Learn how to enable retrieval and revocation of OAuth 2.0 access tokens by end user ID, app ID, or both.
To learn how to make the API calls that perform these retrievals and revocations, see the following Smart Docs:
- Revoke OAuth 2.0 Access Token by End User ID or App ID
- Get OAuth 2.0 Access Token by End User ID or App ID
To retrieve and revoke existing OAuth 2.0 access tokens by end user ID, an end user ID must be present in the existing access tokens. If you are not already capturing end user IDs in your access tokens, this document will tell you how to configure your OAuth 2.0 policies to do this. You will then be able to retrieve and revoke any newly generated OAuth 2.0 access tokens by end user ID.
This feature must be enabled for each org that you want to support this feature.
Contact Apigee Support to have them update your org.
Only your orgadmin and opsadmin roles should be given permissions to make these retrieve (get) and revoke (put) calls to the oauth2 resource based on end user ID or app ID.
You can use the Get Permission for a Single Resource API call to see which roles have put permissions for the
If you need to add or remove any permissions, contact Apigee Support to have them perform the updates.
In this task, existing OAuth 2.0 access tokens in the impacted orgs are copied and stored on your Cassandra nodes. This procedure is performed on the Cassandra nodes of each of your Apigee Edge pods. It allows the retrieve and revoke API calls to run against all of your OAuth 2.0 access tokens, both existing and newly generated.
This task is optional if you do not need to retrieve and revoke existing OAuth 2.0 access tokens by end user ID.
Contact Apigee Support to have them perform the migration.
In this task, the keymanagement.properties files for your management server and message processor will be updated to include this property: oauth_max_search_limit = 100.
100 is Apigee's recommended value, but it can be set as you see fit.
Contact Apigee Support to have them make this addition.
Configure a GenerateAccessToken OAuth 2.0 policy to generate access tokens that include end user IDs
Perform this task to configure a GenerateAccessToken OAuth 2.0 policy to generate access tokens that include end user IDs. By including end user IDs in access tokens, you will then be able to perform retrievals and revokes by end user ID.
This task is optional if you do not need to retrieve and revoke OAuth 2.0 access tokens by end user ID.
To configure the policy to include an end user ID in an access token, you must tell the policy where to find the end user ID. To do this, add the AppEndUser element to the policy and set its value to a variable. See the AppEndUser element in the example below:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="OAuth-v20-1">
    <DisplayName>OAuth 2.0.0 1</DisplayName>
    <FaultRules/>
    <Properties/>
    <Attributes/>
    <ExternalAuthorization>false</ExternalAuthorization>
    <Operation>GenerateAccessToken</Operation>
    <SupportedGrantTypes>
        <GrantType>client_credentials</GrantType>
    </SupportedGrantTypes>
    <GenerateResponse enabled="true"/>
    <GrantType>request.queryparam.grant_type</GrantType>
    <AppEndUser>request.header.appuserID</AppEndUser>
    <Attributes>
        <Attribute name="water">sea</Attribute>
        <Attribute name="air">fresh</Attribute>
    </Attributes>
    <ExpiresIn>960000</ExpiresIn>
    <Tokens/>
</OAuthV2>
Set the AppEndUser element to a variable that locates the app end user ID wherever your implementation supplies it. For example:
- Use a form parameter variable: request.formparam.appuserID
- Use a flow variable providing the app end user ID
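A small check for the configuration step above, added here as an example and not part of the Apigee docs or product: it parses OAuthV2 policy XML and reports GenerateAccessToken policies that lack an AppEndUser element, since tokens generated by such policies carry no end user ID and cannot later be retrieved or revoked by end user ID. The two sample policies and the assumption that a flow variable reference contains a dot are constructed for illustration.

```python
"""Lint Apigee OAuthV2 policies for a missing or empty AppEndUser element."""
import xml.etree.ElementTree as ET

# Constructed sample: a GenerateAccessToken policy that captures the end user ID.
GOOD_POLICY = """<OAuthV2 name="OAuth-v20-1">
    <Operation>GenerateAccessToken</Operation>
    <SupportedGrantTypes><GrantType>client_credentials</GrantType></SupportedGrantTypes>
    <GrantType>request.queryparam.grant_type</GrantType>
    <AppEndUser>request.header.appuserID</AppEndUser>
    <ExpiresIn>960000</ExpiresIn>
</OAuthV2>"""

# Constructed sample: same policy without AppEndUser (tokens carry no end user ID).
BAD_POLICY = """<OAuthV2 name="OAuth-v20-2">
    <Operation>GenerateAccessToken</Operation>
    <SupportedGrantTypes><GrantType>client_credentials</GrantType></SupportedGrantTypes>
    <GrantType>request.queryparam.grant_type</GrantType>
    <ExpiresIn>960000</ExpiresIn>
</OAuthV2>"""


def lint_policy(policy_xml: str) -> list:
    """Return a list of findings for one policy; an empty list means it passes."""
    root = ET.fromstring(policy_xml)
    if root.tag != "OAuthV2":
        return ["not an OAuthV2 policy: <%s>" % root.tag]
    operation = (root.findtext("Operation") or "").strip()
    if operation != "GenerateAccessToken":
        return []  # only token generation decides what the token will contain
    end_user = root.find("AppEndUser")
    if end_user is None:
        return ["AppEndUser missing: tokens will not carry an end user ID"]
    value = (end_user.text or "").strip()
    if not value:
        return ["AppEndUser is empty"]
    # Assumption: Apigee flow variable references are dotted names
    # (request.header.x, request.formparam.x); a bare word is likely a literal.
    if "." not in value:
        return ["AppEndUser '%s' does not look like a flow variable" % value]
    return []


def lint_policies(policies: dict) -> dict:
    """Lint several policies keyed by name; only failing policies are returned."""
    report = {}
    for name, xml_text in policies.items():
        findings = lint_policy(xml_text)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in lint_policies({"good": GOOD_POLICY, "bad": BAD_POLICY}).items():
        print(name, "->", "; ".join(findings))
```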