Advanced configuration

We discuss a few advanced configuration properties. Please refer to the plugin descriptions for more details.

Allowing access tokens to be sent to URLs chosen by the caller

The sample configuration limits the allowed URLs where the access token may be sent to exactly one URL, namely "https://this.is.your.redirect.url/". You can allow additional URLs by relaxing the patterns in the target application.

For example, you can define:

  • URL Pattern: https://this\.is\.your\.redirect\.url/.*
  • Application Entry URLs: https://this\.is\.your\.redirect\.url/.*

to allow the token to be issued to:

https://this.is.your.redirect.url/sendToken/toThisSublocation

In this case, the client would have to use "redirect_uri=https%3A%2F%2Fthis.is.your.redirect.url%2FsendToken%2FtoThisSublocation" in the initial request.

Choose the Redirect URL with Care

It is highly important that the redirect URL is validated properly, so the "URL Pattern" and the "Application Entry URLs" must be chosen carefully. Otherwise, an attacker might be able to leak access tokens to a location under their control by choosing, e.g., "www.attacker.com" as the redirect location. Also remember to always escape any dots in patterns with \. so that the dot does not match an arbitrary character. Otherwise, in the above example, an attacker could easily set the redirect_uri to "https://thisZisZyourZredirect.url/".
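The following added example (not the product's own code) shows the two pitfalls this section and the pattern example above describe: a pattern whose dots are left unescaped, and a check that does not anchor the pattern to the whole redirect_uri. The two pattern constants are modelled on the page's sample configuration; the authorization request, the host "idp.example", the client_id "demo" and the "wrapped" URL are constructed for the example.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Assumed patterns, modelled on the page's sample configuration.
# WEAK: the dots are not escaped, so each "." matches any single character.
WEAK_PATTERN = r"https://this.is.your.redirect.url/.*"
# STRICT: every dot is escaped, so only the literal host name matches.
STRICT_PATTERN = r"https://this\.is\.your\.redirect\.url/.*"

# Constructed authorization request using the redirect_uri encoding shown on
# the page. "idp.example" and client_id "demo" are placeholders.
AUTHZ_REQUEST = (
    "https://idp.example/authorize?response_type=token&client_id=demo"
    "&redirect_uri=https%3A%2F%2Fthis.is.your.redirect.url%2FsendToken%2FtoThisSublocation"
)


def redirect_uri_from_request(url: str) -> Optional[str]:
    """Return the percent-decoded redirect_uri query parameter, or None."""
    values = parse_qs(urlsplit(url).query).get("redirect_uri")
    return values[0] if values else None


def redirect_uri_allowed(redirect_uri: str, pattern: str) -> bool:
    """Anchored check: the WHOLE redirect_uri must match the pattern.

    re.fullmatch() anchors at both ends, so the pattern cannot be satisfied
    by a substring of a longer URL chosen by the caller.
    """
    return re.fullmatch(pattern, redirect_uri) is not None


def redirect_uri_allowed_unanchored(redirect_uri: str, pattern: str) -> bool:
    """Pitfall shown for comparison only: re.search() accepts the pattern
    ANYWHERE in the string, e.g. inside a query parameter of a foreign URL."""
    return re.search(pattern, redirect_uri) is not None


def evaluate(pattern: str) -> dict:
    """Run the checks a reviewer of a redirect pattern would want to see."""
    legit = redirect_uri_from_request(AUTHZ_REQUEST)
    lookalike = "https://thisZisZyourZredirect.url/"  # the page's example
    # Constructed: a foreign URL that merely CONTAINS the allowed URL.
    wrapped = "https://www.attacker.com/?u=https://this.is.your.redirect.url/"
    return {
        "legit": redirect_uri_allowed(legit, pattern),
        "lookalike": redirect_uri_allowed(lookalike, pattern),
        "wrapped_anchored": redirect_uri_allowed(wrapped, pattern),
        "wrapped_unanchored": redirect_uri_allowed_unanchored(wrapped, pattern),
    }


if __name__ == "__main__":
    for name, pattern in (("WEAK", WEAK_PATTERN), ("STRICT", STRICT_PATTERN)):
        print(name, evaluate(pattern))
```

With the weak pattern the look-alike host "thisZisZyourZredirect.url" is accepted; with the strict pattern only the configured host passes, and only when the check is anchored to the full redirect_uri. The same discipline applies to the "Application Entry URLs": an escaped, anchored pattern is what keeps the token from being issued to a caller-chosen location.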

Dealing with multiple OAuth 2.0 clients

It is possible to configure several target applications, each with its own "OAuth 2.0 Implicit Grant Identity Propagator" and Client ID. The configuration is analogous to the example above.