Tuesday, March 25, 2014

OAuthV2 Policy Nuances

A few points to keep in mind when working with the OAuthV2 policy.

1.  The XML elements in the OAuthV2 policy take references instead of values

In AssignMessage and other policies, variable references are specified using a Ref tag or Ref attribute.

 <QueryParam name="local_grant_type" Ref="grant_type">password</QueryParam>

The content of the QueryParam tag above is the literal value password. Consider the following OAuthV2 policy:

 <GrantType>password</GrantType>
 <SupportedGrantTypes>
   <GrantType>password</GrantType>
 </SupportedGrantTypes>

The content of the outer GrantType tag is a reference to a variable named password, not a literal value. The inner GrantType tag contains password as a literal value. All tags outside the SupportedGrantTypes and Attributes tags treat their content as variable references.
This is mentioned in the documentation too; however, it is easy to miss because the behaviour differs from that of other policies.


2. The password tag in the OAuthV2 policy is <PassWord>variable_containing_password</PassWord>. Note the capital W in PassWord.


3. The value inside an Attribute tag is either a variable name or literal content.


  • <Attribute>{phone}</Attribute>  
  • <Attribute>phone: {phone}</Attribute>


In the first case, the value of the variable phone is stored as an attribute of the access token. In the second case, however, no interpolation of the phone variable occurs: the attribute will have the literal value phone: {phone}. A JavaScript policy is one option for building such a mixed-content string.
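The three points above can be checked mechanically before a policy is deployed. The following is an added example, not code from the original post or from Apigee: a small Python lint that flags a grant-type literal where a variable reference is expected, a misspelled PassWord tag, and an Attribute with mixed content. The policy name, the flow variable names and the list of grant-type literals are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: grant type names that are valid literals inside <SupportedGrantTypes>.
GRANT_LITERALS = {"password", "authorization_code", "client_credentials", "implicit"}
WHOLE_VAR = re.compile(r"^\{[^{}]+\}$")  # content is exactly one {variable}
ANY_VAR = re.compile(r"\{[^{}]+\}")      # a {variable} appears somewhere in the content


def lint_oauthv2(policy_xml):
    """Return (tag, message) findings for one OAuthV2 policy document."""
    findings = []
    for child in ET.fromstring(policy_xml):
        text = (child.text or "").strip()
        if child.tag == "SupportedGrantTypes":
            continue  # children here are literals by design (point 1)
        if child.tag == "Attributes":
            for attr in child.iter("Attribute"):
                value = (attr.text or "").strip()
                # Point 3: "{phone}" is resolved, "phone: {phone}" is stored as-is.
                if ANY_VAR.search(value) and not WHOLE_VAR.match(value):
                    findings.append(("Attribute", "stored literally: %r" % value))
            continue
        # Point 2: the element name is PassWord, with a capital W.
        if child.tag.lower() == "password" and child.tag != "PassWord":
            findings.append((child.tag, "tag must be spelled PassWord"))
        # Point 1: outside the two containers, content is a variable name.
        if text in GRANT_LITERALS:
            findings.append((child.tag, "%r is read as a variable name" % text))
    return findings


# Constructed policy fragment containing all three mistakes.
SAMPLE = """<OAuthV2 name="GenerateToken">
  <GrantType>password</GrantType>
  <SupportedGrantTypes>
    <GrantType>password</GrantType>
  </SupportedGrantTypes>
  <Password>request.formparam.password</Password>
  <Attributes>
    <Attribute name="phone">{phone}</Attribute>
    <Attribute name="label">phone: {phone}</Attribute>
  </Attributes>
</OAuthV2>"""

if __name__ == "__main__":
    for tag, message in lint_oauthv2(SAMPLE):
        print("%s: %s" % (tag, message))
```
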


