Authentication URL
You can use an Authentication URL to specify a REST authentication service that manages user authentication, and optionally provide additional metadata to be embedded in the token.
This support can optionally enable any of the following:
- Provide the authenticated credential to API Connect. For example, the user logs in with user name spoon and password passw0rd. When the user is authenticated, the credential becomes cn=spoon,o=eatery. That credential is kept in the OAuth access_token to represent the user.
- Provide metadata support. Allow extra metadata to be kept in the access_token.
- Override the scope that the application receives after successful OAuth protocol processing. By responding with a specific header, the Authentication URL endpoint can replace the scope value that the application receives. For example, you can provide a specific resource owner an account number within the scope header response for use in future processing steps.
When you call the Authentication URL, the API Connect gateway sends a GET request with HTTP headers and then processes any HTTP response from the URL. For authentication, a REST authentication service is expected at the Authentication URL.
The following response from the REST authentication service indicates that user authentication is successful and that API Connect will use cn=spoon,o=eatery as the user identity:

HTTP/1.1 200 OK
Server: example.org
API-Authenticated-Credential: cn=spoon,o=eatery
API Connect considers any non-200 HTTP response code a failed user authentication attempt. Conversely, any 200 response from the service at that URL is accepted as a successful authentication, so the endpoint should be reachable only by the gateway and protected accordingly, because whatever answers there decides the identity that ends up in the access_token.
When the Authentication URL is invoked, two HTTP response headers are available for including metadata in the access token or in the response payload that contains the access token. For more information, see OAuth metadata URL and authentication URL. The two metadata response headers are:
API-OAUTH-METADATA-FOR-ACCESSTOKEN
API-OAUTH-METADATA-FOR-PAYLOAD
From version 5.0.7.3 onward, when the Authentication URL is invoked, an HTTP response header is available to override the scope requested by the application. For more information, see OAuth scope. The response header is:
x-selected-scope
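The following is an added example of a REST authentication service that could sit at an Authentication URL; it is not IBM's code and not part of the original page. It assumes the gateway forwards the user name and password in an HTTP Basic Authorization header and the application's requested scope in a hypothetical x-requested-scope header (the page does not state how either reaches the service), encodes the two metadata headers as JSON (the page does not specify a format), and uses a constructed in-memory user store in place of a directory. It returns 200 with API-Authenticated-Credential on success, the optional metadata headers, and an x-selected-scope that narrows the requested scope to an allow-list and appends the resource owner's account number; every failure path returns a non-200 status.

```python
"""Sample REST authentication service for an API Connect Authentication URL.

Assumptions (not stated on the page): credentials arrive as HTTP Basic auth,
the requested scope arrives in a hypothetical x-requested-scope header, and
metadata header values are JSON. USERS is a constructed sample user store.
"""
import base64
import hashlib
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Mapping, Optional, Tuple

_SALT = b"constructed-sample-salt"  # constructed; a real store keeps a per-user salt


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


# Constructed sample store: user name -> credential DN, password hash, account number.
USERS = {
    "spoon": {
        "credential": "cn=spoon,o=eatery",
        "password_hash": _hash("passw0rd"),
        "account": "ACCT-0042",
    },
}

# Scopes this service is willing to hand back via x-selected-scope.
ALLOWED_SCOPES = {"read", "write"}


def basic_header(user: str, password: str) -> str:
    """Build the Basic Authorization header value the gateway is assumed to send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic_auth(authorization: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (user, password) from a Basic Authorization header, or None if malformed."""
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(authorization[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def authenticate(headers: Mapping[str, str]) -> Tuple[int, dict]:
    """Decide the gateway's GET request; returns (status, response headers).

    Any non-200 status is a failed authentication. A 200 always carries
    API-Authenticated-Credential, the identity API Connect puts in the token.
    """
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    creds = parse_basic_auth(h.get("authorization"))
    if creds is None:
        return 401, {"WWW-Authenticate": 'Basic realm="eatery"'}
    user, password = creds
    record = USERS.get(user)
    # Hash for unknown users too, so response time does not reveal which names exist.
    expected = record["password_hash"] if record else _hash("")
    if record is None or not hmac.compare_digest(_hash(password), expected):
        return 401, {}

    response = {"API-Authenticated-Credential": record["credential"]}
    # Optional metadata: one value lands in the access_token, one in the token response payload.
    response["API-OAUTH-METADATA-FOR-ACCESSTOKEN"] = json.dumps({"account": record["account"]})
    response["API-OAUTH-METADATA-FOR-PAYLOAD"] = json.dumps({"tier": "standard"})
    # Optional scope override: keep only allow-listed requested scopes and add the
    # owner's account number, so the service can narrow scope but never widen it.
    requested = set((h.get("x-requested-scope") or "").split())
    selected = (requested & ALLOWED_SCOPES) | {f"account:{record['account']}"}
    response["x-selected-scope"] = " ".join(sorted(selected))
    return 200, response


class AuthHandler(BaseHTTPRequestHandler):
    def do_GET(self) -> None:
        status, resp_headers = authenticate(self.headers)
        self.send_response(status)
        for name, value in resp_headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, fmt, *args) -> None:
        pass  # do not log request lines; the Authorization header must never reach logs


if __name__ == "__main__":
    # Bind to loopback only; in practice front this with TLS and restrict it to the gateway.
    HTTPServer(("127.0.0.1", 8080), AuthHandler).serve_forever()
```

The handler never echoes the password, compares hashes with hmac.compare_digest, and treats the scope override as a privilege decision rather than a pass-through, which is the point to keep in mind when a service at this URL is allowed to replace the scope an application receives.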