Layer7 API Management


 About setting disallowed method to query parameter of access token

MARUBUN SUPPORT posted Feb 20, 2023 12:03 AM

Hi Teams,

[Products] 
 CA API Gateway v10.0 CR02
 API Developer Portal v4.5.0.1


The user had the following pointed out by an external diagnosis and is considering an improvement.

  • A request can be made by passing the access token issued by OTK as a query parameter
  • The access token should be sent in the HTTP header; passing it as a query parameter is not recommended


The user thought that changing "Allow Authorization Header (boolean)" in OTK's Access Token Retrieval Properties from True to False would solve the problem.
They tried this, but the property was "Read Only".

[Question]

  • Is there a way to change the property?
  • Is there a method to disallow query parameter settings for access tokens?


Regards

Broadcom Employee Barry Stern

Hello,

Whether tokens are accepted as a query parameter is determined on the resource server, in the "OTK Require OAuth 2.0 Token Properties" assertion in the API, by setting the "Disallow retrieving access_token from query string" property to True.

In OTK 4.6 you can also enable FAPI Baseline, which globally disables the use of query parameters for access tokens (AT), but this will also enforce all of the other FAPI Baseline restrictions.

https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-management-oauth-toolkit/4-6/fapi-compliance.html
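As an added illustration (not part of the thread above and not OTK's own code), the Python below models the resource-server check the answer describes: a bearer token is taken from the Authorization header, and the RFC 6750 `access_token` query parameter is honoured only when the equivalent of "Disallow retrieving access_token from query string" is off. It also scans constructed access-log lines for the exposure the external diagnosis flagged; function names and the sample log lines are hypothetical.

```python
import re
from urllib.parse import parse_qs


class TokenRejected(Exception):
    """Raised when the request carries no acceptable access token."""


def extract_access_token(headers, query_string, disallow_query_string=True):
    """Hypothetical resource-server lookup, not OTK's implementation.

    The Authorization header is checked first. The access_token query
    parameter (RFC 6750 section 2.3) is accepted only when
    disallow_query_string is False, mirroring the assertion property.
    """
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "bearer" and token.strip():
        return token.strip()
    qs_token = parse_qs(query_string, keep_blank_values=True).get("access_token", [""])[0]
    if qs_token:
        if disallow_query_string:
            raise TokenRejected("access_token in query string is not allowed")
        return qs_token
    raise TokenRejected("no bearer token present")


def token_accepted(headers, query_string, disallow_query_string=True):
    """Boolean wrapper so callers can test acceptance without handling exceptions."""
    try:
        extract_access_token(headers, query_string, disallow_query_string)
        return True
    except TokenRejected:
        return False


# Request line with a '?' in the path and an access_token= query parameter.
ACCESS_TOKEN_IN_QUERY = re.compile(r'"(?:GET|POST|PUT|DELETE) [^ "]*\?[^ "]*\baccess_token=')


def find_query_token_requests(log_lines):
    """Return access-log lines where a client put the token in the URL.

    These are the requests that end up in proxy, gateway and browser history
    logs with the secret in clear; header-borne tokens do not appear here.
    """
    return [line for line in log_lines if ACCESS_TOKEN_IN_QUERY.search(line)]


# Constructed sample lines in common log format (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Feb/2023:00:03:01 +0000] "GET /api/orders?access_token=abc123 HTTP/1.1" 200 512',
    '203.0.113.6 - - [20/Feb/2023:00:03:02 +0000] "GET /api/orders HTTP/1.1" 200 512',
]
```

With the disallow setting on, the first sample request is rejected and also shows up in the log scan, which is the control-plus-detection pair a reviewer would want for this finding.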