
Overview of OIDC Token Authentication Connector

Release Notes

Release Date: October 29, 2020
Release Type: New Feature
Release Description:

  • Support for securing APIs in API Management using a third-party OIDC IDP-based ID token.

  • Ability to configure up to ten user information endpoints per service endpoint for ID validation using any third-party OIDC IDP.

  • Conditional selection of the user info endpoint based on incoming metadata, for geo-distributed API services.

  • Ability to enrich the API request header with user info metadata returned after successful ID validation.

  • Support for strict case-sensitive HTTP methods for GET and POST calls to the third-party OAuth 2.0 authorization server's user info endpoint. The HTTP verb is case-sensitive and is handled that way in compliance with RFC 7231.

  • Support for the configurable parameter enable_error_set, which controls the error response code sent by API Management.

    If enable_error_set is configured as "true", API Management responds with ERR_403_NOT_AUTHORIZED, a Gateway-supported error message. In this case the HTTP response status code and status text for the connector are overridden by the error set defined for that endpoint in the API Management Control Center. The override is applied only when the error is thrown by the Mashery Connector; if the error is thrown by the third-party OpenID IDP, no message overriding is performed.

    If enable_error_set is configured with any value other than "true", the existing Mashery Connector behaviour is unchanged: it responds with ERR_401_UNAUTHORIZED when the backend server returns response code 401 for unauthorized calls.

    The value "true" for the enable_error_set parameter is case-insensitive.

  • Support for UserInfo error responses on error conditions as defined in the OAuth 2.0 Bearer Token Usage Specification.

Description

This feature enables securing APIs behind Cloud API Management using a third-party OIDC IDP-based ID token.

  • The connector validates the third-party OAuth 2.0 access token for authentication and allows calls to the backend API only after successful validation.

  • It allows multiple introspection endpoints to be configured, one unique endpoint per region, for a geo-distributed OAuth 2.0 authorization server.

  • Supports enriching headers with values from the introspection endpoint's JSON response upon successful validation, before the request is forwarded to the backend server.

  • The connector provides a configurable capability to block or forward the HTTP Authorization header to the backend API server.

  • Supports JSONPath expressions to locate the values in the authorization server's JSON response (UserInfo endpoint) that are to be injected into headers before the request is forwarded to the backend server.

  • Supports pre-processing of client requests to influence API behavior within Cloud API Management.
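The header enrichment and Authorization-header handling described in the bullets above, as an added illustration that is not the connector's own code: a hypothetical header-to-JSONPath mapping is resolved against a constructed UserInfo response, claims the IDP did not return are skipped rather than injected as empty headers, and the inbound Authorization header is dropped when forwarding is disabled. The JSONPath resolver supports only `$`, dotted keys and numeric indexes; the UserInfo document, header names and the FORWARD_AUTHORIZATION switch are assumptions for the example.

```python
import json
import re
from typing import Any

# Constructed sample UserInfo JSON response (not from the page or any real IDP).
USERINFO_JSON = json.dumps({
    "sub": "248289761001",
    "email": "jane@example.com",
    "address": {"country": "NL"},
    "groups": ["api-readers", "api-writers"],
})

# Hypothetical connector configuration: backend header name -> JSONPath expression.
HEADER_MAP = {
    "X-User-Id": "$.sub",
    "X-User-Email": "$.email",
    "X-User-Country": "$.address.country",
    "X-User-Group": "$.groups[0]",
    "X-User-Phone": "$.phone_number",   # not in the response: must not be injected
}
# Assumed switch mirroring the "block or forward Authorization header" capability.
FORWARD_AUTHORIZATION = False

_TOKEN = re.compile(r"\.?([A-Za-z_][A-Za-z0-9_]*)|\[(\d+)\]")

def jsonpath_get(doc: Any, path: str) -> Any:
    """Resolve a JSONPath subset ('$', dotted keys, [n] indexes); None if the path is absent."""
    if not path.startswith("$"):
        raise ValueError("JSONPath must start with '$'")
    node = doc
    for key, idx in _TOKEN.findall(path[1:]):
        if key:
            if not isinstance(node, dict) or key not in node:
                return None
            node = node[key]
        else:
            if not isinstance(node, list) or int(idx) >= len(node):
                return None
            node = node[int(idx)]
    return node

def enrich_headers(inbound: dict, userinfo_json: str) -> dict:
    """Build the header set forwarded to the backend after successful ID validation."""
    doc = json.loads(userinfo_json)
    out = {k: v for k, v in inbound.items()
           if FORWARD_AUTHORIZATION or k.lower() != "authorization"}
    for header, path in HEADER_MAP.items():
        value = jsonpath_get(doc, path)
        if value is not None:  # skip claims the IDP did not return
            out[header] = str(value)
    return out
```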
