Gravitee.io - API Management - Resource - OAuth2 Generic
https://github.com/gravitee-io/gravitee-resource-oauth2-provider-generic


= Generic OAuth2 Authorization Server Resource

ifdef::env-github[]
image:https://img.shields.io/static/v1?label=Available%20at&message=Gravitee.io&color=1EC9D2["Gravitee.io", link="https://download.gravitee.io/#graviteeio-apim/plugins/resources/gravitee-resource-oauth2-provider-generic/"]
image:https://img.shields.io/badge/License-Apache%202.0-blue.svg["License", link="https://github.com/gravitee-io/gravitee-resource-oauth2-provider-generic/blob/master/LICENSE.txt"]
image:https://img.shields.io/badge/semantic--release-conventional%20commits-e10079?logo=semantic-release["Releases", link="https://github.com/gravitee-io/gravitee-resource-oauth2-provider-generic/releases"]
image:https://circleci.com/gh/gravitee-io/gravitee-resource-oauth2-provider-generic.svg?style=svg["CircleCI", link="https://circleci.com/gh/gravitee-io/gravitee-resource-oauth2-provider-generic"]
image:https://f.hubspotusercontent40.net/hubfs/7600448/gravitee-github-button.jpg["Join the community forum", link="https://community.gravitee.io?utm_source=readme", height=20]
endif::[]

== Description

The Generic OAuth2 Authorization Server resource introspects an access token issued by a generic OAuth2
authorization server.

It is meant to work with the common authorization servers on the market by exposing a complete
configuration of how token introspection is performed (endpoint, HTTP method, client authentication and
where the token is placed in the request).

== Compatibility with APIM

|===
|Plugin version | APIM version

|4.0 and upper | 4.6.x to latest
|3.0 and upper | 4.4.x to 4.5.x
|2.0 and upper | 3.18.x to 4.3.x
|1.16.x and upper | 3.10.x to 3.17.x
|Up to 1.15.x | Up to 3.9.x
|===

== Configuration

You can configure the resource with the following options:

|===
|Property |Required |Description |Type |Default | Support EL | Support Secret

.^|introspectionEndpoint
^.^|X
|The URL which is used by the resource to introspect an incoming access token.
^.^|string
^.^|-
^.^|X
^.^|-

.^|useSystemProxy
^.^|X
|Use the system proxy when calling the introspection endpoint.
^.^|boolean
^.^|false
^.^|-
^.^|-

.^|introspectionEndpointMethod
^.^|X
|HTTP method used to introspect the access token.
^.^|HTTP Method
^.^|GET
^.^|-
^.^|-

.^|clientId
^.^|X
|The client identifier.
^.^|string
^.^|-
^.^|X
^.^|X

.^|clientSecret
^.^|X
|The client secret.
^.^|string
^.^|-
^.^|X
^.^|X

.^|useClientAuthorizationHeader
^.^|-
|RFC 7662 requires the introspection endpoint to require some form of authorization, to prevent token scanning attacks. When enabled, the resource authenticates itself to the endpoint with an HTTP header (see clientAuthorizationHeaderName and clientAuthorizationHeaderScheme).
^.^|boolean
^.^|true
^.^|-
^.^|-

.^|clientAuthorizationHeaderName
^.^|-
|Name of the HTTP header that carries the client credentials.
^.^|string
^.^|Authorization
^.^|X
^.^|-

.^|clientAuthorizationHeaderScheme
^.^|-
|Authentication scheme placed before the credentials in that header (for example Basic).
^.^|string
^.^|Basic
^.^|X
^.^|-

.^|tokenIsSuppliedByQueryParam
^.^|-
|Access token is passed to the introspection endpoint as a query parameter. Note that a token in the query string can end up in proxy and server access logs; prefer the HTTP header option when the authorization server supports it.
^.^|boolean
^.^|true
^.^|-
^.^|-

.^|tokenQueryParamName
^.^|-
|Query parameter used to supply the access token.
^.^|string
^.^|token
^.^|-
^.^|-

.^|tokenIsSuppliedByHttpHeader
^.^|-
|Access token is passed to the introspection endpoint using an HTTP header.
^.^|boolean
^.^|false
^.^|-
^.^|-

.^|tokenHeaderName
^.^|-
|HTTP header used to supply the access token.
^.^|string
^.^|-
^.^|X
^.^|-

|===

[source, json]
.Configuration example
----
{
  "configuration": {
    "introspectionEndpoint": "https://my_authorization_server/oauth/check_token",
    "introspectionEndpointMethod": "POST",
    "clientAuthorizationHeaderName": "Authorization",
    "clientAuthorizationHeaderScheme": "Basic",
    "clientId": "my-client",
    "clientSecret": "f2ddb55e-30b5-4a45-9db5-5e30b52a4574",
    "tokenIsSuppliedByHttpHeader": false,
    "tokenIsSuppliedByQueryParam": true,
    "tokenQueryParamName": "token",
    "useClientAuthorizationHeader": true
  }
}
----

[source, json]
.Extract with a secret and EL
----
{
  "configuration": {
    "introspectionEndpoint": "https://{#dictionary['oauth']['host']}/oauth/check_token",
    "clientId": "my-client",
    "clientSecret": "f2ddb55e-30b5-4a45-9db5-5e30b52a4574"
  }
}
----
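The following Python script is an added example, not code from this plugin or from Gravitee: it dry-runs a configuration shaped like the table above, builds the HTTP request the resource would send (client `Basic` header, token as query parameter, as a header, or as an RFC 7662 form body on POST) and applies the RFC 7662 acceptance rule to the response. The endpoint, token and sample response are constructed for the demo, and the `introspect()` helper is an assumption about how such a client is wired, not the plugin's own implementation.

```python
"""Dry-run a generic OAuth2 introspection configuration.

Added example, not code from gravitee-resource-oauth2-provider-generic.
The defaults mirror the configuration table; the token and the sample
response are constructed for the demo.
"""
import base64
import json
import time
import urllib.parse
import urllib.request

# Defaults copied from the configuration table.
DEFAULTS = {
    "introspectionEndpointMethod": "GET",
    "useClientAuthorizationHeader": True,
    "clientAuthorizationHeaderName": "Authorization",
    "clientAuthorizationHeaderScheme": "Basic",
    "tokenIsSuppliedByQueryParam": True,
    "tokenQueryParamName": "token",
    "tokenIsSuppliedByHttpHeader": False,
    "tokenHeaderName": None,
    "useSystemProxy": False,
}


def build_introspection_request(config, access_token):
    """Return (method, url, headers, body) for the introspection call."""
    cfg = {**DEFAULTS, **config}
    method = cfg["introspectionEndpointMethod"].upper()
    url = cfg["introspectionEndpoint"]
    headers = {"Accept": "application/json"}
    body = None

    if cfg["useClientAuthorizationHeader"]:
        scheme = cfg["clientAuthorizationHeaderScheme"]
        if scheme.lower() == "basic":
            # RFC 7617: base64(client_id ":" client_secret), no trailing newline.
            raw = f'{cfg["clientId"]}:{cfg["clientSecret"]}'.encode()
            credential = base64.b64encode(raw).decode()
        else:
            # Assumption for this demo: any other scheme carries the secret verbatim.
            credential = cfg["clientSecret"]
        headers[cfg["clientAuthorizationHeaderName"]] = f"{scheme} {credential}"

    if cfg["tokenIsSuppliedByQueryParam"]:
        # Token in the URL: works with GET, but it shows up in access logs.
        sep = "&" if "?" in url else "?"
        url += sep + urllib.parse.urlencode({cfg["tokenQueryParamName"]: access_token})
    elif cfg["tokenIsSuppliedByHttpHeader"]:
        if not cfg["tokenHeaderName"]:
            raise ValueError("tokenHeaderName is required when tokenIsSuppliedByHttpHeader is true")
        headers[cfg["tokenHeaderName"]] = access_token
    elif method == "POST":
        # Neither option set: fall back to the RFC 7662 section 2.1 form body.
        headers["Content-Type"] = "application/x-www-form-urlencoded"
        body = urllib.parse.urlencode({"token": access_token}).encode()
    else:
        raise ValueError("no way to pass the token: enable a query param, a header, or use POST")

    return method, url, headers, body


def evaluate_introspection_response(raw_body, now=None):
    """RFC 7662 section 2.2 rule: usable only if "active" is the JSON boolean
    true (the string "true" does not count) and "exp", when present, is still
    in the future. Returns (ok, payload_or_reason)."""
    now = time.time() if now is None else now
    try:
        data = json.loads(raw_body)
    except ValueError:
        return False, "malformed introspection response"
    if not isinstance(data, dict) or data.get("active") is not True:
        return False, "token inactive"
    exp = data.get("exp")
    if isinstance(exp, (int, float)) and exp <= now:
        return False, "token expired"
    return True, data


def introspect(config, access_token, timeout=5):
    """Send the request over the network and evaluate the answer (assumed wiring)."""
    method, url, headers, body = build_introspection_request(config, access_token)
    use_proxy = config.get("useSystemProxy", DEFAULTS["useSystemProxy"])
    # An empty ProxyHandler disables the environment proxies urllib picks up by default.
    opener = urllib.request.build_opener(*([] if use_proxy else [urllib.request.ProxyHandler({})]))
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with opener.open(req, timeout=timeout) as resp:
        return evaluate_introspection_response(resp.read().decode())


if __name__ == "__main__":
    # Same configuration as the first example above, with a constructed token.
    config = {
        "introspectionEndpoint": "https://my_authorization_server/oauth/check_token",
        "introspectionEndpointMethod": "POST",
        "clientId": "my-client",
        "clientSecret": "f2ddb55e-30b5-4a45-9db5-5e30b52a4574",
    }
    method, url, headers, body = build_introspection_request(config, "constructed-token")
    print(method, url)
    for name, value in headers.items():
        print(f"{name}: {value}")
    # Constructed response, shaped as an authorization server would return it.
    sample = '{"active": true, "client_id": "my-client", "scope": "read", "exp": 4102444800}'
    print(evaluate_introspection_response(sample))
```

Running the script prints the request for the first configuration example; with the table defaults (GET and `tokenIsSuppliedByQueryParam` true) the access token lands in the URL, which is exactly what the caveat in the table warns about. Flip `tokenIsSuppliedByQueryParam` to false and set `tokenHeaderName` to see the header variant, or leave both off with POST to get the plain RFC 7662 form body.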