Hashing OAuth tokens


Hi, we are on OPDK version 4.15.07.08. We have been using the third-party OAuth system tokens (tokens are being generated in our in-house authentication system) for a while. We register the tokens generated in our in-house system in Apigee against a client ID, so on subsequent resource requests being made the token can be used as client ID identifiable information in Apigee. We wanted to know if

1. Apigee registers and stores this token in plain text. If yes, how can we confirm that?

2. If the token is registered in plain text, then can we use the steps mentioned in https://docs.apigee.com/api-platform/security/oauth/hashing-tokens to ensure that tokens are automatically hashed before they are stored?

3. Is the above link applicable to our current OPDK (4.15.07.08)?

4. Can we revert back this change if needed?

5. What other property values need to be explicitly set? Is it safe to say that unless explicitly specified in the curl call, none of the existing properties are automatically overridden?

6. What does the following feature in the curl call indicate: "features.isOAuthTokenFallbackHashingEnabled"? What should it be set to in our scenario?

7. Once the hash value is stored in Apigee, will Apigee automatically convert, compare and validate the plain text bearer token being sent by the consumer?

8. Does Apigee automatically delete revoked and expired tokens?

9. How do we convert existing tokens to hashed tokens and vice versa?

Thanks,

Vednath


Hi Vednath,

This is a pretty involved question.

I suggest that you engage an Apigee consultant to go through this with you.