That should be obvious, but I'm telling you because you seem to be a little off-track with your ideas about ExtractVariables and so on. You don't need ExtractVariables or AssignMessage. Be aware that exposing an API proxy that does not have a VerifyAccessToken policy (or VerifyAPIKey, etc.) means that any client can call it. The minimum WWW-Authenticate header includes the string Bearer, indicating that a bearer token is required. If you want to allow the client to send in a request that has no authorization, then. If the access token does not allow access to the requested resource, or if there is no access token in the request, then the server must reply with an HTTP 401 response and include a WWW-Authenticate header in the response. I don't see how those policies have anything to do with your stated goal. I asked somebody; they said you can do this using Extract variable and Assign message policy. What is the point of dispensing a token to the client if the client won't subsequently use it? How will you then distinguish between authorized calls and anonymous calls if the client doesn't send a token? Generating a token and sending it back to the client, only to later. Required: Yes, when requesting an access code in the Authorization Grant with PKCE. Do not include a policy like VerifyAccessToken in your proxy. The /oauth2/accesstoken endpoint is the OAuth 2.0 token endpoint as. Yes, well, if you don't want to require authorization, then don't configure your apiproxy to require it. I want my client to get a response without authorization.