This policy is used to create a Token endpoint project to generate access tokens. The token endpoint API is used by the client to obtain an access token by presenting its authorization grant or refresh token along with valid credentials. In general, one instance of the Token endpoint API project is sufficient for the entire API Management Product.

Configuration


Figure 1: OAuth Token End Policy Configuration attributes

The properties that have to be configured to use the policy are described below.

| Property | Description |
| --- | --- |
| Access Token Expiry Time | Provide the required expiry time (select the unit of choice from the drop-down) for the generated access token. |
| Refresh Token Expiry Time | Provide the required expiry time (select the unit of choice from the drop-down) for the generated refresh token. |
| Enable PKCE | Enable this to gain additional security using Proof Key for Code Exchange (PKCE). |

Attributes

Custom attributes to be added in access token or authorization code.

These are embedded with the access token and can be extracted and checked during runtime.

When custom attributes are added to an authorization code, these will be inherited by the access token generated from that code.

Custom attributes are displayed with the access and refresh tokens in JSON format.

Usage based on Grant Types

This policy is used with every authorization grant except the implicit grant type, where an access token is issued directly.

The request to the OAuth Token End Point has to be constructed with the following parameters using POST:

Authorization Code

To configure OAuth authorization using the Authorization Code grant type, refer to Step 2 in the Using Authorization Code section.

If the access token request is valid and authorized, the authorization server issues an access token and optional refresh token.

Resource Owner Password Credentials

To configure OAuth authorization using the Resource Owner Password Credentials grant type, refer to the Using Password section.

If the access token request is valid and authorized, the authorization server issues an access token.

Client Credentials

To configure OAuth authorization using the Client Credentials grant type, refer to the Using Client Credentials section.
