CentraSite 10.3 | CentraSite User’s Guide | Runtime Governance | Run-Time Policy Management | Built-In Run-Time Actions Reference (CentraSite Business UI) | Built-in Actions for Run-Time Policies (CentraSite Business UI) | Evaluate OAuth2 Token
Evaluate OAuth2 Token
If you have a native API that requires a client to authenticate to the Integration Server using OAuth 2.0 credentials (an access token), you can use the Evaluate OAuth2 Authentication action to extract the client's credentials from the HTTP request header and verify the client's identity.
This action extracts the OAuth access token from an incoming request and locates the client defined by that access token. For example, when you have configured this action for an API, the PEP extracts the OAuth access token from the request’s HTTP header at run time and searches its list of consumers for the client that is defined by that access token.
Mediator evaluates the incoming request to identify the client and validate the client's access token.
Mediator rejects requests that do not include the OAuth access token of an Integration Server user.
Mediator supports OAuth 2.0 using the Client Credentials grant type.
If Mediator cannot identify the client, Mediator fails the request and generates a Policy Violation event.
Input Parameters

Identify User
(String). The list of consumers against which the OAuth token is validated in order to identify requests from a particular client.

Value: Description
Do Not Identify: Mediator forwards the request to the native API without attempting to verify the client's credentials in the incoming request.
Global Consumers: (Default). Mediator tries to verify the client's OAuth access token against the list of all global consumers available in Mediator.
Registered Consumers: Mediator tries to verify the client's OAuth access token against the list of consumer applications that are registered as consumers for the specified API.
Authenticate Access Token
(Boolean). (Optional). This option uses your resource server to verify clients. When Integration Server acts as a resource server, it receives requests from clients that include an access token. The resource server asks the authorization server to validate the access token and user. If the token is valid and the user has privileges to access the folders and services, the resource server executes the request.
For more information about using Integration Server to act as a resource server, see webMethods Integration Server Administrator’s Guide.
Value: Description
True: (Default). Mediator verifies the client's OAuth access token against the list of consumers available in the Integration Server on which Mediator is running.
False: Mediator does not verify the client's OAuth access token.
Important:
As a best practice, we recommend that if the parameter Identify User is set to either Registered Consumers or Do Not Identify, the parameter Authenticate Access Token should be set to True.
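The following is an added illustration, not Mediator's own code, of how the two input parameters above combine into a single allow/reject decision. The token values, application names, the consumer lists and the authorization-server check are all constructed sample data, and the order in which the checks run is an assumption. It makes the point behind the Important note concrete: with Identify User set to Do Not Identify and Authenticate Access Token set to False, a request reaches the native API with no verification at all, and with Authenticate Access Token set to False a token that the authorization server has revoked is still accepted as long as it matches a consumer.

```python
"""Toy model of how the Identify User and Authenticate Access Token settings
combine. Constructed for illustration; it is not Mediator's implementation,
and the order in which the checks run is an assumption."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Set


class IdentifyUser(Enum):
    DO_NOT_IDENTIFY = "Do Not Identify"
    GLOBAL_CONSUMERS = "Global Consumers"
    REGISTERED_CONSUMERS = "Registered Consumers"


@dataclass
class PolicyConfig:
    identify_user: IdentifyUser = IdentifyUser.GLOBAL_CONSUMERS  # page default
    authenticate_access_token: bool = True                        # page default


@dataclass
class Decision:
    allowed: bool
    client: Optional[str]
    reason: str


# Constructed sample state (hypothetical tokens and application names).
# Which consumer each token belongs to, standing in for the global consumer list.
GLOBAL_CONSUMERS: Dict[str, str] = {
    "tok-alpha-123": "alpha-app",
    "tok-beta-456": "beta-app",
    "tok-gamma-789": "gamma-app",  # known consumer, but its token is revoked below
}
# Consumers registered for a specific API (constructed).
REGISTERED_CONSUMERS: Dict[str, Set[str]] = {"orders-api": {"alpha-app"}}
# Tokens the authorization server still reports as valid (constructed stand-in
# for the resource-server validation the page describes).
AUTH_SERVER_VALID_TOKENS: Set[str] = {"tok-alpha-123", "tok-beta-456"}


def extract_bearer_token(headers: Dict[str, str]) -> Optional[str]:
    """Pull the access token out of an 'Authorization: Bearer <token>' header."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def authorization_server_accepts(token: str) -> bool:
    """Simulated authorization-server validation of the token (constructed)."""
    return token in AUTH_SERVER_VALID_TOKENS


def evaluate(api_name: str, headers: Dict[str, str], cfg: PolicyConfig) -> Decision:
    """Return the policy decision for one request under the given settings."""
    # Do Not Identify combined with False: nothing is checked, which is why
    # the Important note recommends Authenticate Access Token = True here.
    if cfg.identify_user is IdentifyUser.DO_NOT_IDENTIFY and not cfg.authenticate_access_token:
        return Decision(True, None, "forwarded: no verification configured")

    token = extract_bearer_token(headers)
    if token is None:
        return Decision(False, None, "Policy Violation: no OAuth access token in request")

    # Authenticate Access Token = True: ask the authorization server first.
    if cfg.authenticate_access_token and not authorization_server_accepts(token):
        return Decision(False, None, "Policy Violation: token rejected by authorization server")

    if cfg.identify_user is IdentifyUser.DO_NOT_IDENTIFY:
        return Decision(True, None, "forwarded: token authenticated, client not identified")

    # Global Consumers and Registered Consumers both start from the global list.
    client = GLOBAL_CONSUMERS.get(token)
    if client is None:
        return Decision(False, None, "Policy Violation: token matches no known consumer")

    if (cfg.identify_user is IdentifyUser.REGISTERED_CONSUMERS
            and client not in REGISTERED_CONSUMERS.get(api_name, set())):
        return Decision(False, client, "Policy Violation: client not registered for this API")

    return Decision(True, client, "forwarded: client identified")


if __name__ == "__main__":
    revoked = {"Authorization": "Bearer tok-gamma-789"}
    strict = PolicyConfig(IdentifyUser.GLOBAL_CONSUMERS, True)
    lax = PolicyConfig(IdentifyUser.GLOBAL_CONSUMERS, False)
    print(evaluate("orders-api", revoked, strict).reason)  # revoked token is rejected
    print(evaluate("orders-api", revoked, lax).reason)     # same token is accepted
```

Running the module prints the two decisions for the revoked token side by side; the difference between them is exactly what the Authenticate Access Token parameter controls.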