Layer7 API Management

 View Only
  • 1.  OTK/OAuth- Retrieve session data based on access token

    Posted Jun 08, 2017 07:23 PM

    OTK Tool Kit 3.5



    1. In the authorize policy, SessionData (SessionDataJWT) is created and stored in OTK Session.

    2. Is there a way to retrieve the above SessionData using access token as the cache key parameter ? 


    What we are trying to do is the below.


    Step 1 : App A calls OAuth - Authorization - Implemented a custom authorization policy which does the authorization and sets the grant type as Grant and then calls Consent policy. App A passes client id.


    Step 2: The consent policy (default OTK policy) will redirect the page to App B (based on redirect uri)


    Step 3: Now App B calls token policy by passing the code , client id and client secret. (App A is the master application and so knows the client id of App B when it initiates the authorization on step 1 above)


    Step 4: App B gets the access token on step 3. In the next call, we want to take the access token from App B and return few parameters from SessionData created in step1 above. Could anyone please let me know on the correct cacheKey to be used to retrieve it ? The custom authorization policy has the same logic as the default authorize policy and then issues a grant on top of it. When creating the session store, cache key used is SessionID. But we don't have hold of sessionId on step4 and so want to retrieve the session based on access token.


    Appreciate your help !

  • 2.  Re: OTK/OAuth- Retrieve session data based on access token
    Best Answer

    Posted Aug 15, 2017 11:50 AM


    In the endpoint /authorize/consent OTK issues credentials based on the response type. Wherever a response type gets handled there is an assertion called "OTK Session Tracking". The sessionData object can be added to the default JSON message that is used as input. Once the access_token gets used the assertion "OTK Require OAuth 2.0 Token" exposes a variable called "session.custom". That variable will contain the sessionData object. If that assertion is not being used "OTK Token GET" can be used alternatively only that this assertion will respond with an XML structure.

    Please let me know if that is good enough, otherwise do not hesitate to come back with follow up questions.

    Thanks, Sascha

  • 3.  Re: OTK/OAuth- Retrieve session data based on access token

    Posted Aug 15, 2017 02:23 PM

    Hi Sascha,


    Thank you for the reply. I've followed the below approach and it seems to be working fine.


    1.When App B client id is registered, client key custom is set with a json element.

    2. In the custom authorization policy (invoked by App A), when the session data is constructed, the client key custom    json element is replaced with the custom data (any json data that's desired to pass to App B)

    3. When client B authorizes by passing the token, the client key custom from session in step 2 is returned. It has the json data passed by app A.


    I think basically the client custom key is retrieved based on what you've mentioned above and so it works.


    Thanks, Koushik