Send Docs Feedback

Note: Most user interface tasks can be performed in Edge Classic or the New Edge experience. For an overview, getting started topics, and release notes specific to the New Edge experience, see the docs.

Set OAuth V2 Info policy

What

Lets you add or update custom attributes associated with an access token. Custom attributes might include things like department name, a customer ID, or a session identifier. See also Customizing tokens and auth codes.

You can only add or modify custom attributes. You cannot use this policy to change fields like scope, status, expires_in, developer_email, client_id, org_name, or refresh_count. If an attribute already exists, this policy updates it. If it does not exist, the policy adds it. The access token referenced must be valid and in an approved state.

 

Where

This policy can be attached in the following locations. See the Samples for specific attachment guidance in different situations.

ProxyEndpoint TargetEndpoint
    PreFlow Flow PostFlow PreFlow Flow PostFlow    
Request    
    レスポンス
    PostFlow Flow PreFlow PostFlow Flow PreFlow    

Samples

Below is an example policy used to update an OAuth 2.0 access token. The example below locates the access token on the request message by looking for a query parameter called access_token. When an access token is presented by a client app, the policy below will locate the access token in the query parameter. It will then update the access token's profile. It adds a custom property called department.id to the profile. 

<SetOAuthV2Info name="SetOAuthV2Info"> 
  <AccessToken ref="request.queryparam.access_token"></AccessToken>
  <Attributes>
    <Attribute name="department.id" ref="request.queryparam.department_id"></Attribute>
  </Attributes>
</SetOAuthV2Info>

If an attribute already exists in the access token profile, then it will be updated with the new value in the policy. If an attribute does not exist, then the attribute will be added to the access token's profile.


Element Reference

The element reference describes the elements and attributes of the SetOAuthV2 policy.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<SetOAuthV2Info async="false" continueOnError="false" enabled="true" name="SetOAuthV2Info-1">    
    <DisplayName>Set OAuth v2.0 Info 1</DisplayName>
    <AccessToken ref={some-variable}></AccessToken>
    <Attributes/>
</SetOAuthV2Info>
</xml>

<SetOAuthV2Info> attributes

<SetOAuthV2Info async="false" continueOnError="false" enabled="true" name="Set-OAuth-v20-Info-1">

The following attributes are common to all policy parent elements.

Attribute 説明 デフォルト Presence
name

The internal name of the policy. Characters you can use in the name are restricted to: A-Z0-9._\-$ %. However, the Edge management UI enforces additional restrictions, such as automatically removing characters that are not alphanumeric.

Optionally, use the <DisplayName> element to label the policy in the management UI proxy editor with a different, natural-language name.

該当なし Required
continueOnError

Set to false to return an error when a policy fails. This is expected behavior for most policies.

Set to true to have flow execution continue even after a policy fails.

false Optional
enabled

Set to true to enforce the policy.

Set to false to "turn off" the policy. The policy will not be enforced even if it remains attached to a flow.

true Optional
async

This attribute is deprecated.

false Deprecated

<DisplayName> element

Use in addition to the name attribute to label the policy in the management UI proxy editor with a different, natural-language name.

<DisplayName>Policy Display Name</DisplayName>
Default:

該当なし

If you omit this element, the value of the policy's name attribute is used.

Presence: Optional
Type: 文字列

 

<AccessToken> element

Identifies the variable where the access token is located. For example, if the access token is attached to request message as a query parameter, specify request.queryparam.access_token. You can use any valid variable that references the token. Or, could pass in the literal token string (rare case).

 <AccessToken ref="request.queryparam.access_token"></AccessToken>
Default: 該当なし
Presence: Required
Type: 文字列

属性

Attribute 説明 デフォルト Presence
ref

An access token variable. Typically, retrieved from a flow variable.

該当なし Optional

<Attributes> element

A set of attributes in the access token profile that will be modified or augmented.

Default: 該当なし
Presence: Required
Type: 該当なし

<Attributes>/<Attribute> element

An individual attribute to update.

The name attribute identifies the custom property of the access token profile to be updated. This example shows how to use a referenced variable value and a static value. 

  <Attributes>
    <Attribute name="department.id" ref="request.queryparam.department_id"></Attribute>
    <Attribute name="foo">bar</Attribute>
  </Attributes>
Default: 該当なし
Presence: Optional
Type: 該当なし

属性

Attribute 説明 デフォルト Presence
name The name of the profile attribute to add or change. 該当なし  
ref

The value to assign to the profile attribute.

該当なし Optional

 

Flow variables

On success, the following flow variables will be set:

  • oauthv2accesstoken.{policyName}.access_token
  • oauthv2accesstoken.{policyName}.client_id
  • oauthv2accesstoken.{policyName}.refresh_count
  • oauthv2accesstoken.{policyName}.organization_name
  • oauthv2accesstoken.{policyName}.expires_in
  • oauthv2accesstoken.{policyName}.refresh_token_expires_in
  • oauthv2accesstoken.{policyName}.issued_at
  • oauthv2accesstoken.{policyName}.status
  • oauthv2accesstoken.{policyName}.api_product_list
  • oauthv2accesstoken.{policyName}.token_type
  • oauthv2accesstoken.{policyName}.{custom_attribute_name}

スキーマ

Each policy type is defined by an XML schema (.xsd). For reference, policy schemas are available on GitHub.

Error reference

This section describes the error messages and flow variables that are set when this policy triggers an error. This information is important to know if you are developing fault rules for a proxy. To learn more, see What you need to know about policy errors and Handling faults.

Error code prefix

steps.oauth.v2 (What's this?)

Runtime errors

These errors can occur when the policy executes. The error names shown below are the strings that are assigned to the fault.name variable when an error occurs. See the Fault variables section below for more details.

Error name HTTP status Cause
invalid_access_token 500 The access token sent to the policy is invalid.
expired_access_token 500 The access token sent to the policy is expired.

Deployment errors

Refer to the message reported in the UI for information about deployment errors.

Fault variables

These variables are set when this policy triggers an error at runtime.

You an use these variables to create Fault Rule conditions. For more information, see What you need to know about policy errors.

Variables set (Learn more) Where
[prefix].[policy_name].failed The [prefix] is oauthV2.
The [policy_name] is the name of the policy that threw the error.
oauthV2.SetTokenInfo.failed = true
[prefix].[policy_name].fault.name The [prefix] is oauthV2.
The [policy_name] is the name of the policy that threw the error.

oauthV2.SetTokenInfo.fault.name = invalid_access_token

[prefix].[policy_name].fault.cause The [prefix] is oauthV2.
The [policy_name] is the name of the policy that threw the error.
oauthV2.SetTokenInfo.cause = Invalid Access Token
fault.name = [error_name] [error_name] is the specific error name to check for as listed in the table above. fault.name = "invalid_access_token"

Example error response

{
  "fault": {
    "faultstring": "Invalid Access Token",
    "detail": {
      "errorcode": "keymanagement.service.invalid_access_token"
    }
  }
}

Example fault rule

<FaultRule name=SetOAuthV2Info Faults">
    <Step>
        <Name>AM-InvalidTokenResponse</Name>
        <Condition>(fault.name = "invalid_access_token")</Condition>
    </Step>
    <Condition>(oauthV2.failed = true) </Condition>
</FaultRule>

関連トピック

Help or comments?