Token management with the DataPower API Gateway
API Connect can use the DataPower distributed cache to manage the token lifecycle that includes when to revoke access rights.
.
.
.
spec:
.
.
.
apicGatewayServiceV5CompatibilityMode: false
tokenManagementService:
enabled: true
.
.
.
For more information, see Installing the
DataPower Gateway subsystem.Token management relies on gateway-peering to distribute the cache for revocation details within a gateway cluster node, and does not propagate across different gateway clusters. In order to enforce token management across different gateway clusters, you must use the external token store and set the Token Management Type to External in your native OAuth provider configuration.
In order to manage tokens with the DataPower® API Gateway, you must set the Token Management Type to Native in your Native OAuth provider configuration. See Configuring token management and revocation for a native OAuth provider when using Cloud Manager or Configuring token management and revocation for a native OAuth provider when using API Manager.
Introspect
cache type
is set to protocol
or Time to live
.For token management with the DataPower API Gateway, you must configure the API Security Token Manager on the gateway. Complete the following steps:
For more information, see Defining the API security token manager and Creating a gateway peering instance.
Resource owner revocation
When Resource owner revocation path is selected in the Token Management screen, the configuration inserts two REST API calls to /oauth2/issued.
- An HTTP GET operation that retrieves a list of all granted permissions for a specific user.
- An HTTP DELETE operation that revokes an application for a specific user.
The setting inserts header-based security definitions of client ID and client secret as shown in the View permissions example. The API call to revoke a given application for a given user is shown in the Revoke permissions example.
- View permissions example
-
To list all the applications granted by user
cn=spoon,o=ibm
with usernamespoon
and passwordspoon
using a registered administration application of5287fe53-8747-438a-8262-681ec75b79c5
.- Request:
GET /oauth2/issued HTTP/1.1 Host: apic.ibm.com x-ibm-client-id: 5287fe53-8747-438a-8262-681ec75b79c5 x-ibm-client-secret: E2qM6mG2bX2uC1xT2iN1uU6bT5cV4dN7nW5kM5uP8vL3uF3cT7 Authorization: Basic c3Bvb246c3Bvb24=
- Response:
HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Cache-Control: no-store Pragma: no-cache [ { "clientId": "5287fe53-8747-438a-8262-681ec75b79c5", => same client id as request "owner": "cn=spoon,o=ibm", "clientName": "PetStore Application", "scope": "listpet", "issuedAt": 1503327054, "consentedOn": 1503327054, "expiredAt": 1503330654, "refreshTokenIssued": false, "appId": "d2031f0f27339315333734ab9", "org": "PetStoreOrg", "orgTitle": "Katie Pet Grooming Inc", "orgId": "5887803de4b06e6998c4b2c7", "provider": "SuperStore", "providerTitle": "Simon SuperStore", "providerId": "5887803de4b06e6998c4b2c7", "catalog": "publicapi", "catalogTitle": "For public", "catalogId": "5887803de4b06e6998c4b2d3" } => delete second item ]
- Request:
- Revoke permissions example
-
To revoke application
a8746323-9825-a842-8736-abd8202356ac8
by ownercn=spoon,o=ibm
.- Request
DELETE /oauth2/issued?client-id=a8746323-9825-a842-8736-abd8202356ac8 HTTP/1.1 Host: apic.ibm.com x-ibm-client-id: a8746323-9825-a842-8736-abd8202356ac8 => same client id as delete request x-ibm-client-secret: E2qM6mG2bX2uC1xT2iN1uU6bT5cV4dN7nW5kM5uP8vL3uF3cT7 Authorization: Basic c3Bvb246c3Bvb24=
- Response
HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Cache-Control: private, no-store, no-cache, must-revalidate Pragma: no-cache { "status": "success" }
- Request
Client revocation
When Client revocation path is selected in the Token Management screen, the result is the following:
This option inserts one REST API call to /oauth2/revoke, which supports
OAuth 2.0 IETF RFC
7009. An HTTP POST operation that an application can send to this API to revoke either an
access_token
, or refresh_token
with
token_type_hint
as shown in the following examples:
- Revoke
access_token
-
- Request:
POST /oauth2/revoke HTTP/1.1 Host: apic.ibm.com x-ibm-client-id: 5287fe53-8747-438a-8262-681ec75b79c5 x-ibm-client-secret: E2qM6mG2bX2uC1xT2iN1uU6bT5cV4dN7nW5kM5uP8vL3uF3cT7 Content-Type: application/x-www-form-urlencoded token_type_hint=access_token&token=AAIHZGVmYXVsdD1-KqwD0Yc3EDn94lSWX14xuR....
- Response:
HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Cache-Control: private, no-store, no-cache, must-revalidate Pragma: no-cache { "status": "success" }
- Request:
- Revoke
refresh_token
-
- Request:
POST /oauth2/revoke HTTP/1.1 Host: apic.ibm.com x-ibm-client-id: 5287fe53-8747-438a-8262-681ec75b79c5 x-ibm-client-secret: E2qM6mG2bX2uC1xT2iN1uU6bT5cV4dN7nW5kM5uP8vL3uF3cT7 Content-Type: application/x-www-form-urlencoded token_type_hint=refresh_token&token=........
- Response:
HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Cache-Control: private, no-store, no-cache, must-revalidate Pragma: no-cache { "status": "success" }
- Request: