Skip to content

Validating Request Authentication Tokens

When leveraging OAuth 2.0 for authentication, the API Firewall can be set up to validate access tokens before directing requests to your application server. The Firewall expects the access token in the Authorization: Bearer request header.

API Firewall considers the token to be valid if the scopes defined in the specification and in the token meta information are the same. If the value of APIFW_REQUEST_VALIDATION is BLOCK, API Firewall blocks requests with invalid tokens. In the LOG_ONLY mode, requests with invalid tokens are only logged.

Feature availability

This feature is available only when running API Firewall for REST API request filtering.

To configure the OAuth 2.0 token validation flow, use the following environment variables:

Environment variable Description
APIFW_SERVER_OAUTH_VALIDATION_TYPE The type of authentication token validation:
  • JWT if using JWT for request authentication. Perform further configuration via the APIFW_SERVER_OAUTH_JWT_* variables.
  • INTROSPECTION if using other token types that can be validated by the particular token introspection service. Perform further configuration via the APIFW_SERVER_OAUTH_INTROSPECTION_* variables.
APIFW_SERVER_OAUTH_JWT_SIGNATURE_ALGORITHM The algorithm being used to sign JWTs: RS256, RS384, RS512, HS256, HS384 or HS512.

JWTs signed using the ECDSA algorithm cannot be validated by API Firewall.
APIFW_SERVER_OAUTH_JWT_PUB_CERT_FILE If JWTs are signed using the RS256, RS384 or RS512 algorithm, the path to the file with the RSA public key (*.pem). This file must be mounted to the API Firewall Docker container.
APIFW_SERVER_OAUTH_JWT_SECRET_KEY If JWTs are signed using the HS256, HS384 or HS512 algorithm, the secret key value being used to sign JWTs.
APIFW_SERVER_OAUTH_INTROSPECTION_ENDPOINT Token introspection endpoint. Endpoint examples:
  • if using Google OAuth
  • for Gluu OAuth 2.0 tokens
APIFW_SERVER_OAUTH_INTROSPECTION_ENDPOINT_METHOD The method of the requests to the token introspection endpoint. Can be GET or POST.

The default value is GET.
APIFW_SERVER_OAUTH_INTROSPECTION_TOKEN_PARAM_NAME The name of the parameter with the token value in the requests to the introspection endpoint. Depending on the APIFW_SERVER_OAUTH_INTROSPECTION_ENDPOINT_METHOD value, API Firewall automatically considers the parameter to be either the query or body parameter.
APIFW_SERVER_OAUTH_INTROSPECTION_CLIENT_AUTH_BEARER_TOKEN The Bearer token value to authenticate the requests to the introspection endpoint.
APIFW_SERVER_OAUTH_INTROSPECTION_CONTENT_TYPE The value of the Content-Type header indicating the media type of the token introspection service. The default value is application/octet-stream.
APIFW_SERVER_OAUTH_INTROSPECTION_REFRESH_INTERVAL Time-to-live of cached token metadata. API Firewall caches token metadata and if getting requests with the same tokens, gets its metadata from the cache.

The interval can be set in hours (h), minutes (m), seconds (s) or in the combined format (e.g. 1h10m50s).

The default value is 10m (10 minutes).