Authentication URL user registry
You can use an Authentication URL user registry to specify a REST authentication service to manage user authentication, and to optionally provide additional metadata to be embedded in the token.
- Providing the authenticated credential to IBM® API
Connect. For example, the user
logs-in with user name: spoon, and password: fork.
When the user is authenticated, the credential becomes
cn=spoon,o=eatery
. The credential is kept in the OAuth access_token to represent the user. - Providing metadata support. Allow extra metadata to be stored in the
access_token
. - Overriding the
scope
that the application receives after a successful OAuth protocol processing. By responding with a specific header, the Authentication URL endpoint can replace thescope
value that the application receives. For example, you can provide a specific resource owner an account number within thescope
header response for use in future processing steps.
When you call the Authentication URL user registry, the API Connect gateway sends a GET request with HTTP headers and then processes any HTTP response from the URL. For authentication, a REST authentication service is expected at the Authentication URL.
cn=spoon,o=eatery
as the user
identity.HTTP/1.1 200 OK
Server: example.org
X-API-Authenticated-Credential: cn=spoon,o=eatery
For information on how to configure a User Security policy in an API assembly for use with an Authentication URL user registry, see User Security policy.
For an example of an OAuth provider configuration that uses an Authentication URL user registry, see Example - using multiple OAuth policies in an OAuth provider assembly.
API Connect considers any non-200 HTTP response code a failed user authentication attempt.
API-OAUTH-METADATA-FOR-ACCESSTOKEN
API-OAUTH-METADATA-FOR-PAYLOAD
scope
from the application. For more information, see Scope. The response header
is: x-selected-scope