pages/home/auth-providers/oauth2.mdx
11 additions & 10 deletions
@@ -190,7 +190,7 @@ token_request:
190
190
```
191
191
192
192
- `response_content_type` _(optional, default `application/json`)_: The expected content type of the response. Supported values are `application/json` and `application/x-www-form-urlencoded`.
193
-
- `response_map` _(optional)_: A map of keys and values to extract from the response. Supports simple JSONPath expressions. Only applicable if `response_content_type` is `application/json`. See the [JSONPath reference](#jsonpath-expressions-in-response_map) for details on extracting values using JSONPath.
193
+
- `response_map` _(optional)_: A map of keys and values to extract from the response. Supported keys are `access_token`, `expires_in`, `refresh_token`, `scope`, and `token_type`. Supports simple JSONPath expressions. Only applicable if `response_content_type` is `application/json`. See the [JSONPath reference](#jsonpath-expressions-in-response_map) for details on extracting values using JSONPath.
194
194
195
195
#### `refresh_request`
196
196
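Review bot: The added `token_request` `response_map` line lists the supported keys but does not say what happens to a key outside that list (silently ignored, or rejected as a configuration error). Suggest stating the behaviour in this bullet, since a typo such as `acess_token` would otherwise be hard to diagnose from the docs alone.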
@@ -218,7 +218,7 @@ refresh_request:
218
218
```
219
219
220
220
- `response_content_type` _(optional, default `application/json`)_: The expected content type of the response. Supported values are `application/json` and `application/x-www-form-urlencoded`.
221
-
- `response_map` _(optional)_: A map of keys and values to extract from the response. Supports simple JSONPath expressions. Only applicable if `response_content_type` is `application/json`. See the [JSONPath reference](#jsonpath-expressions-in-response_map) for details on extracting values using JSONPath.
221
+
- `response_map` _(optional)_: A map of keys and values to extract from the response. Supported keys are `access_token`, `expires_in`, `refresh_token`, `scope`, and `token_type`. Supports simple JSONPath expressions. Only applicable if `response_content_type` is `application/json`. See the [JSONPath reference](#jsonpath-expressions-in-response_map) for details on extracting values using JSONPath.
222
222
223
223
#### `user_info_request`
224
224
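Review bot: The `refresh_request` bullet repeats the `token_request` key list word for word. This same commit has to correct a list of this kind under `token_introspection_request` (five keys reduced to `expires_in` and `scope`), so consider describing the keys once and linking to that description from both bullets to keep the copies from drifting.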
@@ -227,6 +227,7 @@ Some OAuth 2.0 APIs provide a user info endpoint that returns information about
227
227
- `endpoint`: The user info endpoint for your OAuth 2.0 server, e.g. `/oauth2/userinfo`
228
228
- `auth_method` _(optional, default `bearer_access_token`)_: The authentication method to use. The only supported value is `bearer_access_token`.
229
229
- `response_content_type` _(optional, default `application/json`)_: The expected content type of the response. The only supported value is `application/json`.
230
+
- `response_map` _(optional)_: A map of keys and values to extract from the response. If no `response_map` is provided, the entire response will be extracted verbatim. Supports simple JSONPath expressions. Only applicable if `response_content_type` is `application/json`. See the [JSONPath reference](#jsonpath-expressions-in-response_map) for details on extracting values using JSONPath.
230
231
- `triggers`: Controls when the user info request is made.
231
232
- `on_token_grant`: If `true`, the user info request will be made when a token is granted. This is typically only once for each user, unless new scopes are granted.
232
233
- `on_token_refresh`: If `true`, the user info request will be made every time a token is refreshed.
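Review bot: The new `user_info_request` `response_map` bullet says that with no map "the entire response will be extracted verbatim", but it does not say which keys are accepted when a map is given, while the other three sections enumerate theirs. Suggest stating that keys here are free-form (if that is the case) and recommending an explicit map so that only the user info fields actually needed are kept.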
@@ -272,17 +273,17 @@ auth:
272
273
- `auth_method` _(optional, default `client_secret_basic`)_: The authentication method to use for the token introspection request. Supported values are `client_secret_basic` and `bearer_access_token`.
273
274
- `request_content_type` _(optional, default `application/x-www-form-urlencoded`)_: The content type of the request body.
274
275
- `response_content_type` _(optional, default `application/json`)_: The content type of the response body.
275
-
- `response_map` _(required)_: A map of keys and values to extract from the response. Supports simple JSONPath expressions. Supported keys are `access_token`, `expires_in`, `refresh_token`, `scope`, and `token_type`.
276
+
- `response_map` _(required)_: A map of keys and values to extract from the response. Supported keys are `expires_in` and `scope`. Supports simple JSONPath expressions.
276
277
- `expiration_format` _(optional, default `absolute_unix_timestamp`)_: The format of the expiration time. Supported values are `absolute_unix_timestamp` and `relative_seconds`.
277
278
- `triggers` _(required)_: Controls when the token introspection request is made.
278
279
- `on_token_grant`: If `true`, the token introspection request will be made when a token is granted. This is typically only once for each user, unless new scopes are granted.
279
280
- `on_token_refresh`: If `true`, the token introspection request will be made every time a token is refreshed.
280
281
281
282
#### JSONPath expressions in `response_map`
282
283
283
-
In the `token_request`and `refresh_request` sections, you can optionally configure a `response_map`. Configuring a response map is useful if your OAuth 2.0 server returns a JSON object with nested properties, or properties with non-standard names.
284
+
In the `token_request`, `refresh_request`, `token_introspection_request`, and `user_info_request` sections, you can specify a `response_map`. Configuring a response map is useful if your OAuth 2.0 server returns a JSON object with nested properties, or properties with non-standard names.
284
285
285
-
The typical JSON payload that most OAuth 2.0 servers return looks like this:
286
+
For example, for the token request, most OAuth 2.0 servers return a JSON payload that looks like this:
286
287
287
288
```json
288
289
{
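Review bot: In the `token_introspection_request` bullet, `response_map` is marked _(required)_ while the new text lists only `expires_in` and `scope` as supported keys, without saying whether both must be mapped or one is enough. The rewritten intro ("you can specify a `response_map`") also reads as optional for all four sections, which conflicts with _(required)_ here. Suggest stating the minimum key set and noting the exception in the intro.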
@@ -293,7 +294,7 @@ The typical JSON payload that most OAuth 2.0 servers return looks like this:
293
294
}
294
295
```
295
296
296
-
If your server returns a payload that looks like this, you don't need `response_map`.
297
+
If your server returns a payload of this shape, you don't need `response_map`!
297
298
298
299
But if your server returns:
299
300
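Review bot: "you don't need `response_map`!" now follows an intro that covers four sections, one of which (`token_introspection_request`) marks `response_map` as required. Suggest scoping the sentence to the token request, e.g. "you don't need a `response_map` for `token_request`", and dropping the exclamation mark to match the surrounding reference text.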
@@ -308,18 +309,18 @@ But if your server returns:
308
309
}
309
310
```
310
311
311
-
Then you need to configure `response_map` to extract the properties from inside the `data` object. Use [JSONPath](https://en.wikipedia.org/wiki/JSONPath) expressions to select the properties you need:
312
+
Then you need to configure `response_map` to extract the nested properties from inside the `data` object. Use [JSONPath](https://en.wikipedia.org/wiki/JSONPath) expressions to select the properties you need:
312
313
313
314
```yaml
314
-
token_request: # or refresh_request
315
+
token_request:
315
316
response_map:
316
317
access_token: "$.data.access_token"
317
318
expires_in: "$.data.expires_in"
318
319
refresh_token: "$.data.refresh_token" # Only needed if refresh tokens are used
319
320
scope: "$.data.scope" # Only needed if scopes are used
320
321
```
321
322
322
-
Not all OAuth 2.0 servers support refresh tokens, or use scopes. The only required properties are `access_token` and `expires_in`.
323
+
Similarly, for user info or token introspection requests, you can use `response_map` to extract custom properties from the response.
323
324
324
325
#### Handling scope arrays
325
326
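Review bot: The removed closing sentence ("The only required properties are `access_token` and `expires_in`.") was the only place in these hunks that said which token response keys are mandatory, and the replacement sentence does not carry that over. Suggest keeping it alongside the new one. Dropping `# or refresh_request` from the YAML comment likewise loses the hint that the same mapping applies to `refresh_request`; a one-line mention after the example would restore it.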
@@ -395,7 +396,7 @@ Here's a full example of the YAML configuration for a custom OAuth 2.0 provider:
395
396
396
397
<ToggleContent showText="Click to view example" hideText="Hide example">
To connect to OpenTelemetry compatible collectors, set the necessary [OpenTelemetry environment variables](https://opentelemetry.io/docs/specs/otel/configuration/sdk-environment-variables/) in the `engine.env` file.
195
195
`environment`and `version` are fields that are added to the telemetry attributes, which can be filtered on later.