OAuth Verify Access Token

This policy is used to secure an API resource with OAuth. When added to a resource, this policy checks incoming requests for Access Tokens in the configured location.

Configuration

The properties that have to be configured to use the policy are described below.

Properties represent methods through which Access Tokens are sent.

Property	Description
Body	Encoded Body Parameter The Access Token is added to the request body using the "access_token" parameter.
Header	Authorization Request Header Field Bearer Access Token is sent using "Authorization" request header field with the "Bearer" HTTP authorization scheme.
Query	URI Query Parameter The Access Token is added to the request URI query component using the "access_token" parameter.
Scope	Scopes assigned to the API project. Example READ,WRITE,DELETE,GET,POST When it succeeds: 1. If one of the scopes embedded in the access token matches the scopes configured in Verify Access Token Policy. 2. If no scope is embedded in the access token and no scope is configured in Verify Access Token policy 3. If the scope in the Verify Access Token policy is empty and one of the scopes embedded in the access token matches the scopes embedded in the API product When it fails: 1. If no scope embedded in the access token matches with any scope configured in the Verify Access Token Policy If more than one scope is specified (as in the above example), then the policy will succeed if the access token includes any one of those scopes (like a logical 'OR' evaluation). In order to enforce an 'AND' type of operation where multiple scopes on a token are enforced, create multiple Veryify Access Token policies with a single distinct scope for each.