
OAuth2.0 Token Authentication Connector Configuration Values

Configuration Values

The following configuration values can be defined while configuring the OAuth2.0 Token Authentication Connector on the Call Transformation page:

Field name: Processing Adapter
Type: String
Field Value: com.mashery.proxy.customer.generic.oauth-token-validation-connector
Required/Optional: Required
Description: Adapter used to validate third-party OAuth2.0 access tokens against configurable introspection endpoints and to enrich request headers before forwarding requests to the backend API.

Field name: Perform Pre-processing
Type: Boolean
Field Value: Enabled
Required/Optional: Required
Description: When enabled, the connector runs its pre-processing logic (token validation) before the request is forwarded to the backend.

Field name: Data to make available for pre-processing
Type: Map
Required/Optional: Required
Description: Specifies the input data made available for pre-processing. It consists of the following entries:

  Type: Map
  Field Value: token_validation_uri:{regionCodeHeader:<Header parameter name that holds region code>,regionCodeValue:{"<region1 code>":"<token validation endpoint URI for region1>","<region2 code>":"<token validation endpoint URI for region2>","<region3 code>":"<token validation endpoint URI for region3>"},defaultURI:<default token validation endpoint URI>}
  Required/Optional: Required
  Description: The URI of the token validation endpoint can be selected conditionally, based on metadata present in an API request header.

  - regionCodeHeader and regionCodeValue are optional parameters.

  - defaultURI is required and must always be configured for token validation.

  Note:

  - If the defaultURI parameter is not configured or is missing, the request is blocked with a 401 Unauthorized response.

  - regionCodeHeader and regionCodeValue must be configured together to enable conditional selection of the access token validation endpoint.

  Type: Map
  Field Value: inject_headers:{"<HEADER1_NAME>":"<JSONPathExpression>","<HEADER2_NAME>":"<JSONPathExpression>",...}
  Required/Optional: Optional
  Description: Key:value pairs used to inject headers from the JSON/XML response returned by the introspection endpoint after successful token validation. Values are selected using JSONPath/XPath expressions.

  - Headers are injected only when the configured value exists in the response.

  - Header values must support UTF-8 encoding to handle international characters, for example "name": "Claes Rosenlöf".

  - If a JSONPath/XPath expression results in an object instead of a string, the object is converted to a string and added as the header value.

  Type: Boolean
  Field Value: block_authorization_header:<true/false>
  Required/Optional: Optional
  Description: Default is true.

  Note: This setting only determines whether the incoming access token is blocked or forwarded to the resource server.

  Type: String
  Field Value: http_proxy_server : <string>
  Required/Optional: Optional
  Description: Proxy server used to reach the token_validation_uri. Only one third-party proxy server per endpoint is supported.

  Type: Integer
  Field Value: http_proxy_port : <integer>
  Required/Optional: Optional
  Description: Port of the proxy server used to reach the token_validation_uri.

Examples

Data to make available for pre-processing

The following are example values for the Data to make available for pre-processing field.

Configuration parameters for the token validation URL:

    token_validation_uri: {
        regionCodeHeader: HTTP-REQUEST-REGION-KEY
        regionCodeValue: {"FR":"https://uki.acme-travel.com:9001/fr/userinfo",
                          "US":"https://uki.acme-travel.com:9001/en/userinfo",
                          "DE":"https://uki.acme-travel.com:9001/de/userinfo"}
        defaultURI: https://uki.acme-travel.com/en/userinfo
    }

Configuration parameters for header injection with JSONPath:

    inject_headers: {
        "US": {
            "X-User-Email": "$.uid",
            "X-Unit-Id": "$.b2bUnitId",
            "X-Account-Number": "$.erpAccountNumber"
        },
        "default": {
            "X-User-Id": "$.email",
            "X-Unit-Id": "$.b2bUnitId",
            "X-Account-Number": "$.erpAccountNumber"
        }
    }

Configuration parameters for header injection with XPath:

    inject_headers: {
        "FR": {
            "X-User-Email": "//uid",
            "X-Unit-Id": "//b2bUnitId",
            "X-Account-Number": "//erpAccountNumber"
        },
        "default": {
            "X-User-Id": "//email",
            "X-Unit-Id": "//b2bUnitId",
            "X-Account-Number": "//erpAccountNumber"
        }
    }
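An added example, not code from the connector or from this page, that applies the inject_headers rules described above to a constructed introspection response: it resolves the dotted `$.field` JSONPath subset used in the examples, injects a header only when the value exists, converts objects to a string, and checks the value is UTF-8 encodable. The region-keyed form with a "default" entry (`select_header_map`) is an assumption taken from the examples; the sample response is constructed.

```python
import json
from typing import Any, Dict, Mapping, Optional

# Constructed sample introspection response (not from the page), shaped the way
# the example expressions ($.uid, $.b2bUnitId, $.email, ...) expect.
SAMPLE_INTROSPECTION_RESPONSE: Dict[str, Any] = {
    "uid": "claes",
    "email": "claes@example.com",
    "name": "Claes Rosenlöf",
    "b2bUnitId": "unit-42",
    "address": {"city": "Göteborg", "country": "SE"},
}


def resolve_jsonpath(doc: Any, path: str) -> Optional[Any]:
    """Resolve the root-anchored dotted JSONPath subset ('$.a.b').

    Returns None when any segment is missing so the caller skips injection.
    """
    if not path.startswith("$"):
        raise ValueError("only root-anchored paths such as '$.uid' are supported here")
    node = doc
    for segment in [s for s in path[1:].split(".") if s]:
        if not isinstance(node, dict) or segment not in node:
            return None
        node = node[segment]
    return node


def select_header_map(inject_headers: Mapping[str, Any], region: Optional[str]) -> Mapping[str, str]:
    """Assumption from the examples: when every top-level value is itself a map, the
    config is region-keyed; use the region's entry, else "default". Otherwise the
    config is the flat map described in the configuration table."""
    if inject_headers and all(isinstance(v, dict) for v in inject_headers.values()):
        return inject_headers.get(region, inject_headers.get("default", {}))
    return inject_headers


def build_injected_headers(inject_headers: Mapping[str, Any], response: Any,
                           region: Optional[str] = None) -> Dict[str, str]:
    """Produce the headers to add to the forwarded request after token validation."""
    injected: Dict[str, str] = {}
    for header_name, expr in select_header_map(inject_headers, region).items():
        value = resolve_jsonpath(response, expr)
        if value is None:
            continue  # inject only when the configured value exists in the response
        if isinstance(value, (dict, list)):
            value = json.dumps(value, ensure_ascii=False)  # object -> string
        text = str(value)
        text.encode("utf-8")  # header values must be UTF-8 encodable (raises otherwise)
        injected[header_name] = text
    return injected
```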

Sample Example: Geo-Distributed Authorization Endpoint Explanation

  • The following pre-input configuration names the header in the incoming API request that holds the region code:

    Syntax
    regionCodeHeader:<HTTP header name that holds the region code for the introspection endpoint>
    Example
    regionCodeHeader:HTTP-REQUEST-REGION-KEY

  • The following pre-input configuration associates each region code with an introspection endpoint URI. The value of the region code header is matched against the codes configured in the regionCodeValue pre-input.

    Syntax
    regionCodeValue:{<Code1>:<Introspection Endpoint1>, <Code2>:<Introspection Endpoint2>, ...}
    Example
    regionCodeValue: {"FR":"https://uki.acme-travel.com:9001/fr/userinfo",
    "US":"https://uki.acme-travel.com:9001/en/userinfo",
    "DE":"https://uki.acme-travel.com:9001/de/userinfo"}

    If the incoming request header HTTP-REQUEST-REGION-KEY has the value 'FR', the configuration maps to the introspection endpoint URI 'https://uki.acme-travel.com:9001/fr/userinfo'.

  • The following pre-input configuration specifies the default introspection endpoint URI, used when regionCodeHeader is missing from the request or has an empty value.

    Syntax
    defaultURI:<Contains the default introspection endpoint>
    Example
    defaultURI:https://uki.acme-travel.com/en/userinfo

Sample Example

  • API request to the public endpoint configured in Cloud API Management: https://api.acme.com/aladdapi

  • API inbound region code header: HTTP-REQUEST-REGION-KEY:FR

  • Data to make available for pre-processing (normal flow):

    regionCodeHeader:HTTP-REQUEST-REGION-KEY
    regionCodeValue: {"FR":"https://uki.acme-travel.com:9001/fr/userinfo",
    "US":"https://uki.acme-travel.com:9001/en/userinfo",
    "DE":"https://uki.acme-travel.com:9001/de/userinfo"}
    defaultURI: https://uki.acme-travel.com/en/userinfo

Sample curl call without the region code header

curl -i -v -H 'Host:localapi.localproxy.mashery.com' 'http://localhost:8080/aladdapi?api_key=key'

In this case, the API request is sent to the introspection endpoint "https://uki.acme-travel.com/en/userinfo" for OAuth2.0 access token validation.

Sample curl call with the region code header

curl -i -v -H 'Host:localapi.localproxy.mashery.com' 'http://localhost:8080/aladdapi?api_key=key' -H 'HTTP-REQUEST-REGION-KEY:FR'

In this case, the API request is sent to the introspection endpoint "https://uki.acme-travel.com:9001/fr/userinfo" for OAuth2.0 access token validation.
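An added example, not the connector's own code, of the endpoint selection the flows above describe, in Python: a present and mapped region header selects the regional URI, a missing or empty header falls back to defaultURI, and a missing defaultURI means the request is blocked with 401. Case-insensitive matching of the header name and falling back to defaultURI for an unmapped region code are assumptions; the configuration map mirrors the page's example values.

```python
from typing import Any, Mapping, Optional

# token_validation_uri map built from the page's example values.
TOKEN_VALIDATION_URI: Mapping[str, Any] = {
    "regionCodeHeader": "HTTP-REQUEST-REGION-KEY",
    "regionCodeValue": {
        "FR": "https://uki.acme-travel.com:9001/fr/userinfo",
        "US": "https://uki.acme-travel.com:9001/en/userinfo",
        "DE": "https://uki.acme-travel.com:9001/de/userinfo",
    },
    "defaultURI": "https://uki.acme-travel.com/en/userinfo",
}


def get_header(headers: Mapping[str, str], name: str) -> str:
    """Assumption: HTTP header names are matched case-insensitively; returns '' if absent."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value.strip()
    return ""


def select_validation_uri(config: Mapping[str, Any], headers: Mapping[str, str]) -> Optional[str]:
    """Return the introspection endpoint to call for this request.

    None means the request must be blocked with 401 Unauthorized (no defaultURI).
    """
    default_uri = config.get("defaultURI")
    if not default_uri:
        return None  # defaultURI missing or not configured -> 401 Unauthorized
    header_name = config.get("regionCodeHeader")
    region_map = config.get("regionCodeValue")
    # regionCodeHeader and regionCodeValue must both be configured to enable
    # conditional selection; otherwise only the default endpoint is used.
    if not header_name or not isinstance(region_map, dict):
        return default_uri
    region = get_header(headers, header_name)
    if not region:
        return default_uri  # header missing or empty -> default endpoint
    # Assumption: a region code with no configured endpoint also uses defaultURI.
    return region_map.get(region, default_uri)
```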

Configuration Steps

Refer to Configuring Call Transformation for an Endpoint for more information on the configuration steps.
