Token-handler (Section)
Path: /profiles/profile{id, type}/settings/apps-service/applications/application{id}/token-handler
The settings for a Token Handler application
Parameters
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| single-page-application-base-url | uri | required | | The domain that the Single Page Application (SPA) is served from, as the base URL of the SPA. This is needed to allow CORS requests from the SPA to the Token Handler service. |
| backend-for-frontend-parent-domain | string | optional | | The parent domain of the backend-for-frontend (BFF) service. It will be set as the domain for the proxy cookie. This setting is only needed when the OAuth Agent and the BFF run on different subdomains. For example, if the agent runs on ‘agent.example.com’ and the BFF runs on ‘bff.example.com’, then this setting must be ‘example.com’. This is required to share the proxy cookie between the agent and the BFF service. |
| cookie-prefix | string | optional | th- | The prefix to use with cookies that are managed by Token Handler. Defaults to ‘th-’. |
| http-client | leafref | optional | | The HTTP client that is used (e.g. to call the token endpoint). This client needs to be configured with a trust store, if specific TLS trust is needed to access the Authorization Server. If not defined, the default HTTP client is used. |
| session-cookie-path | string | optional | | The path to be set on the session cookie. If not set, the path to this token handler application will be used (/<app-anonymous-endpoint-path>/<application-id>). This needs to be set only when a proxy rewrites the path to this application. |
| require-custom-header | boolean | optional | true | Require the ‘token-handler-version’ HTTP header on all token handler application endpoints to force CORS pre-flight requests. This strengthens the security of this token handler application. |
| proxy-type | enumeration | required | | The proxy to be used with this token handler application. |
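
The browser rules behind `require-custom-header` and `backend-for-frontend-parent-domain`, as an added example that is not Curity code: a simplified model of the Fetch standard's preflight decision and the RFC 6265 cookie domain-match. The `acceptRequest` gate, the header value `1` and the host names are assumptions made for illustration.

```javascript
// Added illustration, not product code. Simplified browser rules:
// Fetch standard (CORS preflight) and RFC 6265 section 5.1.3 (domain-match).
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// True when a browser must send an OPTIONS preflight before a cross-origin request.
function needsPreflight(method, headers = {}) {
  if (!SAFE_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (!SAFE_HEADERS.has(n)) return true; // e.g. token-handler-version
    if (n === "content-type" &&
        !SAFE_CONTENT_TYPES.has(value.split(";")[0].trim().toLowerCase())) return true;
  }
  return false;
}

// True when a cookie with Domain=cookieDomain is sent to host (IP hosts not handled).
function cookieDomainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  return h === d || h.endsWith("." + d);
}

// Hypothetical server-side gate built from two settings in the table above.
function acceptRequest(settings, req) {
  const allowedOrigin = new URL(settings["single-page-application-base-url"]).origin;
  if (req.origin !== allowedOrigin) return false;
  const hasHeader = Object.keys(req.headers).some(
    (k) => k.toLowerCase() === "token-handler-version");
  return !settings["require-custom-header"] || hasHeader;
}

// Constructed sample settings, using the host names from the table's example.
const settings = {
  "single-page-application-base-url": "https://www.example.com",
  "backend-for-frontend-parent-domain": "example.com",
  "require-custom-header": true,
};
```

A plain form-style POST needs no preflight and carries no custom header, so the gate rejects it. A request that does carry `token-handler-version` is always preflighted first, which lets the CORS policy decide whether the calling origin may send it.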
Subsections
| Name | Type | Description |
|---|---|---|
| oauth-client | OneOf | None |
| proxy-keystore | Section | The elliptic-curve public key used to encrypt the proxy cookie. |
| authorization-parameters-whitelist | Section | None |
| refresh-parameters-whitelist | Section | None |