Configuring Endpoint Call Processing

API Policy Connector Claims Verification policy (introduced in v6.1.0)

Important

This section was added in the Boomi Cloud API Management – Local Edition (LE) 6.1.0 release.

Procedure

The API Policy Connector Claims Verification policy (used in API Policy Connector or OAuth2JWT Authentication Connector) now supports multiple policy types for nonstandard_claims:

  • matchall: Match all nonstandard_claims in the token with configured claims.

  • matchexact: All nonstandard_claims in the token and configured claims must be exactly the same without extra elements on either side.

  • matchnone: None of the claims in the token should match configured claims.

  • matchany: Any nonstandard_claims in the token should match the configured claims.

The name of a matching policy is the claim name followed by the suffix MatchPolicy. The name is case-sensitive.

For example, GroupsMatchPolicy or WhitelistedMatchPolicy.
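The four policy types differ only in how the values of a token claim are compared with the configured values. The following sketch is an added example, not Boomi connector code: it assumes exact, case-sensitive string comparison, reads matchall as "every value in the token claim appears in the configured list", and uses a constructed token payload and a hypothetical settings dictionary to carry the <ClaimName>MatchPolicy entries.

```python
# Added illustration, not Boomi connector code. Assumptions: values are compared
# as exact, case-sensitive strings; a policy is set under the key
# "<ClaimName>MatchPolicy"; "matchall" means every value in the token claim
# must appear in the configured list.

def as_set(raw):
    """Normalise 'Group1, Group2' or a JSON array from the token into a set."""
    items = raw.split(",") if isinstance(raw, str) else raw
    return {str(i).strip() for i in items if str(i).strip()}

POLICIES = {
    # An empty or missing token claim is denied rather than vacuously accepted.
    "matchall": lambda tok, conf: bool(tok) and tok <= conf,
    "matchexact": lambda tok, conf: tok == conf,
    "matchnone": lambda tok, conf: tok.isdisjoint(conf),
    "matchany": lambda tok, conf: not tok.isdisjoint(conf),
}

def check_claim(claim, token_claims, nonstandard_claims, settings):
    """Evaluate one configured claim under its <ClaimName>MatchPolicy entry."""
    key = claim + "MatchPolicy"          # case-sensitive, e.g. GroupsMatchPolicy
    if key not in settings:
        raise KeyError(f"no {key} entry (the key name is case-sensitive)")
    policy = settings[key]
    if policy not in POLICIES:
        raise ValueError(f"unknown policy type {policy!r} for {key}")
    token_values = as_set(token_claims.get(claim, []))
    return POLICIES[policy](token_values, as_set(nonstandard_claims[claim]))

def compare_policies(claim, token_claims, nonstandard_claims):
    """Show how the same token fares under each of the four policy types."""
    return {p: check_claim(claim, token_claims, nonstandard_claims,
                           {claim + "MatchPolicy": p}) for p in POLICIES}

# Configured values from the page's example; the token payload is constructed.
NONSTANDARD_CLAIMS = {"Groups": "Group1, Group2", "Whitelisted": "abc.com, xyz.com"}
TOKEN = {"Groups": ["Group1", "Group3"], "Whitelisted": "abc.com"}

if __name__ == "__main__":
    for name in NONSTANDARD_CLAIMS:
        print(name, compare_policies(name, TOKEN, NONSTANDARD_CLAIMS))
```

With this token, Groups passes only matchany, because Group3 is not configured, while Whitelisted passes both matchall and matchany.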

Procedure

  1. Sign in to the Boomi Cloud API Management (Control Center) dashboard.

  2. Click API Definitions on the Get Started page or navigate to Design > APIs.

  3. On the Manage your APIs with API Definitions page, in the Name column, select the API Definition link from the list. This opens the Endpoint Settings: <your endpoint name> page.

  4. On the Endpoint: <your endpoint name> page, in the Name column, select an endpoint link, or select the settings icon in the row of the endpoint you want to configure.

  5. Navigate to Call Transformations. On the Call Transformations page, specify the following information in these fields:

    • Processing Adapter: com.mashery.proxy.customer.generic.JWTAuthProcessor

    • Perform Pre-processing: Enabled

    • Data to make available for pre-processing: Enter the following data, one entry per line:

      Important
      • There must be no space between two nonstandard_claims entries or between two inject_headers entries. The following example contains such spaces and will not work:

        nonstandard_claims: {"Groups":"Group1, Group2" , "Whitelisted":"abc.com, xyz.com"} and inject_headers: {"Audience":"aud" , "Issuer":"iss"}

      • The special character ":" is not allowed in a header name.

      • The proxy port can be specified either in http_proxy_server, as "http_proxy_server : squid.example.com:3128", or as a separate parameter, as "http_proxy_port : 3128". If the proxy port is specified in both places, the value of "http_proxy_port" takes precedence.

      | Data | Example | Notes |
      |---|---|---|
      | public_key_request_path:<path location> | public_key_request_path: http://content.mock.mashery.com/stest/test/AJ792_MAIF_CLIENTPUBKEY.json | This is a required field. Request path for JWKS (JSON web key set) location. |
      | public_key_ttl: <minutes> | public_key_ttl: 5 | This is a required field. Enter value in minutes. |
      | token_expiry_override: <minutes> | token_expiry_override: 5 | This is an optional field. Enter value in minutes. |
      | iss: <string> | iss: https://issuer1.com, https://issuer2.com | This is an optional field. String values. |
      | aud: <string> | aud: Google, Facebook, Yahoo | This is an optional field. String values. |
      | nonstandard_claims: {"<HEADER1_NAME>":"<CLAIM1_NAME>","<HEADER2_NAME>":"<CLAIM2_NAME>",..} | nonstandard_claims: {"Groups":"Group1, Group2", "Whitelisted":"abc.com, xyz.com"} | This is an optional field. Key:value pair. |
      | inject_headers: {"<HEADER1_NAME>":"<CLAIM1_NAME>","<HEADER2_NAME>":"<CLAIM2_NAME>",..} | inject_headers: {"Audience":"aud","Issuer":"iss"} | This is an optional field. Key:value pair. |
      | block_authorization_header:<true/false> | block_authorization_header: true | This is an optional field. Boolean values - true or false. Default value: false. |
      | http_proxy_server : <string> | http_proxy_server: squid.example.com | This is an optional field. String values. Proxy Server to retrieve JWKS. |
      | http_proxy_port : <integer> | http_proxy_port: 3128 | This is an optional field. Integer value. Proxy Server Port to retrieve JWKS. |
      | customizeErrorEnable: <true/false> | customizeErrorEnable: true | Configurable parameter that controls the error response code sent by API Management. The JWT Authentication Connector returns ERR_403_NOT_AUTHORIZED in case of error. If customizeErrorEnable is configured as "true", the HTTP response status code and status text for the connector are overridden by the error set defined for that endpoint in API Management Control Center. If customizeErrorEnable is configured with a value other than "true", there is no change in the existing Cloud API Management Connector functionality, which responds with ERR_403_NOT_AUTHORIZED for backend server response code with 403 for unauthorized calls. |

  6. Click Save.
