Configuring the Internal Authorization Server
Pre-requisites:
You must have the API Gateway's manage security configurations functional privilege assigned to add an authorization server.
You have to configure API Gateway with the required information to act as an internal authorization server for OAuth or JWT, depending on which authentication protocol you want to use to identify and authorize a client application. You can also define the required scopes, which provide a way to limit the amount of access that is granted to an access token.
To configure an internal authorization server
1. Expand the menu options icon, in the title bar, and select Administration.
2. Select Security > OAuth/JWT/OpenID.
3. In the Internal Authorization servers section, click local.
This is the built-in authorization server that you can configure with the required information to act as an internal authorization server for the OAuth, JWT, or OpenID authentication protocols.
4. The name field is pre-populated with the name of the internal authorization server, local, which is non-editable.
5. The description for the internal authorization server is pre-populated with the default description. You can modify the description as required.
6. Click JWT configuration to configure API Gateway as a JWT issuer.
Alternatively, you can expand or collapse a section using the down arrow and the up arrow that appear next to the section name.
7. Provide the following information as required:
| Field | Description |
| --- | --- |
| Token issuer | Name of the JWT token issuer used by API Gateway. Note: The Token issuer value is case-sensitive. |
| Algorithm | The cryptographic algorithm used to sign JSON Web Tokens (JWTs). Supported values are: RS256, RS384, and RS512. |
| Expiry duration | The duration (in minutes) for which the token is valid. For example, the value 60 denotes that the access token will expire one hour after the time the token was generated. |
| Audience | Optional. The intended recipient of the token. The application that receives the token must verify that the audience value is correct and reject any tokens intended for a different audience. |
| Keystore alias | Alias of the keystore containing the private key that is used to sign JWTs. The Keystore alias field contains a list of the available keystore aliases in API Gateway. If there are no configured keystore aliases, this field displays DEFAULT_IS_KEYSTORE. |
| Key alias | Alias of the private key used to sign JWTs. The Key alias field contains a list of the available aliases in the selected keystore. If there are no configured keystores, this field is empty. |
8. Click OAuth configuration to configure API Gateway as an OAuth authorization server.
Alternatively, you can expand or collapse a section using the down arrow and the up arrow that appear next to the section name.
9. Provide the following information as required:
Authorization code expiration interval. Specifies the time (in seconds) during which the authorization code issued by the authorization server is valid. Valid values are between 1 and 2147483647. The default value is 600.
Access token expiration interval. Specifies the time (in seconds) for which the access tokens issued by the authorization server are valid. The default value is 3600. Value of -1 specifies that the access token does not expire.
PKCE configuration. Select the Enforce PKCE check box to secure the get access token calls with the PKCE mechanism.
10. Click OAuth tokens.
This lists the available OAuth tokens with the following details:
Client ID. Specifies the ID of the client application that requested the access token.
Owner ID. Specifies the ID of the owner who issues the access token.
Access token. Specifies the access token.
Refresh token. The token you can use to generate a new access token when the existing access token has expired.
Remaining refresh limit. Displays the remaining attempts for refreshing the access token.
Action. Revokes the access tokens, which means those tokens cannot be used to invoke the protected resource.
Note:
By default, API Gateway lists only 5 records and provides pagination to explore more tokens. You can also use the search and filter options to find the OAuth tokens.
You can remove all the expired OAuth access tokens using the following API.
Method: GET
URL: hostname:port/invoke/pub.oauth/removeExpiredAccessTokens
Note:
You can schedule the cleanup of the expired OAuth access tokens as required.
11. Click OAuth scopes.
OAuth 2.0 scopes provide a way to limit the amount of access that is granted to an access token. For example, an access token issued to a client application may be granted READ and WRITE access to the protected resources, or just the READ access. You can implement your APIs to enforce any scope or a combination of scopes as required. So, if a client receives a token that has READ scope, and it tries to invoke an API endpoint that requires WRITE access, the invocation fails.
You can provide the meaning to the scope in OAuth/OpenID scopes management section.
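As an added example that is not part of this documentation or of API Gateway's own code, the following Python shows the checks a resource server applies to a JWT issued by the internal authorization server configured above: the RS256/RS384/RS512 algorithm allowlist, the case-sensitive Token issuer, the Audience, the expiry derived from the Expiry duration, and the READ/WRITE scope enforcement described under OAuth scopes. The issuer, audience and scope values are constructed assumptions, and RSA signature verification is assumed to be done first by a JOSE library, before any of these claims are trusted.

```python
import base64
import json
import time

# JWT configuration values assumed for this example (constructed, not the page's).
ALLOWED_ALGS = {"RS256", "RS384", "RS512"}  # the only algorithms the server signs with
EXPECTED_ISSUER = "apigateway-local"        # Token issuer; the page says it is case-sensitive
EXPECTED_AUDIENCE = "orders-api"            # Audience this resource server accepts
EXPIRY_DURATION_MIN = 60                    # Expiry duration, in minutes

def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWT strips."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def split_jwt(token: str):
    """Return (header, claims) from a compact JWT. The RSA signature must be
    verified with a JOSE library before these claims are trusted."""
    header_b64, payload_b64, _signature_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def validate_claims(header, claims, required_scopes, now=None):
    """Checks a resource server applies to a token from the internal server.
    Returns None when the token is acceptable, otherwise the rejection reason."""
    now = time.time() if now is None else now
    if header.get("alg") not in ALLOWED_ALGS:  # also rejects alg "none" and HMAC algorithms
        return "algorithm not allowed"
    if claims.get("iss") != EXPECTED_ISSUER:  # exact, case-sensitive comparison
        return "issuer mismatch"
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        return "audience mismatch"
    if claims.get("exp", 0) <= now:  # exp = iat + Expiry duration
        return "token expired"
    granted = set(claims.get("scope", "").split())
    if not set(required_scopes) <= granted:  # e.g. READ-only token on a WRITE endpoint
        return "insufficient scope"
    return None

def make_demo_token(issued_at, scope, issuer=EXPECTED_ISSUER, audience=EXPECTED_AUDIENCE, alg="RS256"):
    """Constructed token for exercising the checks above; the signature segment is a
    placeholder, so a real verifier rejects it before validate_claims would run."""
    header = {"alg": alg, "typ": "JWT"}
    claims = {"iss": issuer, "aud": audience, "iat": issued_at,
              "exp": issued_at + EXPIRY_DURATION_MIN * 60, "scope": scope}
    return ".".join(b64url_encode(json.dumps(p).encode()) for p in (header, claims)) + ".SIG_PLACEHOLDER"
```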
12. Type the scope that is registered in the authorization server and click +Add.
You can include multiple scopes.
13. Click Update.
This updates the internal authorization server with the information you provided, and the server is listed in the Internal authorization servers table.