Update AccessTokenPrefix Not Working


When I update the access token prefix from Bearer (Default) to BearerToken, it still only validates requests with Bearer. I tested this with Postman, but I want it to be BearerToken since that is what Spring's OAuth2RestTemplate generates:

LoggingRequestInterceptor | REQUEST HEADERS : {Authorization=[BearerToken GWeOoUiHXWI8RONiFX335aN0IK5F].....


Here is the Policy:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="verify-oauth-v2-access-token">
    <DisplayName>Verify OAuth v2.0 Access Token</DisplayName>
    <Operation>VerifyAccessToken</Operation>
    <AccessTokenPrefix>BearerToken</AccessTokenPrefix>
</OAuthV2>

Is this correct?

Is there a way to specify both Bearer and BearerToken?


Hello @Jeremy Deane

It appears that this is a bug. It should use the BearerToken prefix that you entered.

An alternative approach is to use a JavaScript callout to replace BearerToken with Bearer (code is below).

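// Rewrite a leading "BearerToken" scheme to "Bearer" before VerifyAccessToken runs.
var authHeader = context.getVariable('request.header.authorization');
if (authHeader) {
    // Skip a missing header, and anchor on the start so the token itself is never altered.
    context.setVariable('request.header.authorization', authHeader.replace(/^BearerToken /, 'Bearer '));
}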

This would also address your second question, allowing both Bearer and BearerToken in the Authorization header. This would make the replacement only if BearerToken is present; otherwise it would leave it as Bearer. Any other prefix, or a missing prefix, would cause the verification to fail and a 401 should be returned to the client.
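
A stricter form of the callout above, as an added example that is not part of the original reply or of Apigee's own code: it accepts either scheme, checks the token against the RFC 6750 `b64token` syntax, and leaves anything else untouched so the VerifyAccessToken policy rejects it. It goes slightly beyond the reply by matching the scheme case-insensitively; `ACCEPTED_SCHEMES` and `normalizeAuthorization` are names chosen for this example.

```javascript
// Added example: normalise the Authorization scheme before VerifyAccessToken runs.
// ACCEPTED_SCHEMES and normalizeAuthorization are hypothetical names for this sketch.
var ACCEPTED_SCHEMES = ['bearer', 'bearertoken'];

// b64token syntax from RFC 6750 section 2.1.
var B64TOKEN = /^[A-Za-z0-9\-._~+\/]+=*$/;

// Returns "Bearer <token>" when the header carries an accepted scheme and a
// well-formed token; returns null when the header should be left as it is.
function normalizeAuthorization(headerValue) {
    if (headerValue === null || headerValue === undefined) {
        return null;                          // header missing
    }
    var parts = String(headerValue).trim().split(/\s+/);
    if (parts.length !== 2) {
        return null;                          // scheme without token, or extra fields
    }
    var scheme = parts[0].toLowerCase();      // auth scheme names are case-insensitive
    if (ACCEPTED_SCHEMES.indexOf(scheme) === -1) {
        return null;                          // e.g. Basic, or an unknown prefix
    }
    if (!B64TOKEN.test(parts[1])) {
        return null;                          // characters outside the b64token set
    }
    return 'Bearer ' + parts[1];
}

// Inside an Apigee JavaScript callout `context` is defined; elsewhere this is skipped.
if (typeof context !== 'undefined') {
    var normalized = normalizeAuthorization(
        context.getVariable('request.header.authorization'));
    if (normalized !== null) {
        context.setVariable('request.header.authorization', normalized);
    }
}
```

Only the scheme is rewritten, so a token that happens to contain the text `BearerToken` passes through unchanged.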

That worked perfectly. Thank you.

@swilliams are there any plans to fix the bug?