API gateway handles oauth2 authentication seamlessly that means when an access token expires while the refresh token is provided. It will automatically make a request to acquire another access token to be used until its next expiration date is due. It also depends on which grant type is being used.
It uses authorization code to exchange for an access token by confidential and public clients. To use this grant type, it requires to provide the code for us to handle it seamlessly.
It doesn't need the context of a user to acquire an access token. It is best used by clients to access resources about themselves.
It requires the client to acquire an access token directly.
It requires username and password to acquire an access token.
- Access Token Name The name of access token parameter. (ex. access_token)
- Access Token URL The endpoint to get the access token. (ex. example.com/oauth)
- Refresh Token Name The name of refresh token parameter. (ex. refresh_token)
- Refresh Token URL The endpoint to get the access token by using refresh token. (ex. example.com/oauth/refresh)
- Expires In Name The name of expires in parameter. (ex. expires_in)
- Callback URL The callback URLs, also known as redirect URIs, tell the server where to send the user with the proper tokens after authentication. (ex. redirect.com)
- Auth URL The endpoint to get the authorization code. (ex. example.com/auth)
- Client ID The client id is a public identifier for apps.
- Client Password The client secret is a secret known only to the application and the authorization server
- Scope The scope of the access request. Separate by comma (,).
- State The state parameter preserves some state objects set by the client in the Authorization request and makes it available to the client in the response.
- Code The code is the authorization code generated by the authorization server. This code is relatively short-lived, typically lasting between 1 to 10 minutes depending on the OAuth service.
- Username (Password grant only) The username uses for credentials.
- Password (Password grant only) The password uses for credentials.
- Client authentication The usage of access token to your request.
- Default Automatically determine which method to use based from response token_type.
- Header Injects the credentials in request header.
- Query parameter Injects the credentials in query parameter.