Authenticates requests from users registered in an existing identity provider.
Authentication Policy Requirement
All Authentication policies require the Authorize By Role policy to authenticate the API caller correctly. For example, you can configure this policy to add the role “admin” to the client and then configure the Authorize By Role policy to authorize users with that role.
Expression Enabled Fields in API Policies All expression enabled fields take expressions from the SnapLogic Expression Language and the API Policy Manager functions.
Parameter Name | Description | Default Value | Example |
---|---|---|---|
Label | Required. The name for the API policy. | Generic OAuth2 | GitHub OAuth 2.0 Policy |
When this policy should be applied | An expression enabled field that determines the condition to be fulfilled for the API policy to execute. For example, if the value in this field is request.method == "POST", the API policy is executed only if the request method is a POST. | N/A | request.method == “POST” |
Login URL | Required. The OAuth2 provider’s login URL that starts the flow. | N/A | |
Required Scopes | Required. The list of OAuth2 scopes required to get information about a user. See OAuth 2.0 Scopes for details. Click + to add scopes. | N/A | N/A |
Scope | The name of the OAuth2 scope. | N/A | user token session |
Access Token URL | Required. The OAuth2 provider’s access token URL. | N/A | |
Client ID | Required. The ID of the application registered with the OAuth2 provider. | N/A | jdoe@beignet.com |
Client Secret | Required. The client secret for the application registered with the OAuth2 provider. | N/A | chocolatE |
Redirect URI | The URI of the Snaplex load-balancer appended with | N/A | https://groundplex.example.com/api/1/rest/oauth2/callback |
User Info URL #1-2 | These sections describe the HTTP GET requests this API policy should make to get information about a user. User Info URL #2 is optional. | N/A | N/A |
Target Path | The location to store the result of the request in the working object as a JSON-Path. If you leave this field blank, the URL is not called. | N/A | $user |
URL | The destination for the request. | N/A | |
Query Parameters | The query parameters (name and value) to add into the URL. | N/A | N/A |
Headers | The headers (name and value) to include in the request. | N/A | Authorization |
Response Handler | Specifies how the request's response must be handled. | N/A | match response { { statusCode: 200..<300, entity } => Result.ok(entity), { statusCode: 401|404 } => Result.ignore(), { status } => Result.err(status), _ => Result.err( 'Invalid response: ' + response.toString()) } |
Extract User Info | Required. Specifies how to extract information about the user from the working object. | N/A | N/A |
User ID Expression | Required. An expression that returns a string to be used as the user ID. | N/A | $user.email |
Roles Expression | Required. An expression that returns the list of roles this user is in. | N/A | $user.groups.map(group => group.name) |
Time-To-Live in Seconds | Required. The number of seconds for which the session is active. | 86400 | 90000 |
Status | Specifies whether the API policy is enabled or disabled. | Enabled | Disabled |
Session Management
The OAuth2.0 API Policy might require consideration for active session management from an administrative point of view. A network issue or company policy might necessitate overriding the Time-to-Live settings. For this purpose, the following APIs allow a SnapLogic Org admin the ability to list session details and delete sessions as needed:
Purpose | API Call |
---|---|
List all sessions | GET <Load_Balancer>/<JCC_Host>/api/1/rest/policy/session |
List a specific session | GET <Load_Balancer>/<JCC_Host>/api/1/rest/policy/session/<Session_Id> |
Delete a specific session | DEL <Load_Balancer>/<JCC_Host>/api/1/rest/policy/session/<Session_Id> |
Delete all sessions | DEL <Load_Balancer>/<JCC_Host>/api/1/rest/policy/session |
These APIs do not apply to the Time-To-Live settings in the Callout Authenticator API policy.