Auth Token With Custom Value

maulikhdave
Participant II

Hello All,

I want to create Auth token with my product key.

so when i create Auth Token it contains product key.

so when Next Time Consumer Request Edge with

that Auth Token it contains some additional information Like Product Key and some of the Attribute which we generated at the time of creating Auth token.

i don't want to share my product key to anyone before it valid user so I want to share my product ket with auth token.

please let me know

0 1 157
1 REPLY 1

You mentioned validating the user. Based on that I'm inferring that you're using a password grant, or an authorization code grant. Using the <Attributes> element in the policy configuration,j You can attach "attributes" to the token at the time of generation. And you have the option of configuring these attributes to be shown to the client app, or hidden from the client app. For example, the following attaches two attributes, one of which is shown to the client app (display=true) and one of which is not (display=false)

  <Attributes>
    <Attribute name='authenticated_user'
               ref='userauth.user.email'
               display='true'>UNDEFINED</Attribute>
    <Attribute name='private_attribute'
               ref='something_private'
               display='false'>none</Attribute>
  </Attributes>

The full OAuthV2 policy to generate a token with Password grant looks like this:

<OAuthV2 name='OAuthV2-GenerateAccessToken-PG'>
  <Operation>GenerateAccessToken</Operation>
  <!-- 1800000 = 30 minutes -->
  <ExpiresIn ref='flow.variable'>1800000</ExpiresIn> 

  <!-- 28800000 = 8 hours -->
  <RefreshTokenExpiresIn>28800000</RefreshTokenExpiresIn>

  <SupportedGrantTypes>
    <!--
        for a password grant type, the client_id and client_secret must be
        passed in , in the Basic Auth header, as per the
        specification.
    -->
    <GrantType>password</GrantType>
  </SupportedGrantTypes>


  <!-- variable that specifies the requested grant type -->
  <GrantType>request.formparam.grant_type</GrantType>

  <!--
      Optional: these attributes get associated to the token.
      They will be available to the API proxy whenever the token is
      subsequently validated.
  -->
  <Attributes>
    <Attribute name='authenticated_user'
               ref='userauth.user.email'
               display='true'>UNDEFINED</Attribute>
    <Attribute name='grant_type'
               ref='request.formparam.grant_type'
               display='true'>UNDEFINED</Attribute>
    <Attribute name='private_attribute'
               ref='something_private'
               display='false'>none</Attribute>
  </Attributes>

  <GenerateResponse enabled='true'/>
  <!--

      If you include GenerateResponse and have enabled='true', then
      the response is sent directly to the caller. The payload looks like
      this:
      {
        "issued_at": "1420262924658",
        "authenticated_user": "Xiao",
        "refresh_token_issued_at": "1420262924658",
        "status": "approved",
        "refresh_token_status": "approved",
        "expires_in": "1799",
        "developer.email": "tesla@weathersample.com",
        "organization_id": "0",
        "token_type": "BearerToken",
        "refresh_token": "fYACGW7OCPtCNDEnRSnqFlEgogboFPMm",
        "client_id": "5jUAdGv9pBouF0wOH5keAVI35GBtx3dT",
        "access_token": "2l4IQtZXbn5WBJdL6EF7uenOWRsi",
        "refresh_token_expires_in": "288000",
        "refresh_count": "0"
      }

      If you omit GenerateResponse or have enabled='false', then
      these flow variables are set on success:

      oauthv2accesstoken.OAuthV2-GenerateAccessToken-PG.access_token
      oauthv2accesstoken.OAuthV2-GenerateAccessToken-PG.token_type
      oauthv2accesstoken.OAuthV2-GenerateAccessToken-PG.expires_in
      oauthv2accesstoken.OAuthV2-GenerateAccessToken-PG.refresh_token
      oauthv2accesstoken.OAuthV2-GenerateAccessToken-PG.refresh_token_expires_in
      oauthv2accesstoken.OAuthV2-GenerateAccessToken-PG.refresh_token_issued_at
      oauthv2accesstoken.OAuthV2-GenerateAccessToken-PG.refresh_token_status
  -->

</OAuthV2>

That policy will generate a token with stored attributes. At the time your API Proxy verifies such a token, the OAuthV2/VerifyAccessToken policy will implicitly load into context variables the values of these attributes.

If you employ different grant type, like authorization_code, it works the same way. Also you can attach attributes to the CODE, at the time you use OAuthV2/GenerateAuthorizationCode, and those attributes will automatically propagate to the token that you generate, during code/token exchange.

The idea of attaching custom attributes to a token s documented here.