Can someone explain the behavior of OTK Require OAuth2.0 Token?
Below is my understanding.
- When we see any OTK assertions in Policy Manager, it means OTK is installed and configured. (Assumption)
- Configuration includes connectivity from Gateway to OAuth2.0 server (Assumption).
- To authorize the API consumer against OAuth2.0, we need to insert 'OTK Require OAuth2.0 Token' assertion.
- This assertion retrieves the AccessToken from the header and communicates with the OAuth server to get the parameters below related to the consumer:
access_token, content-type, error.code, error.msg, session.client_id, session.expires_at, session.scope
(AccessToken should have been created from the OAuth API which takes ClientId and SecretKey and Input - Assumption)
- Successful execution of the assertion indicates success in OAuth2.0 authentication.
- On success of 'OTK Require OAuth2.0 Token', the policy can proceed to execute further assertions.
Can someone validate and correct me if my assumptions and understanding are wrong.
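To make the flow in the question concrete, here is an added illustration (not OTK's or the Gateway's own code) of what a "require OAuth2.0 token" step does: read the bearer token from the Authorization header, validate it against the OAuth server, and expose the context variables listed above or an error. The OAuth server is simulated by an in-memory token table (an assumption; a real gateway would call the server's token validation/introspection endpoint).

```python
import time

# Constructed stand-in for the OAuth2.0 server's token store (assumption).
# expires_at values are fixed epoch seconds so results are deterministic.
TOKEN_STORE = {
    "tok-valid":   {"client_id": "app-123", "expires_at": 2_000_000_000, "scope": "read write"},
    "tok-expired": {"client_id": "app-123", "expires_at": 1_000_000_000, "scope": "read"},
}

def introspect(access_token):
    """Simulated OAuth server lookup; returns None for unknown tokens."""
    return TOKEN_STORE.get(access_token)

def require_oauth2_token(headers, required_scope=None, now=None):
    """Mimic the assertion: pull the token from the Authorization header, validate it
    with the (simulated) OAuth server and return the context variables the question
    lists. 'ok' is False whenever the assertion would fail and stop the policy."""
    now = time.time() if now is None else now
    ctx = {"access_token": None, "content-type": "application/json",
           "error.code": None, "error.msg": None, "session.client_id": None,
           "session.expires_at": None, "session.scope": None, "ok": False}
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        ctx["error.code"], ctx["error.msg"] = "invalid_request", "missing bearer token"
        return ctx
    ctx["access_token"] = token
    info = introspect(token)
    # Unknown or expired token: authentication fails, no session variables are set.
    if info is None or info["expires_at"] <= now:
        ctx["error.code"], ctx["error.msg"] = "invalid_token", "token unknown or expired"
        return ctx
    # Optional scope check, as a policy would do before letting the request through.
    if required_scope and required_scope not in info["scope"].split():
        ctx["error.code"], ctx["error.msg"] = "insufficient_scope", f"needs {required_scope}"
        return ctx
    ctx.update({"session.client_id": info["client_id"],
                "session.expires_at": info["expires_at"],
                "session.scope": info["scope"], "ok": True})
    return ctx
```

Only when `ok` is True would the remaining assertions in the policy run; the error variables carry the reason otherwise.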