Callout Authenticator
- John Brinckwirth
- Rachana Mannath (Deactivated)
- Amritesh Singh
- Kendy Li
On this page
Overview
Use this policy to authenticate a client by calling out to a REST service that validates a token found in the request and then gets information about the user. This policy is an alternative to the other authentication policies. Multiple HTTP request methods are supported in the September 2023 release.
Policy Execution Order
The Callout Authenticator policy executes after early-stage request validation policies, like IP Restriction.
Authentication Policy Requirement
All Authentication policies require the Authorize By Role policy to authenticate the API caller correctly. For example, you can configure this policy to add the role “admin” to the client and then configure the Authorize By Role policy to authorize users with that role.
Settings
Parameter Name | Description | Default Value | Example |
|---|---|---|---|
Label | Required. The name for the API policy. | Callout Authenticator | My_Auth |
When this policy should be applied | An expression-enabled field that determines the condition to be fulfilled for the API policy to execute. For example, if the value in this field is request.method == "POST", the API policy is executed only if the request method is a POST. | N/A | request.method == "POST" |
Extract into $token | Required. Specifies the location to find the key in the request. If one of the given locations is not found, this API policy will pass the request through to the next API policy. | N/A | N/A |
Custom Header Keys | The names of the headers that can contain the key. If more than one header is given, they will all be checked. Click + to add more custom header keys. | N/A | N/A |
Key | The name of the custom header key. | N/A | X-Token |
Custom Query String Parameters | The names of the query parameters that can contain the key. If more than one name is given, they will all be checked. Click + to add more custom query string parameters. | N/A | N/A |
Key | The name of the custom query string parameter. | N/A | token |
Authorization Header Type | If the key is in the Authorization header, this value is used as the “type” to check. | token | N/A |
Callout Request #1-4 | Required. These sections describe the HTTP GET requests this API policy should make to validate the token and get information about a user. Client Request #2 is optional.
| N/A | N/A |
HTTP Method | Select one of the following HTTP methods:
| GET | POST |
Trust all certificates |
Enabling this option bypasses the certificate validation process. The request will successfully proceed if the upstream URL provides an invalid certificate (expired or self-assigned) during the SSL handshake. | False/Not selected | N/A |
Request Body | The contents of the request that is sent to the client. Click to select a function from the dropdown menu. | N/A | {
"description" : "test message",
"required" : "true"
}
|
Target Path | The location to store the result of the request in the working object, as a JSON-Path. If you leave this field blank, the URL is not called.
| N/A | $user |
URL | The destination for the request. | N/A | https://idp.example.com/validate |
Query Parameters | The query parameters to add into the URL. Click + to add more query parameters. | N/A | ?src=encode |
Headers | The headers to include in the request. Click + to add more headers. | N/A | x-content-type |
Response Handler | Specifies how the request's response must be handled. | N/A | N/A |
Extract User Info | Required. Specifies how to extract information about the user from the working object. | N/A | N/A |
User ID Expression | An expression that returns a string to be used as the user ID. | N/A | $user.email |
Roles Expression | An expression that returns the list of roles this user is in. | N/A | $user.groups.map(group => group.name) |
Time-To-Live in Seconds | Required. The number of seconds for which the token is valid before it is re-validated. | 600 (10 minutes) | 700 |
Status | Specifies whether the API policy is enabled or disabled. | Enabled | Disabled |
Although this policy supports different HTTP request methods, the endpoint must support the method configured in the policy. For example, if you select PUT in this policy, but the endpoint does not support the PUT method, the API is not executed.
Troubleshooting
The Callout Authenticator policy logs information for debugging. You can retrieve errors from policy violations in the Snaplex JCC logs. From the logs, you can retrieve information about why a request failed and the time that lapsed between the time that the call was made and the request failed.
Consult your CSM to troubleshoot policy violation errors. You must be a System Administrator to access the Snaplex JCC logs.
Related Content
Have feedback? Email documentation@snaplogic.com | Ask a question in the SnapLogic Community
© 2017-2025 SnapLogic, Inc.