...
Parameter Name | Description | Default Value | Example |
---|---|---|---|
Label | Required. The name for the API policy. | OAuth2 Client Credential | GitHub OAuth 2.0 Policy |
When this policy should be applied | An expression enabled field that determines the condition to be fulfilled for the API policy to execute. For example, if the value in this field is request.method == "POST", the API policy is executed only if the request method is a POST. | N/A | request.method == “POST” |
Introspection Endpoint | Required. The mechanism for client servers to obtain information about the access token. The response from this token introspection endpoint will be stored in $response and can be referenced in User ID Expression and Roles Expression. | N/A | https://auth.pingone.com/2f6b6ab3-1fa7-4a7d-ba4d-00dbebd6d056/as/introspect |
Client ID | Required. The ID of the application registered with the OAuth2 provider. | N/A | jdoe@beignet.com |
Client Secret | Required. The client secret for the application registered with the OAuth2 provider. You can also reference a secret from a 3rd-party Secrets Manager vendor by entering an expression. | N/A | chocolatE |
Extract into $token | Required. Specifies the location to find the key in the request. If one of the given locations is not found, this API policy will pass the request through to the next API policy. | N/A | N/A |
Custom Header Keys | The names of the headers that can contain the key. If more than one header is given, they will all be checked. Click + to add more custom header keys. | N/A | X-API-Key |
Custom Query String Parameter | The names of the query parameters that can contain the key. If more than one name is given, they will all be checked. Click + to add more custom query string parameters. | N/A | access_token |
Authorization Type | If the key is in the Authorization header, this value is used as the “type” to check. | Token | Key |
Extract User Info | Required. Specifies how to extract information about the user from the working object. | N/A | N/A |
User ID Expression | Required. An expression that returns a string to be used as the user ID. | N/A | $response.email |
Roles Expression | Required. An expression that returns the list of roles this user is in. | N/A | $response.groups.map(group => group.name) |
Time-To-Live in Seconds | Required. The number of seconds the token is valid for before it is re-validated. | 600 (10 minutes) | 700 |
Status | Specifies whether the API policy is enabled or disabled. | Enabled | Disabled |
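The table above describes the policy declaratively. The JavaScript below is an illustration added here, not SnapLogic's own implementation, that walks through the same steps as runnable code: extracting the token from the configured locations (custom header, custom query parameter, then the Authorization header with the configured type), building the RFC 7662 introspection request authenticated with the policy's client credentials, caching the verdict for the Time-To-Live, and evaluating the User ID and Roles expressions from the table against `$response`. The policy settings, introspection endpoint, client ID and secret, and the introspection responses are constructed placeholders, and the network call is injected as a function so the example runs offline.

```javascript
// Added illustration of the OAuth 2.0 Client Credentials policy flow; not SnapLogic code.
// Assumed: the introspection endpoint returns RFC 7662 JSON, and the policy's expression
// language is evaluated here as plain JavaScript against an object named $response.

const POLICY = {
  customHeaderKeys: ["X-API-Key"],      // "Custom Header Keys"
  customQueryParams: ["access_token"],  // "Custom Query String Parameter"
  authorizationType: "Token",           // "Authorization Type"
  ttlSeconds: 600,                      // "Time-To-Live in Seconds"
  clientId: "example-client-id",        // constructed placeholder
  clientSecret: "example-secret",       // constructed placeholder
  introspectionEndpoint: "https://issuer.example/as/introspect", // constructed placeholder
};

function lowercaseKeys(obj) {
  return Object.fromEntries(Object.entries(obj).map(([k, v]) => [k.toLowerCase(), v]));
}

// "Extract into $token": custom headers first, then query parameters, then the Authorization
// header with the configured type. null means "not found"; the policy then passes the request
// through to the next policy instead of rejecting it.
function extractToken(request, policy = POLICY) {
  const headers = lowercaseKeys(request.headers || {});
  for (const name of policy.customHeaderKeys) {
    const v = headers[name.toLowerCase()];
    if (v) return v;
  }
  const url = new URL(request.url, "http://localhost");
  for (const name of policy.customQueryParams) {
    const v = url.searchParams.get(name);
    if (v) return v;
  }
  const auth = headers["authorization"];
  if (auth) {
    const parts = auth.trim().split(/\s+/);
    if (parts.length === 2 && parts[0].toLowerCase() === policy.authorizationType.toLowerCase()) {
      return parts[1];
    }
  }
  return null;
}

// The request the gateway would send to the Introspection Endpoint (RFC 7662 section 2.1):
// a form-encoded POST authenticated with the policy's client credentials.
function buildIntrospectionRequest(token, policy = POLICY) {
  const basic = Buffer.from(`${policy.clientId}:${policy.clientSecret}`).toString("base64");
  return {
    method: "POST",
    url: policy.introspectionEndpoint,
    headers: {
      Authorization: `Basic ${basic}`,
      "Content-Type": "application/x-www-form-urlencoded",
    },
    body: new URLSearchParams({ token }).toString(),
  };
}

// "Extract User Info": the two expressions from the table, evaluated against $response.
function extractUserInfo($response) {
  return {
    userId: $response.email,
    roles: $response.groups.map(group => group.name),
  };
}

// The whole policy. `introspect` performs the network call (injected so this runs offline),
// `cache` keeps verdicts until the TTL elapses, and `nowMs` is injected for testability.
function applyPolicy(request, introspect, cache, nowMs, policy = POLICY) {
  const token = extractToken(request, policy);
  if (token === null) return { outcome: "pass-through" };

  let entry = cache.get(token);
  if (!entry || entry.expiresAt <= nowMs) {
    const $response = introspect(buildIntrospectionRequest(token, policy));
    entry = { $response, expiresAt: nowMs + policy.ttlSeconds * 1000 };
    cache.set(token, entry);
  }
  // RFC 7662: an inactive token is invalid regardless of any other claims in the response.
  if (entry.$response.active !== true) return { outcome: "denied" };
  return { outcome: "allowed", ...extractUserInfo(entry.$response) };
}

// Constructed introspection responses standing in for a real authorization server.
const FAKE_INTROSPECTION = {
  "good-token": { active: true, email: "jdoe@example.com", groups: [{ name: "staff" }, { name: "admins" }] },
  "revoked-token": { active: false },
};

// Returns a fake introspection function that also counts how often it was called,
// which makes the TTL caching observable.
function makeFakeIntrospect() {
  const fn = (req) => {
    fn.calls += 1;
    const token = new URLSearchParams(req.body).get("token");
    return FAKE_INTROSPECTION[token] || { active: false };
  };
  fn.calls = 0;
  return fn;
}
```

Two behaviours are worth noticing when running it. A request with no token in any configured location returns `pass-through`, not `denied`, so this policy only establishes identity and must be followed by an Authorization by Role policy to actually block anonymous callers. And because the verdict is cached for the TTL, a token revoked at the authorization server keeps being accepted until the cached entry expires, which is the trade-off the Time-To-Live field sets.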
...
Parameter Name | Field Type | Example |
---|---|---|
Label* | String | SnapLogic OAuth2 Policy |
When this policy should be applied | String/Expression | request.method == "POST" |
Introspection Endpoint* | String/Expression | https://auth.pingone.asia/92888efd-6423-4f73-9523-ae8fa6c99cee/as/introspect |
Client ID* | String/Expression | 0a781dd3-744c-4795-924d-b72b71c93a5f |
Client Secret* | String/Expression | OwPmby3VbPpMJjKG5vXG4QciClg2xZw6oXnrXvDufRBIgbOHK5-PXvlLg0ml.DDG |
Extract into $token* | N/A | |
Custom Header Key | String/Expression | X-API-Key |
Custom Query String Parameter | String/Expression | query |
Authorization Header Type | String | token |
Extract User Info* | N/A | |
User ID Expression* | String/Expression | User |
Roles Expression* | String/Expression | staff |
Time-To-Live in Seconds* | String/Expression | 600 (10 minutes) |
Status | Dropdown List | Enabled |
...
Example to Configure the OAuth 2.0 Client Credentials API Policy with Okta Developer
Prerequisites
Apply Authorization by Role Policy
Verified Authentication Providers for this Policy, such as Okta verified.
Example Workflow with Ping Identity Authentication Provider
Info |
---|
The OAuth 2.0 Client Credentials Policy is typically used in machine-to-machine authentication scenarios where no human user is involved. |
You can use Okta Developer for the authentication process:
Set up the application in Okta Developer to obtain the Client Credentials and the Introspection Endpoint:
Click Security > API in the navigation pane to obtain the Token Introspection Endpoint.
Click the name of the application under Authorization Server:
Click the Metadata URI:
Copy the Introspection Endpoint:
Use the obtained Client Credentials and Token Introspection Endpoint in the Policy setup:
Field names with an '*' (Asterisk symbol) are mandatory.
Parameter Name | Field Type | Example |
---|---|---|
Label* | String | SnapLogic OAuth2 Policy |
When this policy should be applied | String/Expression | request.method == "POST" |
Introspection Endpoint* | String/Expression | |
Client ID* | String/Expression | 0oakeaf20qp2LLnSg5d7 |
Client Secret* | String/Expression | xwj3dlqhtVLr42qb_45xLBlOtuR6OMY-nexh_12QwckvXs2p2nG6EfgGfTAa9FK8 |
Extract into $token* | N/A | |
Custom Header Key | String/Expression | X-API-Key |
Custom Query String Parameter | String/Expression | query |
Authorization Header Type | String | token |
Extract User Info* | N/A | |
User ID Expression* | String/Expression | User |
Roles Expression* | String/Expression | staff |
Time-To-Live in Seconds* | String/Expression | 600 (10 minutes) |
Status | Dropdown List | Enabled |
See Also