6.4.9 Configuring an OAuth Token Inject Policy

This policy injects the OAuth token into the web application's request header as an Authorization header using the Bearer scheme.

To create and configure an OAuth Token Inject policy, perform the following steps:

  1. Click Policies > Policies.

  2. Select the policy container.

  3. Click New, specify a name for the policy. Select Access Gateway: Identity Injection, and click OK.

  4. (Optional) Specify a description for the injection policy. This is useful if you plan to create multiple policies to be used by multiple resources.

  5. In the Actions section, click New > Inject OAuth Token.

    NOTE: The format of the token that gets injected depends on the OAUTH TOKENS IN BINARY FORMAT property. This property is set in the Identity Server global options.

    If this property is set to false or is not specified in the Identity Server global options, the format of the token is JWT.

  6. In Resource Server for Token encryption, select a resource server.

    The resource server’s keys are used to encrypt and validate the token at userinfo, tokeninfo, and introspection endpoints. If you do not select any resource server, the tokens are encrypted using the default resource server keys. If no resource server is marked as the default resource server, the tokens are encrypted using the Access Manager keys.

    NOTE: This option is available from Access Manager 5.0 onwards. If you have upgraded to Access Manager 5.0 from a previous version and want to encrypt the tokens using the resource server's keys, you must update the Access Gateway nodes.

  7. Select OAuth scope from the Available OAuth Scopes list. You can add multiple scopes using this option. The selected scopes get listed in OAuth Scopes (Select from available OAuth Scopes list). To manually add or edit scopes, use OAuth Scopes (Select from available OAuth Scopes list).

    NOTE: The scopes are case-sensitive and have a character limit of 60. You can specify more than one scope separated by a comma.

  8. In Renew Before the Token Expiry (minutes), specify a time for the token renewal.

    Examples:

    Let us assume that the Identity Server contract timeout is set to 60 minutes. If you specify Renew Before the Token Expiry (minutes) as 30, the token gets renewed 30 minutes (60 - 30 minutes) after the start of the Identity Server session.

    Let us assume that the Identity Server contract timeout is set to 60 minutes. If you specify Renew Before the Token Expiry (minutes) also as 60, a new token is issued for each session.

    IMPORTANT: For efficient policy execution, it is not recommended to add multiple actions to the Inject OAuth Token policy. However, if you do add another action, the token renewal time is based on the lowest time among all the actions.

    For example, if you set Renew Before the Token Expiry (minutes) to 30 and add the Inject Kerberos Ticket policy with Refresh Data Every set to 10 minutes, the token is renewed at 10 minutes instead of 30.

  9. Click OK > OK > Apply Changes.
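The following is an added example, not Access Manager code, that models the rules from steps 7 and 8: it parses a comma-separated scope string under the case-sensitivity and 60-character constraints, and computes when the injected token is renewed, including the lowest-time rule when other actions share the policy. Representing "a new token for each session" as a renewal offset of 0 minutes is an assumption of this model.

```python
"""Constructed model of the Inject OAuth Token policy settings; not product code."""
from typing import Dict, List, Optional, Tuple

MAX_SCOPE_LEN = 60  # character limit per scope, from the NOTE in step 7


def parse_scopes(raw: str) -> Tuple[List[str], List[str]]:
    """Split a comma-separated scope string as entered in step 7.

    Scopes are case-sensitive, so 'Profile' and 'profile' are kept as two
    distinct entries; exact duplicates are dropped. Returns (scopes, errors).
    """
    scopes: List[str] = []
    errors: List[str] = []
    for item in raw.split(","):
        scope = item.strip()
        if not scope:
            continue
        if len(scope) > MAX_SCOPE_LEN:
            errors.append(f"scope '{scope[:12]}...' exceeds {MAX_SCOPE_LEN} characters")
            continue
        if scope not in scopes:
            scopes.append(scope)
    return scopes, errors


def renewal_offset_minutes(contract_timeout: int, renew_before: int) -> int:
    """Minutes after session start at which the injected token is renewed.

    Renewal happens (timeout - renew_before) minutes into the session. If
    renew_before is equal to or larger than the timeout, a new token is issued
    for each session; this model (an assumption) represents that as offset 0.
    """
    if renew_before >= contract_timeout:
        return 0
    return contract_timeout - renew_before


def effective_renewal_minutes(contract_timeout: int, renew_before: int,
                              other_action_intervals: Optional[List[int]] = None) -> int:
    """Renewal time when other actions (e.g. Inject Kerberos Ticket with
    'Refresh Data Every') share the policy: the lowest time among all actions."""
    candidates = [renewal_offset_minutes(contract_timeout, renew_before)]
    candidates.extend(other_action_intervals or [])
    return min(candidates)


def authorization_header(token: str) -> Dict[str, str]:
    """The header the policy injects into the request to the web application."""
    return {"Authorization": f"Bearer {token}"}
```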