OAuth context variables

The context variables that represent the properties that are used in an OAuth flow.

OAuth context variables represent the properties that are used in an OAuth flow. These variables are either information variables or processing variables. For variables that are specific to OIDC processing, see OAuth OIDC context variables.
  • Information variables are the outputs of OAuth policies. The following variables are written by a policy and are not read during the processing of the OAuth policy.
    oauth.code.variable
    The GenerateAZCodeComponent OAuth component generates the authorization code for the client, which represents the resource owner's authorization that grants access to the requested resource. See oauth.code.variable for details.
    oauth.executed_components.variable
    The components processed in this transaction with their results. If a failure occurs, the error and error description are added. See oauth.executed_components.variable for details.
    oauth.external_manager.variable
    Token management that uses an external management server. See oauth.external_manager.variable for details.
    oauth.introspect.variable
    The IntrospectTokenComponent OAuth component introspects the token to determine its state. When the state is active, introspect its metadata. See oauth.introspect.variable for details.
    oauth.result
    The result of the last OAuth policy, which is SUCCESS or FAILURE.
    oauth.settings.variable
    The basic settings from OAuth provider settings. See oauth.settings.variable for details.
    oauth.third_party.variable
    Access token verification by a third-party provider is not defined in an OAuth policy, but in the API security OAuth requirement. See oauth.third_party.variable for details.
    oauth.token.variable
    The GenerateAccessTokenComponent OAuth component generates the access token to the client when the authorization code or refresh token is verified. See oauth.token.variable for details.
    oauth.verified_access_token.variable
    Access token verification by a native provider is not defined in an OAuth policy, but in the API security OAuth requirement. See oauth.verified_access_token.variable for details.
  • Processing variables are the inputs to OAuth processing. When any of the following variables is set before an OAuth policy, its value overrides the corresponding value in the request.
    oauth.processing.variable
    The ValidateRequestComponent OAuth component validates the incoming request from the client. See oauth.processing.variable for details.
    oauth.processing.jwt.claims.variable
    The JWT claims in the token with its value. These variables are the JWT claims that the OAuth specification defines.
    oauth.processing.metadata.variable
    The CollectMetaDataComponent OAuth component collects metadata from the authentication URL and the metadata URL. See oauth.processing.metadata.variable for details.
    oauth.processing.verified_code.variable
    The VerifyAZCodeComponent OAuth component verifies the authorization code from the client. This component has processing variables. See oauth.processing.verified_code.variable for details.
    oauth.processing.verified_refresh_token.variable
    The VerifyRefreshTokenComponent OAuth component verifies the refresh token from the client. This component has processing variables. See oauth.processing.verified_refresh_token.variable for details.
    Processing context variables can be modified in a GatewayScript before an OAuth policy or between OAuth policies.

    GatewayScript before an OAuth policy

    // Add another custom scope to the request
    let scope = context.get("request.parameters.scope.values[0]");
    context.set("oauth.processing.scope", scope + " custom");

    GatewayScript between OAuth policies

    // Check resource owner and modify the scope
    let owner = context.get("oauth.processing.resource_owner");
    let scope = context.get("oauth.processing.scope");

    if (owner === 'admin') {
        context.set("oauth.processing.scope", scope + " admin");
    } else {
        context.set("oauth.processing.scope", scope + " customer");
    }
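    The page's samples widen the scope; a script placed between OAuth policies can just as well narrow it. The following is an added example, not code from the original page or from the GatewayScript runtime: it replaces the real `context` global with a constructed stand-in so it runs outside the gateway, assumes the script runs after oauth.settings.allowed_scopes has been populated, and treats the "admin" scope as one only the admin resource owner may hold (an assumed policy for the example).

```javascript
// Added example; not from the original page. The GatewayScript `context`
// global is replaced by a constructed stand-in (get/set by variable name).
function makeContext(initial) {
  const store = new Map(Object.entries(initial));
  return {
    get: (name) => (store.has(name) ? store.get(name) : undefined),
    set: (name, value) => { store.set(name, value); },
  };
}

// Scopes that only the admin resource owner may hold (assumed policy).
const PRIVILEGED_SCOPES = new Set(["admin"]);

function splitScopes(value) {
  return String(value || "").split(/\s+/).filter(Boolean);
}

// Reduce oauth.processing.scope to the scopes that were requested, are in
// oauth.settings.allowed_scopes, and are permitted for this resource owner.
// Returns the scopes that were dropped so the caller can log them.
function restrictScope(ctx) {
  const requested = splitScopes(ctx.get("oauth.processing.scope"));
  const allowed = new Set(splitScopes(ctx.get("oauth.settings.allowed_scopes")));
  const owner = ctx.get("oauth.processing.resource_owner");
  const kept = [];
  const dropped = [];
  for (const s of new Set(requested)) {          // de-duplicate, keep order
    const privileged = PRIVILEGED_SCOPES.has(s);
    if (allowed.has(s) && (!privileged || owner === "admin")) {
      kept.push(s);
    } else {
      dropped.push(s);
    }
  }
  // Overwrite the processing variable so the next OAuth policy only sees
  // the vetted scopes (an empty result is set as "" rather than undefined).
  ctx.set("oauth.processing.scope", kept.join(" "));
  return dropped;
}

// Constructed sample: a non-admin owner asking for more than is permitted.
const sample = makeContext({
  "oauth.processing.scope": "read write admin delete read",
  "oauth.processing.resource_owner": "alice",
  "oauth.settings.allowed_scopes": "read write admin",
});
const droppedScopes = restrictScope(sample);
console.log("kept:", sample.get("oauth.processing.scope"),
            "dropped:", droppedScopes.join(" "));
```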

oauth.code.variable

The following list provides only the variable portion of the context variable.

  • client_id - The identifier of the client. The maximum supported string length is 512 characters.
  • code - The authorization code that the resource owner generates and grants to the client.
  • redirect_uri - The client redirect URI that is carried in the code.
  • resource_owner - The authenticated user.
  • scope - The space-delimited string of scopes to allow access to.

oauth.executed_components.variable

The following list provides only the variable portion of the context variable.

  • result - The processing result for the OAuth component, which is SUCCESS or FAILURE.
  • type - The processed OAuth component, which can be one or more of the following values.
    • ValidateRequestComponent
    • GenerateAZCodeComponent
    • VerifyAZCodeComponent
    • VerifyRefreshTokenComponent
    • GenerateAccessTokenComponent
    • IntrospectTokenComponent
    • RevokeTokenComponent
    • CollectMetaDataComponent
  • error - The ASCII OAuth message code.
  • error_description - The text that provides additional information about the error.
The following example illustrates a response.
"executed_components": [
  {
    "type": "ValidateRequestComponent",
    "result": "SUCCESS"
  },
  {
    "type": "GenerateAccessTokenComponent",
    "result": "SUCCESS"
  }
]

oauth.external_manager.variable

The following list provides only the variable portion of the context variable.

  • headers - The response headers from the external management server.
  • response - The response JSON body from the external management server.
  • cached - When caching is enabled, whether the response was found in the cache or was set in the cache. When caching is disabled, the response is never in the cache.

oauth.introspect.variable

The following list provides only the variable portion of the context variable.

  • active - The Boolean value that indicates whether the presented token is active.
  • scope - The space-delimited string of scopes to allow access to.
  • client_id - The identifier of the client. The maximum supported string length is 512 characters.
  • resource_owner - The authenticated user.
  • token_type - The type of token.
  • grant_type - The grant type, which is the method to grant authorization to the client.
  • ttl - The lifetime in seconds for the token.
  • expires - The remaining time in seconds that the consent remains valid.
  • expires_text - The remaining time in a string type that the consent remains valid.
  • iat - The time when the token was issued.
  • not_before - The time in seconds since the epoch before which the token cannot be accepted.
  • not_before_text - The time in a string type before which the token cannot be accepted.
  • consented_on - The time in seconds since the epoch when the resource owner gave consent to the client.
  • consented_on_text - The time in string type when the resource owner gave consent to the client.
  • one_time_use - The Boolean value that indicates whether the token is a one-time use token.
  • must_expire_on - The maximum consent in seconds for a refresh token.
  • must_expire_on_text - The maximum consent in a string type for a refresh token.

oauth.processing.variable

The following list provides only the variable portion of the context variable.

  • client_id - The identifier of the client. The maximum supported string length is 512 characters.
  • client_secret - The private secret that is known to only the client and the authorization server.
  • grant_type - The grant type, which is the method to grant authorization to the client.
  • assertion - In the JWT flow, the value of the assertion request parameter, which is to be the ID token.
  • redirect_uri - The client redirect URI that is carried in the code or token.
  • scope - The space-delimited string of scopes to allow access to.
  • response_type - The requested token type that the authorization server generated.
  • state - The unique string in the authorization request that is returned in the response.
  • resource_owner - The authenticated user.
  • refresh_token - The refresh token string that is issued to the client.
  • code - The authorization code that the resource owner generates and grants to the client.
  • token - The string value of the token.
  • token_type_hint - The hint about the type of token.
  • nonce - The random string value that associates a client session with an ID token to prevent a replay attack.
  • max_age - The authentication lifetime in seconds before reauthentication is needed.
  • oidc_values_requested - The requested values for claims.
  • id_token_requested - The Boolean value that indicates whether an ID token must be acquired for retrieved credentials.
  • oidc_signing_algorithm - The signing algorithm.
  • code_challenge - The transformed version of the client-generated secret.
  • code_challenge_method - The method used to transform the client-generated secret.
  • code_verifier - The client-created secret.

oauth.processing.metadata.variable

The following list provides only the variable portion of the context variable.

  • access_token - The access token string that is issued to the client.
  • payload - The metadata for the response on token generation.
  • azcode_miscinfo - The metadata from the authorization code.

oauth.processing.verified_code.variable

The following list provides only the variable portion of the context variable.

  • client_id - The identifier of the client. The maximum supported string length is 512 characters.
  • resource_owner - The authenticated user.
  • misc_info - The metadata that is carried with the code.
  • scope - The space-delimited string of scopes to allow access to.
  • is_verified - The Boolean value that indicates whether the code was verified.
  • nonce - The random string value that associates a client session with an ID token to prevent a replay attack.

oauth.processing.verified_refresh_token.variable

The following list provides only the variable portion of the context variable.

  • client_id - The identifier of the client. The maximum supported string length is 512 characters.
  • resource_owner - The authenticated user.
  • misc_info - The metadata that is carried with the access token.
  • scope - The space-delimited string of scopes to allow access to.
  • refresh_token_count - The number of times the refresh token was refreshed.
  • is_verified - The Boolean value that indicates whether the token was verified.
  • one_time_use - The Boolean value that indicates whether the token is a one-time use token.
  • grant_type - The grant type, which is the method to grant authorization to the client.

oauth.settings.variable

The following list provides only the variable portion of the context variable.

  • allowed_scopes - The space-delimited string of scopes that the provider supports.
  • access_token_ttl - The lifetime in seconds for the access token.
  • authorization_code_ttl - The lifetime in seconds for the authorization code.
  • refresh_token_ttl - The lifetime in seconds for the refresh token.
  • refresh_token_limit - The maximum number of refresh tokens allowed.
  • maximum_consent_ttl - The lifetime in seconds for the consent.

oauth.third_party.variable

The following list provides only the variable portion of the context variable.

  • headers - The response headers from the external, third-party OAuth provider.
  • response - The response body from the external, third-party OAuth provider.
  • cached - Whether the response is cached. When cached, true. When not cached, false.

oauth.token.variable

The following list provides only the variable portion of the context variable.

  • token_type - The type of token.
  • access_token - The access token string that is issued to the client.
  • scope - The space-delimited string of scopes to allow access to.
  • expires_in - The time in seconds since the epoch that the consent remains valid.
  • consented_on - The time in seconds since the epoch when the resource owner gave consent to the client.
  • redirect_uri - The client redirect URI that is carried in the token.
  • resource_owner - The authenticated user.
  • client_id - The identifier of the client. The maximum supported string length is 512 characters.
  • refresh_token - The refresh token string that is issued to the client.
  • refresh_token_expires_in - The time in seconds since the epoch that the refresh token remains valid.
  • refresh_token_count - The number of times the refresh token was refreshed.
  • must_expire_on - The maximum consent expiry in seconds since the epoch.

oauth.verified_access_token.variable

The following list provides only the variable portion of the context variable.

  • access_token - The access token string that is issued to the client.
  • scope - The space-delimited string of scopes to allow access to.
  • client_id - The identifier of the client. The maximum supported string length is 512 characters.
  • resource_owner - The authenticated user.
  • grant_type - The grant type, which is the method to grant authorization to the client.
  • consented_on - The time in seconds since the epoch when the resource owner gave consent to the client.
  • consented_on_text - The time in string type when the resource owner gave consent to the client.
  • not_before - The time in seconds since the epoch before which the token cannot be accepted.
  • not_before_text - The time in a string type before which the token cannot be accepted.
  • not_after - The time in seconds since the epoch after which the access token cannot be accepted.
  • not_after_text - The time in a string type after which the access token cannot be accepted.
  • misc_info - The metadata that is carried with the access token.
  • one_time_use - The Boolean value that indicates whether the token is a one-time use token.