Security using OAuth token

Not applicable

Hi, I want to pass my OAuth token in a query parameter rather than passing it in the header. How can I do the same?

6 REPLIES

You can move the Access Token using an Assign Message policy.

Hi @Shivani Mishra - By default, VerifyAccessToken expects the access token to be sent in an Authorization header. You can change that default using the <AccessToken> element.

For example, request.queryparam.access_token indicates that the access token should be present as a query parameter.

<AccessToken>request.queryparam.access_token</AccessToken>

More info here

@Shivani Mishra - Did this work? If not, let us know. If this resolved the issue, please accept the answer.

Not applicable

@Shivani Mishra,

Any specific reason for specifying the access token as part of the query param? The Authorization header is the recommended practice from a security perspective. Also, one has to remove the query param from the request before passing the request to the backend system.
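An added example, not part of the original thread and not Apigee's own sample: the two policies the replies above describe, one verifying the token from the `access_token` query parameter and one removing that parameter before the request goes to the backend. The policy names are assumptions, and each policy lives in its own file in the proxy bundle.

```xml
<!-- Policy 1 (hypothetical name): verify the token taken from the
     access_token query parameter instead of the Authorization header. -->
<OAuthV2 name="OAuth-Verify-Token-From-Query">
  <Operation>VerifyAccessToken</Operation>
  <AccessToken>request.queryparam.access_token</AccessToken>
</OAuthV2>

<!-- Policy 2 (hypothetical name): attach after Policy 1 in the request flow
     so the token is stripped from the URL before the call reaches the
     backend system. -->
<AssignMessage name="AM-Remove-Token-QueryParam">
  <Remove>
    <QueryParams>
      <QueryParam name="access_token"/>
    </QueryParams>
  </Remove>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
  <AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>
```

The removal step only affects what the backend receives; the token is still present in the URL the client sent to the proxy.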

If I got the bearer token for any other app/client, I can use that token to hit the API till its expiration, so in that case the token is compromised, right?

Not applicable

Your token is your responsibility. If you find it's mishandled, you can immediately invalidate that token.

If you want to avoid this scenario at all, then do use mTLS, which will ensure the correct source of the request.

You can also do source validation using options like JWT.