OAuth context variables
You can customize the OAuth security flow in a native OAuth provider by adding multiple OAuth policies to the assembly. Each OAuth policy takes input from context variables and writes output to context variables. By using these OAuth context variables you can manipulate the original request, and process the output from an OAuth policy.
- Information variables, outputs of an OAuth policy.
- Processing variables, processed during the execution of an OAuth policy.
Information variables
These context variables are outputs of an OAuth policy. They are not used in the processing of the OAuth action.
oauth.result
- The result of the latest action; returns
SUCCESS
orFAILURE
. oauth.settings.variable_name
- Basic settings from the OAuth provider. The following context variables are
available:
oauth.settings.allowed_scopes oauth.settings.access_token_ttl oauth.settings.authorization_code_ttl oauth.settings.refresh_token_ttl oauth.settings.refresh_token_limit oauth.settings.maximum_consent_ttl
oauth.executed_components[0].variable_name
- The components that have executed in this transaction, with their result. If a failure occurs
then the error and error description will be added. The following context variables are
available:
The possible values for theoauth.executed_components[0].result oauth.executed_components[0].type oauth.executed_components[0].error_description oauth.executed_components[0].error
type
variable are as follows:
The following example shows a corresponding JSON extract from the OAuth context:ValidateRequestComponent GenerateAZCodeComponent VerifyAZCodeComponent VerifyRefreshTokenComponent GenerateAccessTokenComponent IntrospectTokenComponent RevokeTokenComponent CollectMetaDataComponent
"executed_components": [ { "type": "ValidateRequestComponent", "result": "SUCCESS" }, { "type": "GenerateAccessTokenComponent", "result": "SUCCESS" } ]
oauth.verified_access_token.variable_name
- The token that was verified in the security requirement for a native OAuth provider. The
following context variables are
available:
oauth.verified_access_token.access_token oauth.verified_access_token.client_id oauth.verified_access_token.consented_on oauth.verified_access_token.consented_on_text oauth.verified_access_token.grant_type oauth.verified_access_token.misc_info oauth.verified_access_token.not_after oauth.verified_access_token.not_after_text oauth.verified_access_token.not_before oauth.verified_access_token.not_before_text oauth.verified_access_token.one_time_use oauth.verified_access_token.resource_owner oauth.verified_access_token.scope
oauth.third_party.variable_name
- The token that was verified in the security requirement for a third party OAuth provider.
Provides the following information:
- The response headers from the external, third-party OAuth provider.
- The body of response from the external, third-party OAuth provider.
- Whether the response is cached. When cached, the value is
true
. When not cached, the value isfalse
.
oauth.third_party.headers oauth.third_party.response oauth.third_party.cached
oauth.code.variable_name
- The code that was generated during the execution of a component of type
GenerateAZCodeComponent
. The following context variables are available:oauth.code.client_id oauth.code.code oauth.code.redirect_uri oauth.code.resource_owner oauth.code.scope
oauth.token.variable_name
- The token that was generated during the execution of a component of type
GenerateAccessTokenComponent
. The following context variables are available:oauth.token.token_type oauth.token.access_token oauth.token.scope oauth.token.expires_in oauth.token.consented_on oauth.token.redirect_uri oauth.token.resource_owner oauth.token.client_id oauth.token.refresh_token oauth.token.refresh_token_expires_in oauth.token.refresh_token_count
oauth.introspect.variable_name
- The token that was introspected during execution of a component of type
IntrospectTokenComponent
. The following context variables are available:oauth.introspect.active oauth.introspect.scope oauth.introspect.client_id oauth.introspect.resource_owner oauth.introspect.token_type oauth.introspect.grant_type oauth.introspect.ttl oauth.introspect.expires oauth.introspect.expires_text oauth.introspect.iat oauth.introspect.not_before oauth.introspect.not_before_text oauth.introspect.consented_on oauth.introspect.consented_on_text oauth.introspect.one_time_use
oauth.external_manager.variable_name
- Token management when using an external token manager. Provides the following information:
- The response headers from the external management server.
- The response JSON body from the external management server.
- When caching is enabled, whether the response is found in the cache or set in the cache. When caching is not enabled, that the response is not set in the cache.
oauth.external_manager.headers oauth.external_manager.response oauth.external_manager.cached
Processing variables
oauth.processing.assertion
oauth.processing.client_id
oauth.processing.client_secret
oauth.processing.grant_type
oauth.processing.redirect_uri
oauth.processing.scope
oauth.processing.response_type
oauth.processing.state
oauth.processing.resource_owner
oauth.processing.refresh_token
oauth.processing.code
oauth.processing.token
oauth.processing.token_type_hint
oauth.processing.nonce
oauth.processing.max_age
oauth.processing.oidc_values_requested
oauth.processing.id_token_requested
oauth.processing.oidc_signing_algorithm
oauth.processing.code_challenge
oauth.processing.code_challenge_method
oauth.processing.code_verifier
oauth.processing.metadata.access_token
oauth.processing.metadata.payload
oauth.processing.metadata.azcode_miscinfo
oauth.processing.verified_code.client_id
oauth.processing.verified_code.resource_owner
oauth.processing.verified_code.misc_info
oauth.processing.verified_code.scope
oauth.processing.verified_code.is_verified
oauth.processing.verified_code.nonce
oauth.processing.verified_refresh_token.client_id
oauth.processing.verified_refresh_token.resource_owner
oauth.processing.verified_refresh_token.misc_info
oauth.processing.verified_refresh_token.scope
oauth.processing.verified_refresh_token.refresh_token_count
oauth.processing.verified_refresh_token.is_verified
oauth.processing.verified_refresh_token.one_time_use
oauth.processing.verified_refresh_token.grant_type
gateway-script
policy
that executes before an OAuth policy in your API assembly and adds a custom scope to the
request:// Add another custom scope to the request
let scope = context.get("request.parameters.scope.values[0]");
if (scope)
context.set("oauth.processing.scope", scope + " custom");
gateway-script
policy
that between OAuth policies in your assembly and modifies the scope depending on the resource
owner:// Check resource owner and modify the scope
let owner = context.get("oauth.processing.resource_owner");
let scope = context.get("oauth.processing.scope");
if (owner === 'admin') {
context.set("oauth.processing.scope", scope + " admin");
} else {
context.set("oauth.processing.scope", scope + " customer");
}
Advanced scope context variables
The following context variables are used in OAuth advanced scope checking. They are populated by the values entered in the Endpoint and TLS Client Profile fields for the Application scope check and Owner scope check in the native OAuth provider configuration. Do not change these values as this might result in incorrect advanced scope operation.
For information on scope configuration, see Configuring scopes for a native OAuth provider. For information on advanced scope checking, see Scope.
oauth.advscope.app.url
oauth.advscope.app.tls-profile
oauth.advscope.own.url
oauth.advscope.own.tls-profile
Custom error context variables
oauth.custom_error.status.code
oauth.custom_error.status.reason
oauth.custom_error.message
oauth.custom_error.description