Configuring Endpoint Call Processing

To configure OIDC ID token authentication call processing for an endpoint:

On the Call Transformations page, specify the following information in these fields:

  1. Processing Adapter: com.mashery.proxy.customer.generic.oidc-token-connector
  2. Perform Pre-Processing: Enabled
  3. Data to make available for pre-processing (one per line): the parameters listed below. Each parameter is given with its syntax (Data), an Example, and Notes.

userinfo_endpoint

Data:

  userinfo_endpoint: {
    regionCodeHeader: <Header parameter name that holds region code>
    regionCodeValue: {"<region1 code>":"<user info endpoint URI for region1>",
                      "<region2 code>":"<user info endpoint URI for region2>",
                      "<region3 code>":"<user info endpoint URI for region3>"}
    defaultURI: <default user info endpoint URI>
  }

Example:

  userinfo_endpoint: {
    regionCodeHeader: HTTP-REQUEST-REGION-KEY
    regionCodeValue: {"FR":"https://uki.acme-travel.com:9001/fr/userinfo",
                      "US":"https://uki.acme-travel.com:9001/en/userinfo",
                      "DE":"https://uki.acme-travel.com:9001/de/userinfo"}
    defaultURI: https://uki.acme-travel.com/en/userinfo
  }

Notes:

  Mandatory. The user info endpoint URI can be selected conditionally, based on a region code carried in a request header: the header named by regionCodeHeader is read, and its value is looked up in the regionCodeValue map. regionCodeHeader and regionCodeValue are optional; defaultURI is required and is the user info endpoint used when no region-specific URI is selected.

  If defaultURI is not present or not set, the call is blocked with 401 Unauthorized.

  regionCodeHeader and regionCodeValue must be configured together; conditional selection of the user info endpoint needs both.
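The selection logic the Notes describe, as an added Python example. This is not the Mashery connector's code: the config dict mirrors the Example column, while the function and class names (validate_userinfo_config, select_userinfo_uri, resolve_userinfo, ConnectorError), the case-insensitive match on the header name and the exact match on the region code are assumptions of this example. The point worth seeing in code is that the client-supplied region header is only ever a lookup key into the configured map, never part of a URL, and that both configuration rules from the Notes are enforced before any request is made.

```python
"""Added example (not TIBCO Mashery connector code): resolving the user info
endpoint from a userinfo_endpoint block.  Key names follow the page; the
function and class names are assumptions of this example."""

# Constructed sample: the page's Example column as a Python dict.
USERINFO_CONFIG = {
    "regionCodeHeader": "HTTP-REQUEST-REGION-KEY",
    "regionCodeValue": {
        "FR": "https://uki.acme-travel.com:9001/fr/userinfo",
        "US": "https://uki.acme-travel.com:9001/en/userinfo",
        "DE": "https://uki.acme-travel.com:9001/de/userinfo",
    },
    "defaultURI": "https://uki.acme-travel.com/en/userinfo",
}


class ConnectorError(Exception):
    """An error raised by the connector itself (as opposed to the IdP)."""

    def __init__(self, status, message):
        super().__init__(message)
        self.status = status


def validate_userinfo_config(cfg):
    """Enforce the rules from the Notes; returns cfg unchanged."""
    if not cfg.get("defaultURI"):
        # Notes: if defaultURI is not present or set, the call is blocked with 401.
        raise ConnectorError(401, "userinfo_endpoint.defaultURI is missing")
    if ("regionCodeHeader" in cfg) != ("regionCodeValue" in cfg):
        # Notes: regionCodeHeader and regionCodeValue are configured together.
        raise ConnectorError(401, "regionCodeHeader and regionCodeValue must both be set")
    if "regionCodeValue" in cfg and not isinstance(cfg["regionCodeValue"], dict):
        raise ConnectorError(401, "regionCodeValue must map region code -> URI")
    return cfg


def select_userinfo_uri(cfg, request_headers):
    """Return the user info URI to call for one request.

    The region header is client-controlled, so it is used only as a lookup key
    into the configured regionCodeValue map (an allow-list of URIs) and is
    never spliced into a URL.  Unknown or absent region codes fall back to
    defaultURI.
    """
    validate_userinfo_config(cfg)
    header_name = cfg.get("regionCodeHeader")
    if header_name is None:
        return cfg["defaultURI"]
    # HTTP header names are case-insensitive, so the configured name is matched
    # case-insensitively; region code values are matched exactly as configured.
    wanted = header_name.lower()
    region = next((v for k, v in request_headers.items() if k.lower() == wanted), None)
    if region is None:
        return cfg["defaultURI"]
    return cfg["regionCodeValue"].get(region, cfg["defaultURI"])


def resolve_userinfo(cfg, request_headers):
    """Status-code flavoured wrapper: (200, uri) on success, (401, None) otherwise."""
    try:
        return 200, select_userinfo_uri(cfg, request_headers)
    except ConnectorError as err:
        return err.status, None


if __name__ == "__main__":
    for hdrs in ({"HTTP-REQUEST-REGION-KEY": "DE"}, {"http-request-region-key": "JP"}, {}):
        print(hdrs, "->", resolve_userinfo(USERINFO_CONFIG, hdrs))
```

With the page's example config, a request carrying `HTTP-REQUEST-REGION-KEY: DE` resolves to the German user info URI, an unknown code such as `JP` or a missing header resolves to defaultURI, and a config without defaultURI, or with only one of regionCodeHeader/regionCodeValue, is rejected with 401 before any outbound call.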

inject_headers

Data:

  inject_headers: {"<HEADER1_NAME>":"<JSONPathExpression>","<HEADER2_NAME>":"<JSONPathExpression>",..}

Example (header maps keyed by region code, with a "default" map):

  inject_headers: {
    "US": {
      "X-User-Email": "$.uid",
      "X-Unit-Id": "$.b2bUnitId",
      "X-Account-Number": "$.erpAccountNumber"
    },
    "default": {
      "X-User-Id": "$.email",
      "X-Unit-Id": "$.b2bUnitId",
      "X-Account-Number": "$.erpAccountNumber"
    }
  }

Notes:

  Optional; key:value pairs. Used when the user info endpoint returns a JSON response with additional detail after successful validation.

  A header is injected only when its JSONPath expression finds a value in the JSON response; headers whose expression matches nothing are not added.

  Injected header values must support UTF-8, for internationalization and for special characters such as "name": "Claes Rosenlöf".

block_authorization_header

Data:

  block_authorization_header: <true/false>

Example:

  block_authorization_header: false

Notes:

  Optional; boolean, true or false. Default value: true.

  Note: this setting applies only to the access token (the Authorization header): true blocks it, false forwards it to the resource server.
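The header injection and access-token blocking rules from the inject_headers and block_authorization_header entries, as one added Python example; it is not Mashery's connector code. It implements a small JSONPath subset ("$" root, ".name" member access, "[n]" index) that covers the expressions on this page, selects the per-region header map by region code with "default" as the fallback as in the example above, and injects a header only when its expression resolves. The sample user info response, the three extra header entries (X-User-Name, X-Primary-Role, X-Phone), the helper names, and the rule that a client-supplied header with the same name as an injected one is dropped before injection are assumptions of this example.

```python
"""Added example (not TIBCO Mashery connector code): building the header set
forwarded to the resource server from inject_headers and
block_authorization_header.  Key names follow the page; helper names and
sample data are assumptions of this example."""
import json
import re

# Constructed sample: the page's per-region inject_headers example, extended
# with three assumed entries (X-User-Name, X-Primary-Role, X-Phone).
INJECT_CONFIG = {
    "US": {
        "X-User-Email": "$.uid",
        "X-Unit-Id": "$.b2bUnitId",
        "X-Account-Number": "$.erpAccountNumber",
        "X-User-Name": "$.name",
        "X-Phone": "$.phone",  # absent from the sample response: not injected
    },
    "default": {
        "X-User-Id": "$.email",
        "X-Unit-Id": "$.b2bUnitId",
        "X-Account-Number": "$.erpAccountNumber",
        "X-Primary-Role": "$.roles[0]",
    },
}

# Constructed sample: a user info JSON response after successful validation.
USERINFO_RESPONSE = {
    "sub": "user-1234",
    "uid": "claes@example.com",
    "email": "claes@example.com",
    "name": "Claes Rosenlöf",
    "b2bUnitId": "unit-42",
    "erpAccountNumber": "ACC-001",
    "roles": ["buyer", "approver"],
}

_TOKEN = re.compile(r"\.([A-Za-z_][A-Za-z0-9_\-]*)|\[(\d+)\]")


def jsonpath_get(doc, path):
    """Minimal JSONPath subset: '$' root, '.name' member access, '[n]' index.
    Returns (True, value) when the path resolves and (False, None) when any
    step is missing, so callers can tell 'absent' apart from a null value."""
    if not path.startswith("$"):
        raise ValueError("JSONPath expression must start with '$'")
    pos, cur = 1, doc
    while pos < len(path):
        m = _TOKEN.match(path, pos)
        if m is None:
            raise ValueError(f"unsupported JSONPath syntax: {path[pos:]!r}")
        name, index = m.group(1), m.group(2)
        if name is not None:
            if not isinstance(cur, dict) or name not in cur:
                return False, None
            cur = cur[name]
        else:
            if not isinstance(cur, list) or int(index) >= len(cur):
                return False, None
            cur = cur[int(index)]
        pos = m.end()
    return True, cur


def header_map_for(inject_cfg, region):
    """Keyed form: the map for `region`, else the "default" map.
    Flat form (header -> JSONPath): used as is."""
    if inject_cfg and all(isinstance(v, dict) for v in inject_cfg.values()):
        return inject_cfg.get(region) or inject_cfg.get("default") or {}
    return inject_cfg


def build_backend_headers(client_headers, userinfo, inject_cfg, region=None,
                          block_authorization_header=True):
    """Headers to send to the resource server for one validated request."""
    to_inject = header_map_for(inject_cfg, region)
    reserved = {name.lower() for name in to_inject}
    out = {}
    for name, value in client_headers.items():
        low = name.lower()
        if low == "authorization" and block_authorization_header:
            continue  # true (page default): the access token is not forwarded
        if low in reserved:
            continue  # assumed hardening: clients cannot pre-set injected names
        out[name] = value
    for name, path in to_inject.items():
        found, value = jsonpath_get(userinfo, path)
        if not found:
            continue  # page: inject only when the expression matches
        out[name] = value if isinstance(value, str) else json.dumps(value, ensure_ascii=False)
    return out


def encode_for_wire(headers):
    """Names are ASCII; values are emitted as UTF-8 bytes so that a value like
    'Claes Rosenlöf' reaches the backend intact (page: values must support UTF-8)."""
    return [(name.encode("ascii"), value.encode("utf-8")) for name, value in headers.items()]
```

For a US request the US map applies, so X-User-Email is taken from $.uid, X-Phone is skipped because the response has no phone field, and the client's own Authorization header is dropped while block_authorization_header is true; a FR request falls through to the "default" map and gets X-User-Id from $.email instead. Dropping client-supplied copies of the injected header names is this example's choice, not something the page states about the connector, but without it a caller could pre-fill X-User-Email and rely on the backend not noticing when injection is skipped.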

error_metadata_location

Data:

  error_metadata_location: <Error response metadata location>

Example:

  error_metadata_location: ResponseHeaders

Notes:

  Optional; string. Identifies where the error information returned to the client on an error condition is taken from. Possible values:

    ResponsePayload
    ResponseHeaders

error_header_name

Data:

  error_header_name: <Response header name>

Example:

  error_header_name: WWW-Authenticate

Notes:

  Optional; string. The response header that contains the error message (used with error_metadata_location: ResponseHeaders).

error_payload_location

Data:

  error_payload_location: <JSONPath Expression>

Example:

  error_payload_location: $.errorMessage

Notes:

  Optional; string. A JSONPath expression used to retrieve the error information from the OpenID error response payload (used with error_metadata_location: ResponsePayload). The value retrieved with the expression is set as the HTTP response body.

http_proxy_server

Data:

  http_proxy_server: <string>

Example:

  http_proxy_server: squid.example.com

Notes:

  Optional; string. Proxy server through which userinfo_endpoint is retrieved. Only one third-party proxy server is supported per endpoint.

http_proxy_port

Data:

  http_proxy_port: <integer>

Example:

  http_proxy_port: 3128

Notes:

  Optional; integer. Port of the proxy server through which userinfo_endpoint is retrieved.

enable_error_set

Data:

  enable_error_set: <true/false>

Example:

  enable_error_set: true

Notes:

  Optional; boolean, true or false. Default value: false. The value "true" is matched case-insensitively.

  If enable_error_set is "true", TIBCO Mashery responds with ERR_403_NOT_AUTHORIZED, a Gateway-supported error message; the connector's HTTP response status code and status text are then overridden by the error set defined for that endpoint in Mashery Control Center. This override applies only to errors thrown by the Mashery Connector itself. An error returned by the third-party OpenID IdP is not overridden.

  If enable_error_set has any value other than "true", the existing behaviour of the Mashery Connector is unchanged: it responds with ERR_401_UNAUTHORIZED when the backend server returns a 401 response code for an unauthorized call.
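The error handling described by the error_metadata_location, error_header_name, error_payload_location and enable_error_set entries, as one added Python example; it is not Mashery's code. It models the 401 case the page discusses: an IdP error is relayed to the client from the configured header or JSONPath location and is never overridden by the error set, while an error raised by the connector itself is mapped to ERR_403_NOT_AUTHORIZED with the endpoint's error set when enable_error_set is true (matched case-insensitively) and to ERR_401_UNAUTHORIZED otherwise. The failure classes, the shape of the error-set dict, the sample IdP response, and the restriction to simple "$.a.b" member paths for error_payload_location are assumptions of this example.

```python
"""Added example (not TIBCO Mashery connector code): turning a failed user
info validation into the client response, following the error_* and
enable_error_set entries.  Key names follow the page; the classes, the
error-set dict shape and the sample data are assumptions of this example."""
import json


class ConnectorFailure(Exception):
    """Raised by the connector itself, e.g. for a missing defaultURI."""


class IdpFailure(Exception):
    """The third-party OpenID IdP rejected the user info call."""

    def __init__(self, status, headers, body):
        super().__init__(f"IdP returned {status}")
        self.status, self.headers, self.body = status, headers, body


# Constructed sample: an endpoint error set as it might be defined in Mashery
# Control Center (dict shape assumed here): gateway error code -> response.
ENDPOINT_ERROR_SET = {
    "ERR_403_NOT_AUTHORIZED": {"status": 403, "text": "Not Authorized",
                               "body": '{"error":"not authorized"}'},
}


def error_set_enabled(cfg):
    """enable_error_set is case-insensitive; anything other than 'true' is off."""
    return str(cfg.get("enable_error_set", "false")).strip().lower() == "true"


def _simple_path(doc, path):
    """Member-only JSONPath ('$.a.b'); returns None when a step is missing."""
    cur = doc
    for key in [k for k in path.lstrip("$").split(".") if k]:
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def extract_idp_error(cfg, failure):
    """Pull the error message from the IdP response at the configured location."""
    location = cfg.get("error_metadata_location")
    if location == "ResponseHeaders":
        header = cfg.get("error_header_name")
        if header is None:
            return None
        return next((v for k, v in failure.headers.items() if k.lower() == header.lower()), None)
    if location == "ResponsePayload":
        path = cfg.get("error_payload_location")
        if path is None:
            return None
        try:
            payload = json.loads(failure.body.decode("utf-8"))
        except (UnicodeDecodeError, ValueError):
            return None  # not JSON: relay nothing rather than guess
        value = _simple_path(payload, path)
        if value is None:
            return None
        return value if isinstance(value, str) else json.dumps(value)
    return None


def respond_to_failure(cfg, failure, error_set):
    """Build {'code', 'status', 'text', 'headers', 'body'} for the client."""
    if isinstance(failure, ConnectorFailure):
        if error_set_enabled(cfg):
            # page: connector errors become ERR_403_NOT_AUTHORIZED, with status
            # code and text overridden by the endpoint's error set
            entry = error_set["ERR_403_NOT_AUTHORIZED"]
            return {"code": "ERR_403_NOT_AUTHORIZED", "status": entry["status"],
                    "text": entry["text"], "headers": {}, "body": entry["body"]}
        return {"code": "ERR_401_UNAUTHORIZED", "status": 401, "text": "Unauthorized",
                "headers": {}, "body": ""}
    # IdP errors are relayed as 401 and never overridden by the error set.
    resp = {"code": "ERR_401_UNAUTHORIZED", "status": 401, "text": "Unauthorized",
            "headers": {}, "body": ""}
    message = extract_idp_error(cfg, failure)
    if message is not None:
        if cfg.get("error_metadata_location") == "ResponseHeaders":
            resp["headers"][cfg["error_header_name"]] = message
        else:
            resp["body"] = message
    return resp
```

With error_metadata_location: ResponseHeaders and error_header_name: WWW-Authenticate, the IdP's WWW-Authenticate value is copied onto the 401 sent to the client; with ResponsePayload and error_payload_location: $.errorMessage, the extracted string becomes the response body. Only a ConnectorFailure is affected by enable_error_set, which is why the same IdP rejection produces a 401 whether or not the flag is set.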