To authenticate to The Server's HTTP services, clients use OAuth 2 bearer token authentication to present an access token in the HTTP Authorization request header.

To process the incoming access tokens, The Server uses access token validators, which determine whether to accept an access token and translate it into a set of properties, called claims, which The Server's HTTP services use to make access control decisions.

Most access tokens identify a user as their subject through the sub claim. An access token validator can retrieve that subject's attributes from the directory using an identity mapper, which correlates the token's subject with an LDAP entry.
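The validation flow described above (bearer header in, claims out, sub claim mapped to an LDAP entry), as an added illustration that is not part of The Server's own code: an HS256-signed JWT, a shared key, the in-memory DIRECTORY stand-in and the function names are all assumptions constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example: the validator's shared HMAC key and a tiny
# in-memory stand-in for the directory, keyed by entry DN.
SECRET = b"example-shared-secret"
DIRECTORY = {
    "uid=jdoe,ou=people,dc=example,dc=com": {"uid": "jdoe", "mail": "jdoe@example.com"},
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims: dict, key: bytes = SECRET) -> str:
    """Build an HS256 JWT; used here only to construct sample input."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def validate_bearer(auth_header: str, key: bytes = SECRET, now=None):
    """Access token validator: accept or reject the bearer token carried in
    an Authorization header and return its claims (None means reject)."""
    scheme, _, token = (auth_header or "").strip().partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None                      # wrong or missing scheme: reject
    parts = token.strip().split(".")
    if len(parts) != 3:
        return None                      # not a compact JWS: reject
    try:
        expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(parts[2])):
            return None                  # signature mismatch: reject
        claims = json.loads(_unb64url(parts[1]))
    except (ValueError, TypeError):
        return None                      # malformed encoding or JSON: reject
    now = time.time() if now is None else now
    if "exp" not in claims or claims["exp"] <= now:
        return None                      # missing or past expiry: reject
    return claims

def identity_mapper(claims: dict):
    """Correlate the token's sub claim to an LDAP entry by matching uid."""
    for dn, entry in DIRECTORY.items():
        if entry["uid"] == claims.get("sub"):
            return dn
    return None
```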

Access token validators are used by the following services:

  • Directory REST API
  • SCIM 2
  • Delegated Admin
  • Consent API

You can also configure The Server to accept access tokens presented by LDAP clients through the OAUTHBEARER Simple Authentication and Security Layer (SASL) authentication method.