Overview of OIDC Token Authentication Connector

Release Notes

Release date: October 29, 2020
Release type: New Feature
Release description:

  • Support for securing APIs in API Management using an ID token issued by a third-party OIDC identity provider (IDP).

  • Ability to configure up to ten UserInfo endpoints per service endpoint for ID token validation against any third-party OIDC IDP.

  • Conditional selection of the UserInfo endpoint based on incoming request metadata, for geo-distributed API services.

  • Ability to enrich the API request headers with user metadata returned after successful ID validation.

  • Strict case-sensitive handling of the GET and POST methods used to call the third-party OAuth 2.0 authorization server's UserInfo endpoint. HTTP methods are case-sensitive under RFC 7231, and the connector sends them exactly as configured.

  • Support for the configurable parameter enable_error_set, which controls the error response code sent by API Management:

    If enable_error_set is "true", API Management responds with ERR_403_NOT_AUTHORIZED, a Gateway-supported error message. The HTTP response status code and status text from the connector are then overridden by the error set defined for that endpoint in the API Management Control Center. This override applies only to errors raised by the Mashery Connector itself; if the error originates from the third-party OpenID IDP, no override is performed.

    If enable_error_set has any value other than "true", the Mashery Connector's existing behaviour is unchanged: it responds with ERR_401_UNAUTHORIZED when the backend server returns a 401 response code for an unauthorized call.

    The value "true" is matched case-insensitively.

  • Support for UserInfo error responses on error conditions as defined in the OAuth 2.0 Bearer Token Usage specification (RFC 6750).

Description

This feature enables securing APIs behind Cloud API Management using a third-party OIDC IDP-based ID token.

  • The Connector validates third-party OIDC ID tokens for authentication and allows calls to the backend API only after successful validation.

  • Multiple validation endpoints can be configured, one distinct endpoint per region, to support a geo-distributed OAuth 2.0 authorization server.

  • Supports enriching the header with values from the validation endpoint JSON response on successful validation before forwarding the request to the backend server.

  • The connector provides a configurable capability to block/forward the HTTP Authorization header to the backend API server.

  • Supports JSONPath expressions to locate values in the JSON response (UserInfo endpoint) from the Authorization server, which need to be injected into the header before forwarding to the backend server.

  • Supports pre-processing of the user or client information returned by the validation endpoint to influence API behavior in Cloud API Management.
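The following is an added example, not code from this page or from TIBCO's connector. It simulates the request flow described in the bullets above (bearer token extraction, region-based UserInfo endpoint selection, JSONPath-driven header enrichment, blocking or forwarding the Authorization header) together with the enable_error_set behaviour from the release notes (override only for errors raised by the connector, never for errors returned by the IDP). Everything concrete in it is an assumption made for the demo: the region-keyed endpoint map, the X-Region metadata header, the constructed UserInfo responses, and a small dotted-path resolver that stands in for a full JSONPath library.

```python
"""Simulated request flow for an OIDC ID-token validating connector.

Added illustration, not TIBCO's connector code. Assumed for the demo: the
region-keyed UserInfo endpoint map, the X-Region header, the enrichment rules,
the dotted-path resolver standing in for JSONPath, and the constructed
UserInfo responses below.
"""
import json
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ERR_401 = (401, "ERR_401_UNAUTHORIZED")


@dataclass
class ConnectorConfig:
    userinfo_endpoints: Dict[str, str]   # region -> UserInfo URL; "default" is the fallback
    header_enrichment: Dict[str, str]    # header name -> JSONPath expression on the UserInfo JSON
    forward_authorization: bool = False  # block (False) or forward (True) the Authorization header
    enable_error_set: str = "false"      # "true" (case-insensitive) enables the error-set override
    error_set_403: Tuple[int, str] = (403, "ERR_403_NOT_AUTHORIZED")  # Control Center error set (assumed)


def bearer_token(headers: Dict[str, str]) -> Optional[str]:
    """Extract the b64token from 'Authorization: Bearer <token>' (RFC 6750 syntax)."""
    m = re.fullmatch(r"(?i:bearer)\s+([A-Za-z0-9\-._~+/]+=*)", headers.get("Authorization", ""))
    return m.group(1) if m else None


def select_userinfo_endpoint(cfg: ConnectorConfig, headers: Dict[str, str]) -> str:
    """Conditional pickup of the UserInfo endpoint from request metadata (geo-distributed IDP)."""
    region = headers.get("X-Region", "").lower()
    return cfg.userinfo_endpoints.get(region) or cfg.userinfo_endpoints["default"]


def resolve_path(doc, path: str):
    """Tiny JSONPath subset ('$', '.key', '[n]'); a stand-in for a real JSONPath library.
    Returns None when any step is missing, so enrichment skips absent claims."""
    if not path.startswith("$"):
        raise ValueError("JSONPath must start with '$'")
    cur = doc
    for key, idx in re.findall(r"\.([A-Za-z_][A-Za-z0-9_]*)|\[(\d+)\]", path[1:]):
        if key:
            if not isinstance(cur, dict) or key not in cur:
                return None
            cur = cur[key]
        else:
            if not isinstance(cur, list) or int(idx) >= len(cur):
                return None
            cur = cur[int(idx)]
    return cur


def map_error(cfg: ConnectorConfig, origin: str, upstream_status: int) -> Tuple[int, str]:
    """origin is 'connector' (error raised by the connector itself) or 'idp' (IDP response)."""
    if origin == "connector" and cfg.enable_error_set.strip().lower() == "true":
        return cfg.error_set_403               # overridden by the endpoint's error set
    if upstream_status == 401:
        return ERR_401                         # existing behaviour for unauthorized calls
    return (upstream_status, "ERR_UPSTREAM")   # other IDP errors pass through (assumption)


def handle_request(cfg, headers, fetch_userinfo):
    """Return (status, reason, headers_to_forward); fetch_userinfo(url, token) -> (status, json)."""
    token = bearer_token(headers)
    if token is None:                          # raised by the connector: eligible for override
        return (*map_error(cfg, "connector", 401), None)
    status, body = fetch_userinfo(select_userinfo_endpoint(cfg, headers), token)
    if status != 200:                          # raised by the IDP: never overridden
        return (*map_error(cfg, "idp", status), None)
    fwd = {k: v for k, v in headers.items()
           if cfg.forward_authorization or k.lower() != "authorization"}
    for name, path in cfg.header_enrichment.items():
        value = resolve_path(body, path)
        if value is not None:
            fwd[name] = value if isinstance(value, str) else json.dumps(value)
    return 200, "OK", fwd


# Constructed UserInfo responses standing in for two regional IDP endpoints.
FAKE_USERINFO = {
    "https://idp.eu.example/userinfo": {"good-eu": {"sub": "u-42", "address": {"country": "DE"}, "groups": ["admins"]}},
    "https://idp.us.example/userinfo": {"good-us": {"sub": "u-7", "address": {"country": "US"}, "groups": []}},
}


def fake_fetch(url: str, token: str):
    body = FAKE_USERINFO.get(url, {}).get(token)
    return (200, body) if body is not None else (401, None)


DEMO_CFG = ConnectorConfig(
    userinfo_endpoints={"eu": "https://idp.eu.example/userinfo",
                        "us": "https://idp.us.example/userinfo",
                        "default": "https://idp.us.example/userinfo"},
    header_enrichment={"X-User-Sub": "$.sub", "X-User-Country": "$.address.country",
                       "X-User-Groups": "$.groups"},
    enable_error_set="TRUE",
)

if __name__ == "__main__":
    print(handle_request(DEMO_CFG, {"Authorization": "Bearer good-eu", "X-Region": "eu"}, fake_fetch))
    print(handle_request(DEMO_CFG, {"Authorization": "Basic abc"}, fake_fetch))
    print(handle_request(DEMO_CFG, {"Authorization": "Bearer bogus", "X-Region": "eu"}, fake_fetch))
```

Note the two distinct error paths: a request with no usable bearer token never reaches the IDP, so the connector raises the error itself and the error-set override applies; a 401 from the UserInfo endpoint is an IDP error and surfaces as ERR_401_UNAUTHORIZED regardless of enable_error_set. Non-string claims (the groups array) are serialised as JSON before being placed in a header, and the Authorization header is dropped from the forwarded set unless forward_authorization is enabled.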
