This page provides the technical details of the Generic OAuth2 Authorization Server resource.
The Generic OAuth2 Authorization Server resource is defined to introspect an access_token
generated by a generic OAuth2 authorization server.
This resource integrates with common authorization servers by providing a comprehensive configuration with which to apply token introspection.
The following is the compatibility matrix for APIM and the Generic OAuth2 Authorization Server resource:
| Plugin version | APIM version |
|---|---|
| 2.x+ | 3.18.x+ |
| 1.16.x+ | 3.10.x to 3.17.x |
| Up to 1.15.x | Up to 3.9.x |
This resource can be configured with the following options:
| Property | Required | Description | Type | Default |
|---|---|---|---|---|
| introspectionEndpoint | X | The URL which is used by the resource to introspect an incoming access token. | string | - |
| useSystemProxy | X | Use the system proxy. | boolean | false |
| introspectionEndpointMethod | X | HTTP method used to introspect the access token. | HTTP Method | GET |
| clientId | X | The client identifier. | string | - |
| clientSecret | X | The client secret. | string | - |
| useClientAuthorizationHeader | - | To prevent token scanning attacks, the endpoint MUST also require some form of authorization to access this endpoint. In this case we are using an HTTP header for client authentication. | boolean | true |
| clientAuthorizationHeaderName | - | Authorization header. | string | Authorization |
| clientAuthorizationHeaderScheme | - | Authorization scheme. | string | Basic |
| tokenIsSuppliedByQueryParam | - | Access token is passed to the introspection endpoint using a query parameter. | boolean | true |
| tokenQueryParamName | - | Query parameter used to supply the access token. | string | token |
| tokenIsSuppliedByHttpHeader | - | Access token is passed to the introspection endpoint using an HTTP header. | boolean | false |
| tokenHeaderName | - | HTTP header used to supply the access token. | string | - |
Example configuration:

```json
{
  "configuration": {
    "introspectionEndpoint": "https://my_authorization_server/oauth/check_token",
    "introspectionEndpointMethod": "POST",
    "clientAuthorizationHeaderName": "Authorization",
    "clientAuthorizationHeaderScheme": "Basic",
    "clientId": "my-client",
    "clientSecret": "f2ddb55e-30b5-4a45-9db5-5e30b52a4574",
    "tokenIsSuppliedByHttpHeader": false,
    "tokenIsSuppliedByQueryParam": true,
    "tokenQueryParamName": "token",
    "useClientAuthorizationHeader": true
  }
}
```
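To make the option table concrete, the following added example (not the resource's own code, nor any Gravitee API) shows how the options above map onto an introspection request, and how an RFC 7662 introspection response is evaluated. The access token value, the `small` test configuration and the sample responses are constructed; the configuration dictionary is the one from this page.

```python
import base64
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Resource configuration copied from this page (placeholder server and secret).
PAGE_CONFIG = {
    "introspectionEndpoint": "https://my_authorization_server/oauth/check_token",
    "introspectionEndpointMethod": "POST",
    "clientAuthorizationHeaderName": "Authorization",
    "clientAuthorizationHeaderScheme": "Basic",
    "clientId": "my-client",
    "clientSecret": "f2ddb55e-30b5-4a45-9db5-5e30b52a4574",
    "tokenIsSuppliedByHttpHeader": False,
    "tokenIsSuppliedByQueryParam": True,
    "tokenQueryParamName": "token",
    "useClientAuthorizationHeader": True,
}

def build_introspection_request(config, access_token):
    """Translate the resource options into the request sent to the introspection endpoint."""
    method = config.get("introspectionEndpointMethod", "GET").upper()
    url = config["introspectionEndpoint"]
    headers = {}
    if config.get("useClientAuthorizationHeader", True):
        # Client authentication header: "<scheme> base64(clientId:clientSecret)".
        creds = base64.b64encode(f'{config["clientId"]}:{config["clientSecret"]}'.encode()).decode()
        scheme = config.get("clientAuthorizationHeaderScheme", "Basic")
        headers[config.get("clientAuthorizationHeaderName", "Authorization")] = f"{scheme} {creds}"
    if config.get("tokenIsSuppliedByQueryParam", True):
        # Token in the query string: note that it may end up in proxy and server access logs.
        parts = urlsplit(url)
        query = parse_qsl(parts.query) + [(config.get("tokenQueryParamName", "token"), access_token)]
        url = urlunsplit(parts._replace(query=urlencode(query)))
    if config.get("tokenIsSuppliedByHttpHeader", False):
        headers[config["tokenHeaderName"]] = access_token
    return {"method": method, "url": url, "headers": headers}

def evaluate_introspection(response_body, now):
    """Apply RFC 7662 semantics: accept only an active, unexpired token."""
    try:
        claims = json.loads(response_body)
    except ValueError:
        return False, "introspection response is not valid JSON"
    if claims.get("active") is not True:
        return False, "token inactive"  # revoked, expired or unknown to the authorization server
    exp = claims.get("exp")
    if isinstance(exp, (int, float)) and now >= exp:
        return False, "token expired"
    return True, "token accepted"
```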