10.4.9 Configuring an OAuth Token Inject Policy

This policy allows Access Gateway to inject an OAuth token into the web application's request header as an Authorization bearer token.

To create and configure an OAuth Token policy, perform the following steps:

  1. Click Policies > Policies.

  2. Select the policy container.

  3. Click New, specify a name for the policy. Select Access Gateway: Identity Injection from the list, then click OK.

  4. (Optional) Specify a description for the injection policy. This is useful if you plan to create multiple policies to be used by multiple resources.

  5. In the Actions section, click New > Inject OAuth Token.

    NOTE: The format of the token that gets injected depends on the OAUTH TOKENS IN BINARY FORMAT property, which is set in the Identity Server global options.

    If this property is set to false or is not specified in the Identity Server global options, the token is injected in JWT format.

  6. Select OAuth scopes from the Available OAuth Scopes list; you can add multiple scopes this way. The selected scopes are listed in the OAuth Scopes (Select from available OAuth Scopes list) field. To add more scopes manually or to edit existing scopes, use that same field.

    NOTE: The scopes are case-sensitive and have a character limit of 60. You can specify more than one scope, separated by commas.

  7. In the Renew Before the Token Expiry (minutes) field, specify how many minutes before expiry the token is renewed.

    Examples:

    Suppose the Identity Server contract timeout is set to 60 minutes. If you specify Renew Before the Token Expiry (minutes) as 30, the token is renewed 30 minutes (60 - 30 minutes) after the start of the Identity Server session.

    Suppose the Identity Server contract timeout is set to 60 minutes. If you specify Renew Before the Token Expiry (minutes) as 60 as well, a new token is issued for each session.

    IMPORTANT: For efficient policy execution, it is not recommended to add multiple actions to a policy that contains an Inject OAuth Token action. If you add another action anyway, the token renewal time is determined by the lowest time among all the actions.

    For example, if you set Renew Before the Token Expiry (minutes) to 30 and add an Inject Kerberos Ticket action with Refresh Data Every set to 10 minutes, the token is renewed at 10 minutes instead of 30.

  8. To save the policy, click OK twice, then click Apply Changes.
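The following Python model is an added example, not Access Manager code; it encodes the scope rules of step 6 and the renewal timing of step 7 so the configured values can be checked before the policy is applied. It models the multi-action rule as the lowest renewal time among all actions, and the treatment of a renew-before value larger than the contract timeout is an assumption.

```python
"""Model of the Inject OAuth Token policy rules (added example, not product code).

Documented rules: scopes are case-sensitive, at most 60 characters and
comma-separated; the OAuth token is renewed (contract timeout - renew-before)
minutes into the session, and equal values mean a new token per session;
with several actions, the lowest renewal time among them wins.
"""
from typing import Iterable

SCOPE_MAX_LEN = 60  # documented character limit per scope


def parse_scope_field(field: str) -> list[str]:
    """Split the manual 'OAuth Scopes' field into validated, de-duplicated scopes."""
    scopes: list[str] = []
    for raw in field.split(","):
        scope = raw.strip()
        if not scope:
            continue  # tolerate blank entries and trailing commas
        if len(scope) > SCOPE_MAX_LEN:
            raise ValueError(f"scope {scope!r} exceeds {SCOPE_MAX_LEN} characters")
        if scope not in scopes:  # exact comparison: 'Email' and 'email' are distinct scopes
            scopes.append(scope)
    return scopes


def renewal_offset_minutes(contract_timeout: int, renew_before: int) -> int:
    """Minutes after session start at which the OAuth token is renewed.

    Equal values (60 and 60) give 0, i.e. a new token for every session.
    Assumption (not stated in the documentation): a renew-before value larger
    than the contract timeout is treated like an equal value.
    """
    if contract_timeout <= 0 or renew_before < 0:
        raise ValueError("contract timeout must be positive and renew-before non-negative")
    if renew_before >= contract_timeout:
        return 0
    return contract_timeout - renew_before


def effective_renewal_minutes(contract_timeout: int, renew_before: int,
                              other_refresh_minutes: Iterable[int] = ()) -> int:
    """Renewal time when the policy also carries other actions (e.g. Inject
    Kerberos Ticket with 'Refresh Data Every'): the lowest time governs."""
    times = [renewal_offset_minutes(contract_timeout, renew_before), *other_refresh_minutes]
    return min(times)


if __name__ == "__main__":
    # Constructed values mirroring the documentation's examples.
    print(parse_scope_field("email, profile,email"))        # ['email', 'profile']
    print(renewal_offset_minutes(60, 30))                   # 30
    print(renewal_offset_minutes(60, 60))                   # 0
    print(effective_renewal_minutes(60, 30, [10]))          # 10
```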