OAuth 2.0 Credentials

Overview

You can use this policy to authenticate API callers that present an access token issued in your OAuth 2.0 environment.

This implementation is based on the Client Credential flow from Okta.

Authentication Policy Requirement

All Authentication policies require the Authorize By Role policy to authenticate the API caller correctly. For example, you can configure this policy to add the role "admin" to the client and then configure the Authorize By Role policy to authorize users with that role.

Policy Execution Order

The OAuth 2.0 Client Credential policy executes after early stage request validation policies, like IP Restriction.

Expression Enabled Fields in API Policies

All expression-enabled fields accept expressions written in the SnapLogic Expression Language, including the API Policy Manager functions.

Parameters (Parameter Name, Description, Default Value, Example)

Label
  Description: Required. The name for the API policy.
  Default Value: OAuth2 Client Credential
  Example: GitHub OAuth 2.0 Policy

When this policy should be applied
  Description: An expression-enabled field that determines the condition to be fulfilled for the API policy to execute. For example, if the value in this field is request.method == "POST", the API policy is executed only if the request method is a POST.
  Default Value: N/A
  Example: request.method == "POST"

Introspection Endpoint
  Description: Required. The endpoint that client servers call to obtain information about the access token. The response from this token introspection endpoint is stored in $response and can be referenced in User ID Expression and Roles Expression.
  Default Value: N/A
  Example: https://auth.pingone.com/2f6b6ab3-1fa7-4a7d-ba4d-00dbebd6d056/as/introspect

Client ID
  Description: Required. The ID of the application registered with the OAuth2 provider.
  Default Value: N/A
  Example: jdoe@beignet.com

Client Secret
  Description: Required. The client secret for the application registered with the OAuth2 provider.
  Default Value: N/A
  Example: chocolatE

Extract into $token
  Description: Required. Specifies where to look for the key in the request. If the key is not found in any of the given locations, this API policy passes the request through to the next API policy.
  Default Value: N/A
  Example: N/A

  Custom Header Keys
    Description: The names of the headers that can contain the key. If more than one header is given, they are all checked. Click + to add more custom header keys.
    Default Value: N/A
    Example: X-API-Key

  Custom Query String Parameter
    Description: The names of the query parameters that can contain the key. If more than one name is given, they are all checked. Click + to add more custom query string parameters.
    Default Value: N/A
    Example: access_token

  Authorization Type
    Description: If the key is in the Authorization header, this value is used as the "type" (scheme) to check.
    Default Value: Token
    Example: Key

Extract User Info
  Description: Required. Specifies how to extract information about the user from the working object.
  Default Value: N/A
  Example: N/A

  User ID Expression
    Description: Required. An expression that returns a string to be used as the user ID.
    Default Value: N/A
    Example: $response.email

  Roles Expression
    Description: Required. An expression that returns the list of roles this user is in.
    Default Value: N/A
    Example: $response.groups.map(group => group.name)

Time-To-Live in Seconds
  Description: Required. The number of seconds the validated token is cached before it is re-validated against the introspection endpoint.
  Default Value: 600 (10 minutes)
  Example: 700

Status
  Description: Specifies whether the API policy is enabled or disabled.
  Default Value: Enabled
  Example: Disabled
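The following is an added example, not SnapLogic's code, that models the whole flow the table above configures: the "When this policy should be applied" condition, token extraction from custom headers, query string parameters and the Authorization header with the configured type, an RFC 7662 style introspection call authenticated with the policy's Client ID and Client Secret, the User ID and Roles expressions evaluated over $response, the Time-To-Live cache, and the Authorize By Role step. It assumes several things the page does not state: the SnapLogic expressions are represented by Python callables, the introspection endpoint is a constructed in-memory stand-in (with a placeholder URL) so the example runs offline, the cache is keyed by a hash of the token rather than the token itself, and a response without active=true is treated as a rejection.

```python
import base64
import hashlib
import time
import urllib.parse
from dataclasses import dataclass


@dataclass
class Request:
    method: str
    headers: dict
    query: dict


def extract_token(req, header_keys=(), query_params=(), auth_type="Token"):
    """'Extract into $token': custom headers first, then query string parameters,
    then the Authorization header whose scheme equals the Authorization Type.
    Returns None when nothing matches; the policy then passes the request through."""
    lower = {k.lower(): v for k, v in req.headers.items()}
    for name in header_keys:
        if lower.get(name.lower()):
            return lower[name.lower()]
    for name in query_params:
        if req.query.get(name):
            return req.query[name]
    scheme, _, value = lower.get("authorization", "").partition(" ")
    if scheme.lower() == auth_type.lower() and value.strip():
        return value.strip()
    return None


class OAuth2ClientCredentialPolicy:
    """Validates the extracted token at the introspection endpoint using the
    policy's own client credentials, derives user ID and roles from $response,
    and caches the result for ttl_seconds before re-validating."""

    def __init__(self, introspection_endpoint, client_id, client_secret,
                 user_id_expr, roles_expr, transport, header_keys=(),
                 query_params=(), auth_type="Token", ttl_seconds=600,
                 applies_when=lambda req: True, clock=time.time):
        self.endpoint = introspection_endpoint
        self.client_id, self.client_secret = client_id, client_secret
        self.user_id_expr, self.roles_expr = user_id_expr, roles_expr
        self.transport = transport      # callable(url, headers, body) -> parsed JSON dict
        self.header_keys, self.query_params = header_keys, query_params
        self.auth_type, self.ttl = auth_type, ttl_seconds
        self.applies_when, self.clock = applies_when, clock
        self._cache = {}                # sha256(token) -> (expires_at, user_id, roles)

    def _introspect(self, token):
        # RFC 7662 request: form-encoded token, client authenticated with HTTP Basic
        creds = base64.b64encode(f"{self.client_id}:{self.client_secret}".encode()).decode()
        headers = {"Authorization": "Basic " + creds,
                   "Content-Type": "application/x-www-form-urlencoded"}
        return self.transport(self.endpoint, headers, urllib.parse.urlencode({"token": token}))

    def apply(self, req):
        """Returns {'user_id', 'roles'} for an authenticated caller, or None when the
        policy does not apply, no token is present, or the token is not active."""
        if not self.applies_when(req):
            return None
        token = extract_token(req, self.header_keys, self.query_params, self.auth_type)
        if token is None:
            return None
        key = hashlib.sha256(token.encode()).hexdigest()   # do not keep raw tokens as keys
        now = self.clock()
        hit = self._cache.get(key)
        if hit and hit[0] > now:
            return {"user_id": hit[1], "roles": hit[2]}
        response = self._introspect(token)
        if not response.get("active"):    # assumption: anything but active=true is rejected
            self._cache.pop(key, None)
            return None
        user_id, roles = self.user_id_expr(response), list(self.roles_expr(response))
        self._cache[key] = (now + self.ttl, user_id, roles)
        return {"user_id": user_id, "roles": roles}


def authorize_by_role(identity, allowed_roles):
    """Authorize By Role: a pass-through (None) identity carries no roles and is denied."""
    return identity is not None and bool(set(identity["roles"]) & set(allowed_roles))


# Constructed stand-in for the provider's introspection endpoint (offline only).
CONSTRUCTED_TOKENS = {
    "tok-admin": {"active": True, "email": "jdoe@beignet.com",
                  "groups": [{"name": "admin"}, {"name": "dev"}]},
    "tok-revoked": {"active": False},
}
INTROSPECT_CALLS = []   # records each introspection request body, to observe caching


def fake_introspection_endpoint(url, headers, body):
    INTROSPECT_CALLS.append(body)
    expected = "Basic " + base64.b64encode(b"jdoe@beignet.com:chocolatE").decode()
    if headers.get("Authorization") != expected:
        return {"active": False}      # unauthenticated client learns nothing about the token
    token = dict(urllib.parse.parse_qsl(body)).get("token")
    return CONSTRUCTED_TOKENS.get(token, {"active": False})


def build_policy(clock=time.time):
    """Wires the example values from the table into a policy instance."""
    return OAuth2ClientCredentialPolicy(
        introspection_endpoint="https://example.invalid/as/introspect",   # placeholder URL
        client_id="jdoe@beignet.com", client_secret="chocolatE",
        user_id_expr=lambda r: r["email"],                                # $response.email
        roles_expr=lambda r: [g["name"] for g in r["groups"]],            # $response.groups.map(...)
        transport=fake_introspection_endpoint,
        header_keys=("X-API-Key",), query_params=("access_token",), auth_type="Token",
        ttl_seconds=600, applies_when=lambda req: req.method == "POST", clock=clock)


if __name__ == "__main__":
    identity = build_policy().apply(Request("POST", {"X-API-Key": "tok-admin"}, {}))
    print(identity, authorize_by_role(identity, {"admin"}))
```

Two behaviours of the configuration are worth noticing in this model: a request whose Authorization header uses a different scheme than the configured Authorization Type (for example "Bearer" when the type is "Token") yields no token and is passed through, so it is the Authorize By Role policy that finally denies it; and a token that is revoked at the provider keeps being accepted from the cache until Time-To-Live expires, which is the trade-off to weigh when choosing that value.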



See Also