DataPower API Gateway only

Token Mediation

The Token Mediation policy acts as a mediator for OAuth tokens by caching the token and exchanging it for a session cookie delivered via a Set-Cookie header. Clients can then either retrieve the cached token from the policy or have the policy set the HTTP Authorization header for OAuth resource access on their behalf.

Table 1. Gateway support

Gateway                 | Policy version
DataPower® API Gateway  | 2.0.0

Note: The Token Mediation policy works only with the DataPower API Gateway. The DataPower firmware version that the API Gateway runs on must be LTS 10.6.0.0 (or later) or CD firmware release 10.6.3 (or later).

This topic describes how to configure the policy in the assembly user interface; for details on how to configure the policy in your OpenAPI source, see token-mediation.

Prerequisites

Before using the Token Mediation policy, ensure that distributed variable settings are enabled. Distributed variables allow you to read from or write to DataPower® facilities across transactions or domains. They serve as an alternative to system variables and must be enabled for the policy's registration process to work end-to-end (E2E). For more details, see Configuring settings to manage distributed variables.

About

The Token Mediation policy (token-mediation_2.0.0) serves as a mediator for OAuth tokens by caching the token received from an OAuth Token Endpoint and exchanging it for a session cookie, which is sent to the Client Application via a Set-Cookie header. Depending on the policy configuration, this session token can be used to (A) retrieve the original token from the cache or (B) instruct the policy to set the HTTP Authorization header for seamless access to resources on the Resource Server.

Properties

The following table lists the policy properties, indicates whether a property is required, specifies the valid and default values for input, and specifies the data type of the values.

Table 2. Token Mediation policy properties

Property label              | Required | Description                                                      | Data type
Title                       | No       | The title of the policy.                                         | string
Description                 | No       | A description of the policy.                                     | string
Cookie Name                 | Yes      | The name of the session cookie returned to the client application. | string
Token Endpoint URL          | Yes      | The URL of the OAuth provider's Token Endpoint.                  | string
Token Endpoint TLS Profile  | No       | The TLS profile used for connecting to the Token Endpoint URL. See note 1. | string
Authorization Endpoint URL  | Yes      | The URL of the OAuth provider's Authorization Endpoint.          | string
Output                      | No       | The output context that receives the Authorization header. See note 2. | string

Note 1 (Token Endpoint TLS Profile): This property is optional for the policy but may be required by the Token Endpoint; it is the responsibility of the policy user to determine whether it is needed. The value must match the exact DataPower object name. For TLS profiles created by API Connect, the DataPower object follows the naming convention <provider-org>_<catalog>_<tls-profile-name>V<tls-profile-version>, for example myorg_mycatalog_my-tls-profileV1.0.0.

Note 2 (Output): The output parameter determines how the policy behaves. When it is specified, the policy retrieves the Access Token Response from the cache, extracts the access token (if available), and sets the Authorization header in the designated output message context. When it is not specified, the policy writes the Access Token Response to the message context and sets the Content-Type header to application/json.
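The two behaviours described above (the exchange of a cached Access Token Response for an opaque session cookie, and the "Output specified" versus "Output not specified" paths) are easier to reason about as a small model. The following Python is an added illustration written for this page; it is not the DataPower implementation and does not reproduce its internals. The in-memory cache, the way the session identifier is generated, the context names, and the cookie attributes (Secure, HttpOnly, SameSite) are all assumptions made here; the page does not state which cookie attributes the policy sets, so check the gateway's actual Set-Cookie header rather than relying on this model.

```python
import secrets
import json
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Message:
    """A minimal stand-in for a gateway message context: headers plus a body."""
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


def parse_cookie(cookie_header: str, name: str) -> Optional[str]:
    """Return the value of cookie `name` from a Cookie request header, or None."""
    for part in cookie_header.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        if key == name:
            return value
    return None


class TokenMediator:
    """Illustrative model (assumption, not DataPower code) of the Token Mediation policy.

    The client never sees the OAuth token after mediation; it only holds an
    opaque session cookie that indexes the cached Access Token Response.
    """

    def __init__(self, cookie_name: str):
        self.cookie_name = cookie_name
        self._cache: Dict[str, dict] = {}  # session id -> Access Token Response (assumed in-memory)

    def mediate_token_response(self, token_response: dict) -> Message:
        """Cache the Token Endpoint response and hand the client only a session cookie."""
        # Unguessable identifier: the cookie value must not be derivable from the token.
        session_id = secrets.token_urlsafe(32)
        self._cache[session_id] = dict(token_response)
        out = Message()
        # Cookie attributes are an assumption of this model; verify what the gateway really sets.
        out.headers["Set-Cookie"] = (
            f"{self.cookie_name}={session_id}; Secure; HttpOnly; SameSite=Strict"
        )
        return out

    def resolve(self, request: Message, output: Optional[str] = None) -> Optional[Dict[str, Message]]:
        """Look up the session cookie and populate a context according to `output`.

        Returns a mapping of context name -> Message, or None if the session is unknown.
        """
        session_id = parse_cookie(request.headers.get("Cookie", ""), self.cookie_name)
        cached = self._cache.get(session_id) if session_id else None
        if cached is None:
            return None  # unknown or expired session: nothing is mediated

        if output:
            # Output specified: extract the access token and set Authorization in that context.
            ctx = Message()
            token = cached.get("access_token")
            if token is not None:
                token_type = cached.get("token_type", "Bearer")
                ctx.headers["Authorization"] = f"{token_type} {token}"
            return {output: ctx}

        # Output not specified: the whole Access Token Response goes to the message context as JSON.
        ctx = Message(body=json.dumps(cached))
        ctx.headers["Content-Type"] = "application/json"
        return {"message": ctx}


if __name__ == "__main__":
    # Constructed sample Token Endpoint response; not captured from a real provider.
    mediator = TokenMediator("apic-session")
    first = mediator.mediate_token_response(
        {"access_token": "abc123", "token_type": "Bearer", "expires_in": 3600}
    )
    print(first.headers["Set-Cookie"])
```

In the model, the security property the policy buys you is visible in `resolve`: the browser-held cookie is an index, not a credential, so a leaked cookie value is only useful against the same gateway cache, and the bearer token itself never leaves the gateway when the Output context is used.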