Generic OAuth2

Use this Policy to authenticate a client by delegating the authentication to an OAuth2 provider. When applied, a request that does not contain any credentials for a the other authentication policies (such as API Key), is authenticated using this policy. The client is redirected to the OAuth provider to start the authentication flow. Once the flow completes and the access token is obtained, the policy uses it to perform one or more requests to get information about the user, such as the ID and assigned role. Finally, a session cookie is returned to the client, and the client is redirected back to the requested URL. Subsequent requests authenticate based on the session cookie instead of repeating the OAuth flow. This implementation is based on the authorization code flow from Okta.

Authentication Policy Requirement

All Authentication policies require the Authorize By Role policy to authenticate the API caller correctly. For example, you can configure this policy to add the role “admin” to the client and then configure the Authorize By Role policy to authorize users with that role.

Policy Execution Order

The Generic OAuth2 policy executes after the other authentication policies, specifically those whose mechanisms are based on the client providing a token in the request, like the API Key or Callout Authenticator policies.


Expression Enabled Fields in API Policies

All expression enabled fields take expressions from the SnapLogic Expression Language and the API Policy Manager functions.

Parameter NameDescriptionDefault ValueExample
LabelRequired. The name for the API policy.Generic OAuth2GitHub OAuth 2.0 Policy
When this policy should be applied

An expression enabled field that determines the condition to be fulfilled for the API policy to execute.

For example, if the value in this field is request.method == "POST", the API policy is executed only if the request method is a POST.

N/Arequest.method == “POST”

Login URL

Required. The OAuth2 provider’s login URL that starts the flow.

N/A

https://github.com/login/oauth/authorize

Required Scopes

Required. The list of OAuth2 scopes required to get information about a user. See OAuth 2.0 Scopes for details. Click + to add scopes.

N/AN/A
Scope

The name of the OAuth2 scope. 

N/A

user

token

session

Access Token URL

Required. The OAuth2 provider’s access token URL. The response from this token URL will be stored in $token and can be referenced in User Info URL below.

N/A

https://github.com/login/oauth/access_token

Client ID

Required. The ID of the application registered with the OAuth2 provider.

N/Ajdoe@beignet.com

Client Secret

Required. The client secret for the application registered with the OAuth2 provider.

N/AchocolatE

Redirect URI

The URI of the Snaplex load-balancer appended with /api/1/rest/oauth2/callback

N/Ahttps://groundplex.example.com/api/1/rest/oauth2/callback

User Info URL #1-2

These sections describe the HTTP GET requests this API policy should make to get information about a user.

User Info URL #2 is optional.

N/AN/A

Target Path

The location to store the result of the request in the working object as a JSON-Path.

If you leave this field blank, the URL is not called.

N/A$user
URL

The destination for the request.

N/A

https://idp.example.com/user

https://api.github.com/user

Query Parameters

The query parameters (name and value) to add into the URL.

N/AN/A
Headers

The headers (name and value) to include in the request.

N/A

Authorization

Response Handler

Specifies how the request's response must be handled. 

N/A
match response
 
{
       { statusCode: 200..<300, entity } => Result.ok(entity),
       { statusCode: 401|404 } => Result.ignore(),
       { status } => Result.err(status),
       _ => Result.err('Invalid response: ' + response.toString())
 
}

Extract User Info

Required. Specifies how to extract information about the user from the working object.

N/AN/A

User ID Expression

Required. An expression that returns a string to be used as the user ID.

N/A $user.email

Roles Expression

Required. An expression that returns the list of roles this user is in.

N/A$user.groups.map(group => group.name)
Session: Time-To-Live in Seconds

Required. The number of seconds for which the session is active. 


8640090000
OAuth State: Time-To-Live in Seconds

Required. The number of seconds for which the Oauth state is active. 

This field will not be functional until the 4.27 release in November 2021.

3001000
Status

Specifies whether the API policy is enabled or disabled. 

EnabledDisabled

Session Management

The OAuth2.0 API Policy might require consideration for active session management from an administrative point of view.  A network issue or company policy might necessitate overriding the Time-to-Live settings. For this purpose, the following APIs allow a SnapLogic Org admin the ability to list session details and delete sessions as needed:

PurposeAPI Call
List all sessionsGET <Load_Balancer>/<JCC_Host>/api/1/rest/policy/session
List a specific sessionGET <Load_Balancer>/<JCC_Host>/api/1/rest/policy/session/<Session_Id>
Delete a specific sessionDEL <Load_Balancer>/<JCC_Host>/api/1/rest/policy/session/<Session_Id>
Delete all sessionsDEL <Load_Balancer>/<JCC_Host>/api/1/rest/policy/session


These APIs do not apply to the Time-To-Live settings in the Callout Authenticator API policy.