Skip to main content
Feedback

OIDC Token Authentication Connector Configuration Values

Configuration Values

The following configuration values can be defined while configuring OIDC Token Authentication Connector on the Call Transformation page:

Field nameTypeField ValueRequired/OptionalDescription
Processing AdapterStringcom.mashery.proxy.customer.generic.oidc-token-connectorRequiredAdapter used to validate OpenID Connect tokens and fetch user information from the UserInfo endpoint.
Perform Pre-processingBooleanEnabledOptionalWhen enabled for pre-processing, validates the pre-processing logic before forwarding the request to the backend.
Data to make available for pre-processingMapOptionalSpecifies the input data made available for pre-processing.
Mapuserinfo_endpoint: { regionCodeHeader: <Header parameter name that holds region code> regionCodeValue: {"<region1 code>":"<user info endpoint URI for region1>", "<region2 code>":"<user info endpoint URI for region2>", "<region3 code>":"<user info endpoint URI for region3>"} defaultURI: < default user info endpoint URI> }Required

The URI for the UserInfo endpoint can be selected conditionally based on metadata present in the API request header.

- regionCodeHeader and regionCodeValue are optional parameters.

- defaultURI is required and must always be configured for the UserInfo endpoint.

Note:

- If the defaultURI parameter is not configured or is missing, the request is blocked, with 401 Unauthorized response.

-regionCodeHeader and regionCodeValue must be configured together to enable conditional selection of the UserInfo endpoint.

Mapinject_headers: {"<HEADER1_NAME>":"<JSONPathExpression>","<HEADER2_NAME>":"<JSONPathExpression>",..} inject_headers:{ "<HEADER1_NAME>":"<JSONPathExpression>","<HEADER2_NAME>":"<JSONPathExpression>" }, ... }Optional

Key:value pairs used to inject headers from the JSON response returned by the UserInfo endpoint after successful validation. Values are matched using JSONPath expressions.

Headers are injected only when the configured value exists in the response. Header values must support UTF-8 encoding to handle international characters, for example, "name": "Claes Rosenlöf".

Booleanblock_authorization_header:<true/false>OptionalDefault is true.

Note: This setting applies only to an access token that needs to be blocked or forwarded to the resource server.

Stringerror_metadata_location : <Error response meta data location>OptionalSpecifies the location of the error response to be returned in case of an error. Possible values are ResponsePayload and ResponseHeaders.
Stringerror_header_name : <Response header name>OptionalName of the response header that contains the error message.
Stringerror_payload_location:<JSONPath Expression>OptionalJSONPath expression to retrieve error information from the OpenID error response payload. The value retrieved is set as the HTTP response body.
Stringhttp_proxy_server : <string>OptionalProxy server used to retrieve the userinfo_endpoint. Only one third-party proxy server per endpoint is supported.
Integerhttp_proxy_port : <integer>OptionalThe proxy server port to retrieve the userinfo_endpoint.
Booleanenable_error_set:<true/false>Optional

Default is false. This parameter is case-insensitive when set to true.

When set to true, it returns the Gateway-supported error ERR_403_NOT_AUTHORIZED for errors thrown by the connector. In this case, it overrides the connector’s default HTTP status code and response text for that endpoint in Control Center. Message overriding occurs only if an error is thrown from the connector; it does not occur for errors thrown by a third-party OpenID IDP.

When set to any value other than true, there is no change to this connector's existing functionality. It returns ERR_401_UNAUTHORIZED and a 401 response code for unauthorized backend server calls.

Examples

Data to make available for pre-processing

The following are example values for Data to make available for pre-processing field.

Configuration parameters for UserInfo endpoint
userinfo_endpoint: {

regionCodeHeader:HTTP-REQUEST-REGION-KEY

regionCodeValue: {"FR":"https://uki.acme-travel.com:9001/fr/userinfo",

"US":"https://uki.acme-travel.com:9001/en/userinfo",

"DE":"https://uki.acme-travel.com:9001/de/userinfo"}

defaultURI: https://uki.acme-travel.com/en/userinfo

}
Configuration parameters for Header injection
inject_headers:{

"US": {
"X-User-Email": "$.uid",
"X-Unit-Id": "$.b2bUnitId",
"X-Account-Number": "$.erpAccountNumber"
},
"default": {
"X-User-Id": "$.email",
"X-Unit-Id": "$.b2bUnitId",
"X-Account-Number": "$.erpAccountNumber"
}
}
Configuration parameters for Error handling
block_authorization_header : false
error_metadata_location : ResponseHeaders
error_header_name : WWW-Authenticate
error_payload_location: $.errorMessage
Configuration parameters for Proxy settings
http_proxy_server : squid.example.com
http_proxy_port : 3128
enable_error_set : true

Sample Example: Geo Distributed Authorization Endpoint Explanation

  • The following pre-input configuration states the name of the header to fetch from the incoming API request, which holds the region code:

    Syntax
    regionCodeHeader:<HTTP header name that holds the region code for user info endpoint>
    Example
    regionCodeHeader:HTTP-REQUEST-REGION-KEY

  • The following pre-input configuration holds the details of the region code and the UserInfo endpoint URI association. The region code header value is matched with the configured value specified for regionCodeValue pre-input.

    Syntax
    regionCodeValue: {<Code1>:<user info Endpoint1>, <Code2>:<user info Endpoint2> ......}
    Example
    regionCodeValue:{
    "FR":"https://uki.acme-travel.com:9001/fr/userinfo",
    "US":"https://uki.acme-travel.com:9001/en/userinfo",
    "DE":"https://uki.acme-travel.com:9001/de/userinfo"
    }

    If the incoming header in the request HTTP-REQUEST-REGION-KEY has the value 'FR', the configuration maps to the introspection endpoint URI 'https://uki.acme-travel.com:9001/fr/userinfo'.

  • The following pre-input configuration specifies the default URI of the UserInfo endpoint if regionCodeHeader is missing or has an empty value in the request.

    Syntax
    defaultURI:<Contains the default UserInfo endpoint>
    Example
    defaultURI:https://uki.acme-travel.com/en/userinfo

Sample Example

  • API Request to public endpoint configured in Cloud API Management (Control Center): https://api.acme.com/aladdapi

  • API Inbound Region Code Header: HTTP-REQUEST-REGION-KEY:FR

  • Data to make available for pre-processing (Normal flow)

    regionCodeHeader: HTTP-REQUEST-REGION-KEY 

    regionCodeValue: {"FR":"https://uki.acme-travel.com:9001/fr/userinfo", 

    "US": "https://uki.acme-travel.com:9001/en/userinfo", 

    "DE": "https://uki.acme-travel.com:9001/de/userinfo"} 

    defaultURI: https://uki.acme-travel.com/en/userinfo

Sample curl call without region code header

curl -i -v -H 'Host:localapi.localproxy.mashery.com' 'http://localhost:8080/aladdapi?api_key=key'

In this case API request is sent to the UserInfo endpoint "https://uki.acme-travel.com/en/userinfo" for OIDC token validation.

Sample curl call with region code header

curl -i -v -H 'Host:localapi.localproxy.mashery.com' 'http://localhost:8080/aladdapi?api_key=key' -H 'HTTP-REQUEST-REGION-KEY:FR'

In this case API request is sent to the UserInfo endpoint "https://uki.acme-travel.com:9001/fr/userinfo" for OIDC token validation.

Configuration Steps

Refer to the Configuring Call Transformation for an Endpoint for more information on the configuration steps.

On this Page