Skip to main content
Skip table of contents

OAuth Verify Access Token

This policy is used to secure an API resource with OAuth. When added to a resource, this policy checks incoming requests for Access Tokens in the configured location. 

Configuration

The properties that have to be configured to use the policy are described below.


Figure 1: OAuth Verify Token Policy Configuration attributes

Properties represent methods through which Access Tokens are sent.

PropertyDescription
Body

Encoded Body Parameter

The Access Token is added to the request body using the "access_token" parameter.

Header

Authorization Request Header Field

Bearer Access Token is sent using "Authorization" request header field with the "Bearer" HTTP authorization scheme.

Query

URI Query Parameter 

The Access Token is added to the request URI query component using the "access_token" parameter.

Scope

Scopes assigned to the API project.

Example

READ,WRITE,DELETE,GET,POST

When it succeeds:
1. If one of the scopes embedded in the access token matches the scopes configured in Verify Access Token Policy.
2. If no scope is embedded in the access token and no scope is configured in Verify Access Token policy
3. If the scope in the Verify Access Token policy is empty and one of the scopes embedded in the access token matches the scopes embedded in the API product

When it fails:
1. If no scope embedded in the access token matches with any scope configured in the Verify Access Token Policy

  • If more than one scope is specified (as in the above example), then the policy will succeed if the access token includes any one of those scopes (like a logical 'OR' evaluation).
  • In order to enforce an 'AND' type of operation where multiple scopes on a token are enforced, create multiple Veryify Access Token policies with a single distinct scope for each.

 

 

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.