Few points to keep in mind while working with
OAuthV2 policy.
1. The XML elements in the
OAuthV2 policy take
references instead of
values.
In AssignMessage and other policies, variable references are specified using a Ref tag or Ref attribute.
<QueryParam name="local_grant_type" Ref="grant_type">password</QueryParam>
The content of the QueryParam tag above is a literal value password. Consider the following OAuthV2 policy
<GrantType>password</GrantType>
<SupportedGrantTypes>
<GrantType>password</GrantType>
</SupportedGrantTypes>
The outer GrantType tag content is a reference to a variable named password and not a literal value. The inner GrantType tag contains password as literal value. All the tags outside SupportedGrantTypes & Attributes tags assume their content as variable references.
This has been mentioned in the documentation too - however it's easy to miss because of the difference in behaviour with respect to other policies.
2. Password tag in
OAuthV2 policy is
<PassWord>variable_containing_password</PassWord> - note the capitalization of
W in password.
3. Value content inside
Attribute tag is either variable name or literal content.
- <Attribute>{phone}</Attribute>
- <Attribute>phone: {phone}</Attribute>
In the first case the value of the variable
phone is stored as the attribute of the access token. However, in the second case
no variable interpolation of the phone variable occurs. The attribute will have the literal value
phone:{phone} .JavaScript Policy is one of the options to build such a mixed content string.