Sideband access token validation
HTTP requests often include an access token with an Authorization
header using the bearer token scheme, as described by RFC 6750.
By default, if a Sideband API request contains an Authorization
header, the Sideband API processes the access token as follows:
- An access token validator parses and validates the access token, and the Sideband API adds the parsed access token claims to the policy request's HttpRequest.AccessToken field.
- If the access token has a subject, a token resource lookup method retrieves the subject's attributes, and the Sideband API adds them to the policy request's TokenOwner field.
In some cases, the parsing and validation performed by the access token validator duplicates processing that the API gateway has already performed. To eliminate this redundant processing, you can configure a Sideband API endpoint to use an external API gateway access token validator, a special access token validator that performs no parsing or validation of its own. The API gateway plugin then passes the parsed access token claims directly to the Sideband API, which ignores the Authorization header and accepts the parsed claims as-is. Because this validator trusts the claims exactly as the gateway supplies them, the gateway itself must validate the token before calling the Sideband API.
Example
The following example shows how to configure an external API gateway access token validator with a token resource lookup method and assign it to an existing Sideband API endpoint. The validator name used in the final command must match the name given when the validator was created:

dsconfig create-access-token-validator \
  --validator-name "API Gateway Access Token Validator" \
  --type external-api-gateway \
  --set enabled:true \
  --set evaluation-order-index:0

dsconfig create-token-resource-lookup-method \
  --validator-name "API Gateway Access Token Validator" \
  --method-name "Users by uid" \
  --type scim \
  --set scim-resource-type:Users \
  --set 'match-filter:uid eq "%sub%"' \
  --set evaluation-order-index:0

dsconfig set-sideband-api-endpoint-prop \
  --endpoint-name "My API" \
  --set "access-token-validator:API Gateway Access Token Validator"