Generic OAuth2 Authorization Server resource is defined to introspect an access_token generated by a generic OAuth2 authorization server.
This resource should be able to handle common authorization server from the market by providing a complete configuration about the way to apply token introspection.
| Plugin version | APIM version |
|---|---|
2.x and upper |
3.18.x to latest |
1.16.x and upper |
3.10.x to 3.17.x |
Up to 1.15.x |
Up to 3.9.x |
You can configure the resource with the following options :
| Property | Required | Description | Type | Default |
|---|---|---|---|---|
introspectionEndpoint |
X |
The URL which is used by the resource to introspect an incoming access token. |
string |
- |
useSystemProxy |
X |
Use system proxy. |
boolean |
false |
introspectionEndpointMethod |
X |
HTTP method used to introspect the access token. |
HTTP Method |
GET |
clientId |
- |
The client identifier. |
string |
- |
clientSecret |
- |
The client secret. |
string |
- |
useClientToken |
- |
Use client access token instead of client secret and client id. |
boolean |
false |
clientToken |
- |
The client access token used for token introspection. |
string |
- |
useClientAuthorizationHeader |
- |
To prevent token scanning attacks, the endpoint MUST also require some form of authorization to access this endpoint. In this case we are using an HTTP header for client authentication. |
boolean |
true |
clientAuthorizationHeaderName |
- |
Authorization header. |
string |
Authorization |
clientAuthorizationHeaderScheme |
- |
Authorization scheme. |
string |
Basic |
tokenIsSuppliedByQueryParam |
- |
Access token is passed to the introspection endpoint using a query parameter. |
boolean |
true |
tokenQueryParamName |
- |
Query parameter used to supply access token. |
string |
token |
tokenIsSuppliedByHttpHeader |
- |
Access token is passed to the introspection endpoint using an HTTP header. |
boolean |
false |
tokenHeaderName |
- |
HTTP header used to supply access token. |
string |
- |
{
"configuration": {
"introspectionEndpoint": "https://my_authorization_server/oauth/check_token",
"introspectionEndpointMethod": "POST",
"clientAuthorizationHeaderName": "Authorization",
"clientAuthorizationHeaderScheme": "Basic",
"clientId": "my-client",
"clientSecret": "f2ddb55e-30b5-4a45-9db5-5e30b52a4574",
"useClientToken": false,
"clientToken": "",
"tokenIsSuppliedByHttpHeader": false,
"tokenIsSuppliedByQueryParam": true,
"tokenQueryParamName": "token",
"useClientAuthorizationHeader": true
}
}{
"configuration": {
"introspectionEndpoint": "https://my_authorization_server/oauth/check_token",
"introspectionEndpointMethod": "POST",
"clientAuthorizationHeaderName": "Authorization",
"clientAuthorizationHeaderScheme": "Bearer",
"clientId": "",
"clientSecret": "",
"useClientToken": true,
"clientToken": "your-bearer-token",
"tokenIsSuppliedByHttpHeader": false,
"tokenIsSuppliedByQueryParam": true,
"tokenQueryParamName": "token",
"useClientAuthorizationHeader": true
}
}