Client-Specific Customization

In OAuth Manager, you can configure settings for OAuth Clients and Client Keys through the Custom Field.  Expressed as a JSON message, this configuration is stored in the ${custom} variable. You can then use this variable for client specific configuration within policy.
Set Parameter Values in the Custom Field for a Client (or Client Key)
To set parameter values in the Custom JSON Field for a client or client key:
  1. Open a browser and go to: https://<yourgatewayURL>:8443/<instanceModifier>/oauth/manager
  2. Provide a username and password. The type of access you are granted depends on your user role.
  3. Click Clients.
  4. Select a client and click Edit. The Edit page appears with a Custom Field that accepts JSON content.
  5. Provide JSON content that configures parameters for this client.
  6. Click Update Client.
Similarly, you can click List Keys for a client, then Edit. Provide custom JSON values for the client key and click Save. For example:
[Screenshot: listKeys.png]
How the Custom Field Content is Stored
The custom field contents are stored in the ${custom} variable that has the following structure:
{"client_custom": ${client_custom}, "client_key_custom": ${client_key_custom}}
Add Custom Logic to Extend the #Policy
Refer to the examples for the nesting logic.
Tasks include:
  • Creating a custom_json Context variable to hold the JSON message content provided by the ${custom} variable.
  • Using an Evaluate JSON Path Expression assertion to extract the key/value pairs.
  • Adding a Compare Expression assertion to check if any custom values were set.
  • Overwriting the default setting for the client with the custom values.
Set Context Variable: custom_json
Add a Set Context Variable assertion called custom_json to hold the content of ${custom}. The ${custom} variable contains the JSON message parameter settings for the client and client key.
Use the following settings for the Set Context Variable assertion:
Variable Name – custom_json
Data Type – Message
Content-Type – application/json; charset=UTF-8
Expression – ${custom}
Evaluate JSON Path Expression
Set up the Evaluate JSON Path Expression to capture the parameters.
Use the following settings for the Evaluate JSON Path Expression assertion:
Expression – Identify the parameters you want to extract. For example: $..lifetimes.oauth2_access_token_lifetime_sec
Source – Click Other Message Variable and type custom_json. This identifies where to find the custom content.
Destination – Create a new variable prefix to identify the result of the extraction. For example: the prefix at_lifetime produces at_lifetime.result, which holds the custom access token lifetime value.
[Screenshot: evalJSON.png]
Add a Compare Expression Assertion
Add a Compare Expression assertion to check if any custom values are set. The expression is specific to the parameters you are checking. For example, use the following settings to check whether the "lifetimes" element exists in the JSON message:
Variable – custom_json
Data Type – Unknown/Other
If Multivalued – All values must pass
Add – Simple Comparison
Set up the Simple Comparison rule as: (does) contain, with Right Expression set to lifetimes (or whatever element you are checking for).
Case Sensitive – unclick
Overwrite the Default Setting of the Context Variable
Add a Set Context Variable assertion to overwrite the parameter with the result of the JSON extraction. The result of the JSON extraction is stored in a variable created with the assigned Variable Prefix in the following format: variablePrefix.result
Hover your mouse over the Evaluate JSON Path Expression assertion to see what variables are automatically created. In the following example, the Variable Prefix is added to .found, .count, .result, and .results.
[Screenshot: hoverEval.png]
The Set Context Variable has the following properties:
Variable Name – The Context Variable you are customizing for this client. For example: oauth2_access_token_lifetime_sec
Expression – The variable where the extracted value from the JSON message is stored. For example: ${at_lifetime.result}
Client-Specific Customization Examples
The following examples show how client-specific customization can be implemented:
Customizing Token Lifetime for a Specific Client
The following policy example shows how custom settings for the access token lifetime and refresh token lifetime are set for a specific client. The configuration is performed in the #OTK Token Lifetime Configuration policy.
[Screenshot: tokenLifetimeCustom.png]
Customizing Token Behavior for a Specific Client Identified by Client Key
The following example shows how the #OTK Storage Configuration policy was extended to provide global defaults and custom token behavior for a specific client key.
The logic includes:
  • Global configuration by setting default values for the following Context Variables: max_oauth_token_count = 5 and max_oauth_token_behaviour = error.
  • Specific configuration for clients/client keys that overrides the global configuration. For the Client Key, the following custom values are set:
    [Screenshot: tokenCountCustom.png]
  • Similarly, the following custom values are set for the client: {"max_token_count": 7, "max_token_behaviour": "cycle"}
  • This configuration is not applicable to the CLIENT CREDENTIALS grant type.
The policy can be coded as follows:
[Screenshot: policyCountCustom.png]
Global Token Count
The global section sets the rule. It contains Context Variables that establish default values for all clients. There is no check required for the ${custom} variable.
The code determines the following global behavior:
  • With max_oauth_token_count set to 5, all clients can access four additional instances of the same app without logging out of the first instance.
  • When a client attempts to log into more than five instances, the max_oauth_token_behaviour setting indicates that an error is returned.
Per-Client Token Count
The per-client section sets the exception to the rule. It contains logic that checks for any content within the ${custom} variable, extracts the values of parameters associated with the client and client key, then overrides the default global setting of these parameters for the specific client.
The code to set per-client behavior is as follows:
  • The custom_json Context Variable holds the ${custom} variable contents.
  • The JSON contents are extracted.
  • If the max_oauth_token_count is found in the JSON object, the Context Variable max_oauth_token_count is set to its associated value.
In this example, because the Client Custom and Client Key Custom fields are both set, the Client Key Custom takes precedence as it is the first assertion code block found to be true.
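The override logic from the "Add Custom Logic" section and the Per-Client Token Count example above, written out as an added Python example; it is not OTK code or the page's policy. It assumes the custom JSON keys map to the context variables as in the token-count example, that client_key_custom is checked before client_custom, and the client-key values in the sample are constructed.

```python
import json

# Global defaults, as in the "#OTK Storage Configuration" example on this page.
GLOBAL_DEFAULTS = {
    "max_oauth_token_count": 5,
    "max_oauth_token_behaviour": "error",
}

# Context variable -> key inside the Custom Field JSON. The JSON key names are the
# ones the page shows for the client; pairing them this way is an assumption.
CUSTOM_KEYS = {
    "max_oauth_token_count": "max_token_count",
    "max_oauth_token_behaviour": "max_token_behaviour",
}

def find_key(node, key):
    """Recursive-descent lookup, like the $..key JSON path used on the page."""
    if isinstance(node, dict):
        if key in node:
            return node[key]
        children = list(node.values())
    elif isinstance(node, list):
        children = node
    else:
        return None
    for child in children:
        hit = find_key(child, key)
        if hit is not None:
            return hit
    return None

def as_object(section):
    """A section may be absent, null, or a JSON string; normalise to a dict (assumption)."""
    if isinstance(section, str):
        section = json.loads(section) if section.strip() else {}
    return section if isinstance(section, dict) else {}

def resolve_settings(custom_json):
    """Mirror the policy: the first section (client key, then client) that carries a
    checked element overrides the defaults; otherwise the global values apply."""
    settings = dict(GLOBAL_DEFAULTS)
    custom = json.loads(custom_json) if custom_json.strip() else {}
    for section_name in ("client_key_custom", "client_custom"):  # precedence order
        section = as_object(custom.get(section_name))
        if not any(find_key(section, k) is not None for k in CUSTOM_KEYS.values()):
            continue                                              # Compare Expression false
        for var, key in CUSTOM_KEYS.items():
            value = find_key(section, key)
            # Accept only an override of the same type as the default: a string where an
            # integer is expected would otherwise break the policy that consumes it.
            if value is not None and type(value) is type(settings[var]):
                settings[var] = value
        break                                                     # first true block wins
    return settings

# Constructed sample: the client values come from the page, the client-key values are made up.
SAMPLE_CUSTOM = json.dumps({
    "client_custom": {"max_token_count": 7, "max_token_behaviour": "cycle"},
    "client_key_custom": {"max_token_count": 3},
})
```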