation policy, ensure that distributed variable settings are enabled. Distributed variables allow you to read from or write to DataPower® facilities across transactions or domains. They serve as an alternative to system variables and must be enabled for the registration process to function end-to-end (E2E). For more details, see Configuring settings to manage distributed variables.
About
The token-mediation policy (token-mediation_2.0.0) serves as a mediator for OAuth tokens by caching the token received from an OAuth Token Endpoint and exchanging it for a session cookie, which is sent to the Client Application via a Set-Cookie header. Depending on the policy configuration, this session token can be used to (A) retrieve the original token from the cache or (B) instruct the policy to set the HTTP Authorization header for seamless access to resources on the Resource Server.
Properties
The following table lists the policy properties, indicates whether a property is required, specifies the valid and default values for input, and specifies the data type of the values.
Property label | Required | Description | Data type |
---|---|---|---|
title | No | The title of the policy. | string |
description | No | A description of the policy. | string |
cookie-name | Yes | The name of the session cookie returned to the client application. | string |
token-url | Yes | The URL of the OAuth provider's Token Endpoint. | string |
token-url-tls | No | The TLS profile used for connecting to the token-url. Note: The token-url-tls property is optional for this policy but may be required by the Token Endpoint; it is the responsibility of the policy user to determine whether it is needed. The value must match the exact DataPower object name. For TLS profiles created by API Connect, the DataPower object follows this naming convention: <provider-org>_<catalog>_<tls-profile-name>V<tls-profile-version>. Example: myorg_mycatalog_my-tls-profile1.0.0. | string |
auth-url | Yes | The URL of the OAuth provider's Authorization Endpoint. | string |
output | No | The output context that receives the Authorization header. Note: The output parameter plays a key role in policy behavior. When specified, the policy retrieves the Access Token Response from the cache, extracts the access token (if available), and sets the Authorization header in the designated output message context. If the output parameter is not specified, the policy writes the Access Token Response to the message context and sets the Content-Type header to application/json. | string |
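The two behaviors described above, caching the Token Endpoint response behind a session cookie and then either setting the Authorization header (output specified) or returning the cached Access Token Response as JSON (output not specified), modelled as an added example. This is illustrative code, not DataPower or API Connect code; the sample token response, the default context name "message", the cookie parsing, and returning None for an unknown session cookie are assumptions.

```python
import json
import secrets

# Constructed stand-in for an Access Token Response received from the Token Endpoint.
SAMPLE_TOKEN_RESPONSE = {"access_token": "constructed-access-token",
                         "token_type": "Bearer", "expires_in": 3600}


def cookie_value(cookie_header, name):
    """Return the value of cookie `name` from a Cookie request header, or None."""
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None


class TokenMediator:
    """Model of the token-mediation flow; `output` mirrors the policy's output property."""

    def __init__(self, cookie_name, output=None):
        self.cookie_name = cookie_name   # cookie-name property
        self.output = output             # output property (optional)
        self._cache = {}                 # session id -> cached token response

    def cache_token(self, token_response):
        """Cache the Token Endpoint response and return the Set-Cookie header for the client."""
        session_id = secrets.token_urlsafe(32)   # unguessable, so the cookie cannot be forged
        self._cache[session_id] = dict(token_response)
        return {"Set-Cookie": f"{self.cookie_name}={session_id}"}

    def mediate(self, cookie_header):
        """Handle a later client request carrying the session cookie."""
        token_response = self._cache.get(cookie_value(cookie_header, self.cookie_name))
        if token_response is None:
            return None   # assumption: unknown or missing session cookie yields no output
        if self.output:
            # (B) output specified: extract the access token, if any, and set Authorization
            # in the designated output context.
            token = token_response.get("access_token")
            headers = {"Authorization": f"Bearer {token}"} if token else {}
            return {"context": self.output, "headers": headers, "body": None}
        # (A) output not specified: write the Access Token Response to the message context.
        return {"context": "message",
                "headers": {"Content-Type": "application/json"},
                "body": json.dumps(token_response)}
```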