| Field | Description |
|---|---|
| Local introspection | Provide the following information to validate tokens locally, that is, by verifying the token signature on API Gateway without calling the authorization server. |
| Issuer | Name of the token issuer, as it appears in the tokens that API Gateway validates. |
| JWKS URI | URL of the authorization server's JSON Web Key Set (JWKS) endpoint, from which API Gateway retrieves the public keys (certificates) used for local introspection. API Gateway caches these keys under the kid header parameter: on every restart it invokes the JWKS URI and stores each certificate with its kid as the cache key. At runtime, local introspection reads the kid from the incoming JWT header, retrieves the matching certificate from the cache and verifies the token signature with it. Because the cache is filled only at restart, a token signed under a kid that the authorization server introduced after the last restart is not found in the cache. |
| Truststore alias | Alias of the truststore on API Gateway that holds the Certificate Authority (CA) certificate of the third-party authorization server. Required only if the authorization server does not expose a JWKS URI and you want to configure the signing certificate directly. |
| Certificate alias | Alias of the certificate used to validate the token signature. The list contains the aliases available in the selected truststore; if no truststore is configured, the list is empty. |
| Remote introspection | Provide the following information to validate tokens remotely, at the authorization server, when local introspection cannot be done. |
| Introspection endpoint | URL of the token introspection endpoint of the third-party OAuth 2.0 authorization server. API Gateway calls this endpoint to check that an access token presented in a client request is currently active and valid for invoking the protected resource. |
| Gateway user | Name of the API Gateway user under which API Gateway invokes the token introspection endpoint. |
| Client ID | ID of the introspection client registered on the authorization server, which API Gateway uses to authenticate to the introspection endpoint. |
| Client secret | Secret of that introspection client. |
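The local introspection path described in this table, as an added example that is not part of the original page or of API Gateway's own code: a Go program that builds the kid-keyed cache from a JWKS document, then validates an RS256 token against it, pins the algorithm, and checks the issuer and the expiry. The key pair, the issuer name https://as.example, the kid values and the JWKS document are constructed inside the example (JWKSFor and Mint stand in for the authorization server), so it runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWS segments are unpadded base64url
// LoadJWKS parses a JWKS document (what the JWKS URI returns) into a kid-keyed cache,
// which is what the gateway builds at restart. Only RSA keys that carry a kid are usable.
func LoadJWKS(doc []byte) (map[string]*rsa.PublicKey, error) {
	var set struct{ Keys []struct{ Kty, Kid, N, E string } `json:"keys"` } // kty/kid/n/e match case-insensitively
	if err := json.Unmarshal(doc, &set); err != nil {
		return nil, err
	}
	cache := map[string]*rsa.PublicKey{}
	for _, k := range set.Keys {
		if k.Kty != "RSA" || k.Kid == "" {
			continue
		}
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if errN != nil || errE != nil {
			return nil, fmt.Errorf("malformed JWK %q", k.Kid)
		}
		cache[k.Kid] = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
	}
	return cache, nil
}

// Verify is the local introspection step: header alg/kid -> cached key -> signature -> iss/exp.
func Verify(token, issuer string, cache map[string]*rsa.PublicKey, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed compact JWT")
	}
	hdrRaw, e1 := b64.DecodeString(parts[0])
	claimsRaw, e2 := b64.DecodeString(parts[1])
	sig, e3 := b64.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil {
		return nil, fmt.Errorf("JWT segment is not valid base64url")
	}
	var hdr struct{ Alg, Kid string }
	var claims map[string]any // parsed before the signature check, but trusted only after it
	if json.Unmarshal(hdrRaw, &hdr) != nil || json.Unmarshal(claimsRaw, &claims) != nil {
		return nil, fmt.Errorf("JWT header or payload is not valid JSON")
	}
	if hdr.Alg != "RS256" { // pin the algorithm: the token must not select "none" or an HMAC alg
		return nil, fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	pub, ok := cache[hdr.Kid]
	if !ok { // a kid the authorization server introduced after the cache was filled lands here
		return nil, fmt.Errorf("kid %q not in cache", hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature verification failed")
	}
	if claims["iss"] != issuer {
		return nil, fmt.Errorf("issuer mismatch")
	}
	if exp, ok := claims["exp"].(float64); !ok || now.Unix() >= int64(exp) {
		return nil, fmt.Errorf("token expired or exp missing")
	}
	return claims, nil
}

// JWKSFor and Mint stand in for the authorization server so the example runs offline.
func JWKSFor(priv *rsa.PrivateKey, kid string) []byte {
	doc, _ := json.Marshal(map[string]any{"keys": []map[string]string{{"kty": "RSA", "kid": kid,
		"n": b64.EncodeToString(priv.N.Bytes()), "e": b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes())}}})
	return doc
}

func Mint(priv *rsa.PrivateKey, kid string, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	cache, _ := LoadJWKS(JWKSFor(priv, "key-2024")) // what the gateway does at restart
	claims := map[string]any{"iss": "https://as.example", "exp": time.Now().Add(time.Hour).Unix()}
	_, err := Verify(Mint(priv, "key-2024", claims), "https://as.example", cache, time.Now())
	fmt.Println("cached kid:", err)
	_, err = Verify(Mint(priv, "key-2025", claims), "https://as.example", cache, time.Now())
	fmt.Println("rotated kid:", err) // rejected until the cache is rebuilt
}
```

The second Verify call in main is the cache caveat from the JWKS URI row: the signer is the same, but a kid that was not in the cache when it was filled is rejected until the cache is rebuilt. The issuer and expiry are checked only after the signature has verified; nothing in the payload is trusted before that point, and the algorithm is taken from configuration rather than from the token.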
| Field | Description |
|---|---|
| Enabled | Specifies whether dynamic client registration is enabled. Click the toggle button to enable dynamic client registration. This option is disabled by default. |
| Provider name | Select the name of the third-party provider. |
| Client registration URL | The REST endpoint URL of the authorization server's client registration API, which API Gateway calls for the client configuration of REST APIs. |
| Authentication type | Type of authentication scheme that API Gateway uses when it communicates with the external authorization server for client management. Select one of Basic, Token, Refresh token, Client credentials or None; the parameters each type requires are listed in the rows below. |
| Basic | A username and password are passed in the Authorization header of the HTTP request for client authentication. Username: the username used to access the protected resources of the REST APIs. Password: a valid password associated with the username. |
| Token | A token is added as a bearer token to the HTTP request for client authentication. Token type: the type of token carried in the HTTP request. Token: the token carried in the HTTP requests. |
| Refresh token | A refresh token, together with the client it was issued to, is used to obtain the bearer token added to the HTTP request for client authentication. Refresh token: the refresh token you obtained from the external authorization server for the registered client ID and client secret. Client ID: the client ID from the external authorization server. Client secret: a valid client secret associated with the client ID. |
| Client credentials | The credentials of the client application created in the external authorization server are used for client authentication. Scope: the scope of the client application, as defined on the external authorization server. Client ID: the client ID from the external authorization server. Client secret: a valid client secret associated with the client ID. |
| None | The client is created dynamically in the external authorization server without any authentication. |
| Supported grant types | List of grant types that API Gateway supports. A grant type is the way a client obtains an access token from the external authorization server. Type a grant type in the Supported grant types field and click +Add; repeat to add more than one grant type. |
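The remote introspection fields in the first table and the dynamic client registration fields above share one outbound pattern: API Gateway posts to an endpoint on the authorization server and authenticates to it as a registered client. The following Go program is an added example, not part of the original page and not API Gateway's own code, and shows both sides of that exchange. NewAuthServer is a constructed stand-in for the authorization server with an RFC 7662 introspection endpoint and an RFC 7591 registration endpoint; the credential values, the token name tok-live and the endpoint paths /introspect and /register are assumptions made for the example. Introspect sends the Client ID and Client secret as HTTP Basic credentials, as configured in the Introspection endpoint rows; Register sends a bearer token, which corresponds to Authentication type Token in this table.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

const IntrospectClientID, IntrospectClientSecret = "gw-introspector", "gw-secret" // constructed: the "Client ID" and "Client secret" fields
const RegistrationToken = "initial-access-token"                                  // constructed: bearer for "Authentication type: Token"

var issued = map[string]map[string]any{ // the server's view of live tokens; anything else is reported inactive
	"tok-live": {"active": true, "scope": "orders:read", "client_id": "app-1", "sub": "alice"},
}

// NewAuthServer serves an RFC 7662 introspection endpoint and an RFC 7591 registration endpoint.
func NewAuthServer() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/introspect", func(w http.ResponseWriter, r *http.Request) {
		id, secret, ok := r.BasicAuth()
		if r.Method != http.MethodPost || !ok || id != IntrospectClientID || secret != IntrospectClientSecret {
			w.WriteHeader(http.StatusUnauthorized) // unauthenticated callers learn nothing about any token
			return
		}
		resp, known := issued[r.FormValue("token")]
		if !known {
			resp = map[string]any{"active": false} // RFC 7662: unknown, revoked and expired tokens all look alike
		}
		json.NewEncoder(w).Encode(resp)
	})
	mux.HandleFunc("/register", func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost || r.Header.Get("Authorization") != "Bearer "+RegistrationToken {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		var req struct{ ClientName string `json:"client_name"`; GrantTypes []string `json:"grant_types"` }
		if json.NewDecoder(r.Body).Decode(&req) != nil || req.ClientName == "" {
			w.WriteHeader(http.StatusBadRequest)
			return
		}
		w.WriteHeader(http.StatusCreated)
		json.NewEncoder(w).Encode(map[string]any{"client_id": "dyn-" + strings.ToLower(req.ClientName), "client_secret": "generated-secret", "grant_types": req.GrantTypes})
	})
	return httptest.NewServer(mux)
}

// post is the gateway's outbound call: one request, a fixed expected status, a JSON object back.
func post(endpoint, contentType, body string, want int, auth func(*http.Request)) (map[string]any, error) {
	req, err := http.NewRequest(http.MethodPost, endpoint, strings.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", contentType)
	auth(req)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != want { // fail closed: a 401 or 500 never turns into "active" or a registered client
		return nil, fmt.Errorf("%s returned HTTP %d, expected %d", endpoint, resp.StatusCode, want)
	}
	var out map[string]any
	err = json.NewDecoder(resp.Body).Decode(&out)
	return out, err
}

// Introspect is the gateway side of remote introspection: POST token=..., client credentials in Basic auth.
func Introspect(endpoint, clientID, clientSecret, token string) (bool, map[string]any, error) {
	body, err := post(endpoint, "application/x-www-form-urlencoded", url.Values{"token": {token}}.Encode(),
		http.StatusOK, func(r *http.Request) { r.SetBasicAuth(clientID, clientSecret) })
	if err != nil {
		return false, nil, err
	}
	active, _ := body["active"].(bool) // a missing or non-boolean "active" counts as inactive
	return active, body, nil
}

// Register is the gateway side of dynamic client registration with "Authentication type: Token".
func Register(endpoint, bearer, clientName string, grantTypes []string) (string, string, error) {
	payload, _ := json.Marshal(map[string]any{"client_name": clientName, "grant_types": grantTypes})
	body, err := post(endpoint, "application/json", string(payload), http.StatusCreated,
		func(r *http.Request) { r.Header.Set("Authorization", "Bearer "+bearer) })
	if err != nil {
		return "", "", err
	}
	id, _ := body["client_id"].(string)
	secret, _ := body["client_secret"].(string)
	return id, secret, nil
}

func main() {
	as := NewAuthServer()
	fmt.Println(Introspect(as.URL+"/introspect", IntrospectClientID, IntrospectClientSecret, "tok-live"))
	fmt.Println(Register(as.URL+"/register", RegistrationToken, "Orders-App", []string{"client_credentials"}))
}
```

Two behaviours on the gateway side are the point: an unknown or revoked token comes back as active: false and is simply not authorized, while any answer other than the expected status (wrong introspection credentials, a server fault) is a failure to introspect and is never treated as an active token or a registered client.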
| Field | Description |
|---|---|
| Keystore alias | Alias of the keystore containing the private key used for secure communication between API Gateway and the authorization server. The list shows all keystore aliases available in API Gateway; if no keystore alias is configured, it contains only the default keystore, DEFAULT_IS_KEYSTORE. |
| Key alias | Alias of the private key to use to validate the HTTP requests from the client. The list shows all key aliases in the selected keystore; if no keystore is configured, it is empty. |
| Truststore alias | Alias of the truststore on API Gateway that holds the Certificate Authority (CA) certificate of the third-party authorization server. Note: You need to select a truststore alias only when both of the following are true: the client account on the third-party authorization server is configured to use mutual (two-way) SSL, and the authorization server's CA certificate is not among the well-known authorities trusted by the JVM in which API Gateway runs. |
| Field | Description |
|---|---|
| Access token URL | The endpoint URL on the authorization server through which the client application exchanges the authorization code, client ID, and client secret for an access token. |
| Authorize URL | The endpoint URL on the authorization server through which the end user authenticates and grants authorization to the client application. |
| Refresh token URL | The endpoint URL on the authorization server through which the client application refreshes an expired access token. |