OAuth 2.0 Client Credentials
Overview
You can use this policy to authenticate users with a token in your OAuth 2.0 environment. This implementation is based on the Client Credential flow from Okta.
Authentication Policy Requirement
All Authentication policies require the Authorize By Role policy to authenticate the API caller correctly. For example, you can configure this policy to add the role “admin” to the client and then configure the Authorize By Role policy to authorize users with that role.
Verified Providers
SnapLogic verified the following Authentication providers for this policy:
This policy might work with other authentication providers not listed above but has not been tested and verified.
Known Issue
We do not support Azure AD for the https://docs-snaplogic.atlassian.net/wiki/spaces/SD/pages/2294120449 policy because Azure AD does not provide an introspection endpoint.
Workaround: Use the JWT credentials in the Generic OAuth2 policy to authenticate with Azure AD.
Prerequisites
The Oauth2 authentication server must be configured to accept the client ID/secret from the basic auth header during introspection.
Policy Execution Order
The OAuth 2.0 Client Credential policy executes after early-stage request validation policies, like IP Restriction.
Settings
All expression enabled fields take expressions from the SnapLogic Expression Language and the API Policy Manager functions.
Parameter Name | Description | Default Value | Example |
|---|---|---|---|
Label | Required. The name for the API policy. | OAuth2 Client Credential | GitHub OAuth 2.0 Policy |
When this policy should be applied | An expression enabled field that determines the condition to be fulfilled for the API policy to execute. For example, if the value in this field is request.method == "POST", the API policy is executed only if the request method is a POST. | N/A | request.method == “POST” |
Introspection Endpoint | Required. The mechanism for client servers to obtain information about the access token. The response from this token introspection endpoint will be stored in $response and can be referenced in User ID Expression and Roles Expression. | N/A | https://auth.pingone.com/2f6b6ab3-1fa7-4a7d-ba4d-00dbebd6d056/as/introspect |
Client ID | Required. The ID of the application registered with the OAuth2 provider. | N/A | jdoe@beignet.com |
Client Secret | Required. The client secret for the application registered with the OAuth2 provider. | N/A | chocolatE |
Extract into $token | Required. Specifies the location to find the key in the request. If one of the given locations is not found, this API policy will pass the request through to the next API policy. | N/A | N/A |
Custom Header Keys | The names of the headers that can contain the key. If more than one header is given, they will all be checked. Click + to add more custom header keys. | N/A | X-API-Key |
Custom Query String Parameter | The names of the query parameters that can contain the key. If more than one name is given, they will all be checked. Click + to add more custom query string parameters. | N/A | access_token |
Authorization Type | If the key is in the Authorization header, this value is used as the “type” to check. | Token | Key |
Extract User Info | Required. Specifies how to extract information about the user from the working object. | N/A | N/A |
User ID Expression | Required. An expression that returns a string to be used as the user ID. | N/A | $response.email |
Roles Expression | Required. An expression that returns the list of roles this user is in. | N/A | $response.groups.map(group => group.name) |
Time-To-Live in Seconds | Required. The number of seconds the token is valid for before it is re-validated. | 600 (10 minutes) | 700 |
Status | Specifies whether the API policy is enabled or disabled. | Enabled | Disabled |
Example to Configure the OAuth 2.0 Client Credentials API Policy with Ping Identity
Prerequisites
Apply Authorization by Role Policy
Verified Authentication Providers for this Policy, such as Okta or Ping Identity.
Example Workflow with Ping Identity Authentication Provider
You can use Ping Identity for the authentication process:
Set up the application in Ping identify to obtain the Client Credentials and Token Introspection Endpoint for use in the Policy.
Use the obtained Client Credentials and Token Introspection Endpoint in the Policy setup:
Parameter Name | Field Type | Example | |
|---|---|---|---|
Label* | String | SnapLogic OAuth2 Policy | |
When this policy should be applied | String/Expression | request.method == “POST” | |
Introspection Endpoint* | String/Expression | https://auth.pingone.asia/92888efd-6423-4f73-9523-ae8fa6c99cee/as/introspect | |
Client ID* | String/Expression | 0a781dd3-744c-4795-924d-b72b71c93a5f | |
Client Secret* | String/Expression | OwPmby3VbPpMJjKG5vXG4QciClg2xZw6oXnrXvDufRBIgbOHK5-PXvlLg0ml.DDG | |
Extract into $token* | N/A | ||
| Customer Header Key | String/Expression | X-API-Key |
| Custom Query String Parameter | String/Expression | query |
| Authorization Header Type | String | token |
Extract User Info* | N/A | ||
| User ID Expression* | String/Expression | User |
| Roles Expression* | String/Expression | staff |
Time-To-Live in Seconds* | String/Expression | 600 (10 minutes) | |
Status | Dropdown List | Enabled | |
See Also
Have feedback? Email documentation@snaplogic.com | Ask a question in the SnapLogic Community
© 2017-2024 SnapLogic, Inc.