Manage Allowed Resource Indicators

Specifies the resource indicators that can be referenced by using the resource parameter. When you request a token with the resource parameter and then present that access token to a resource server, the server can introspect the token and check whether it (the resource server) is listed in the token’s audience claim. If it is, access can be granted; if it is not, access can be denied.

See Audience Injection and the resource parameter for detailed information.
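The audience check described above, written out as an added Python example (this is not code from the page or from the product's own SDK). It assumes the resource server already holds the introspection response as JSON with the standard active, aud and exp claims; the sample response below is constructed for the example and reuses the client_id URN shown on this page.

```python
import json
import time

# Constructed sample introspection response (not from the page). "aud" lists
# the resource indicators the token was issued for.
SAMPLE_INTROSPECTION = json.dumps({
    "active": True,
    "aud": ["urn:ietf:params:oauth:client_id:37a7bf21-9ac5-48c5-96b5-c2173debee26"],
    "exp": 4102444800,   # 2100-01-01 UTC, so the constructed token is not expired
})


def audience_allows(introspection_json, my_resource_indicator, now=None):
    """Decide whether the resource server identified by my_resource_indicator
    should accept a token, given the introspection response for that token.
    Returns True only for an active, unexpired token whose audience names us."""
    claims = json.loads(introspection_json)
    if claims.get("active") is not True:
        return False            # revoked, unknown or otherwise inactive token

    exp = claims.get("exp")
    now = time.time() if now is None else now
    if exp is not None and now >= exp:
        return False            # expired; checked even though "active" should cover it

    aud = claims.get("aud")
    if isinstance(aud, str):    # RFC 7519 allows aud as a single string or an array
        aud = [aud]
    if not aud:
        return False            # no audience at all: never assume it means us

    return my_resource_indicator in aud


if __name__ == "__main__":
    me = "urn:ietf:params:oauth:client_id:37a7bf21-9ac5-48c5-96b5-c2173debee26"
    print("accept:", audience_allows(SAMPLE_INTROSPECTION, me))
    print("reject other audience:",
          audience_allows(SAMPLE_INTROSPECTION, "urn:example:other-resource"))
```

The point of the last two branches is that a token with no audience, or with someone else's audience, is rejected rather than accepted by default; an audience check that only runs when aud happens to be present is what makes audience injection work.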

This endpoint supports the following methods:



GET


Description

Returns information about the resource indicators defined in the specified token policy. For example, the following token policy identifies urn:ietf:params:oauth:client_id:37a7bf21-9ac5-48c5-96b5-c2173debee26 as an allowed resource:

[
    "urn:ietf:params:oauth:client_id:37a7bf21-9ac5-48c5-96b5-c2173debee26"
]

URI Parameters

URI parameters that must be included in the request are listed in the following table:

Parameter         Type    Required  Description
{customerId}      String  Yes       Unique identifier of the organization associated with the token policy.
{tokenPolicyId}   String  Yes       Unique identifier for the token policy.


Authentication

This endpoint requires token-based authentication. To obtain an access token, you must employ a configuration client (using the client ID as the username and the client secret as the password) to access the /{customerId}/login/token endpoint. The access token returned from the token endpoint is then used in the Authorization header of your API call. For example, if you get back the access token Ki712dpGq5GPQcsxMHY6ShHY7wU_iTs0o9dPx4TEzf5yLIvddjnDVBJxjPDucf5YVB then your Authorization header will look like this when using Curl:

-H 'Authorization: Bearer Ki712dpGq5GPQcsxMHY6ShHY7wU_iTs0o9dPx4TEzf5yLIvddjnDVBJxjPDucf5YVB'

In Postman, set the Authorization Type to Bearer and use the access token as the value of the Token field.


Sample Request (curl)

The following command returns the allowed resource indicators found in token policy 5a1e3d0e-7a57-48ce-aa9c-b303345f5747:

curl -X GET \
  'https://v1.api.us.janrain.com/e0a70b4f-1eef-4856-bcdb-f050fee66aae/config/tokenPolicies/5a1e3d0e-7a57-48ce-aa9c-b303345f5747/allowedResourceIndicators' \
  -H 'Authorization: Bearer dgqJbjCmon__P9OXLz5ulJtpS-jupleB-MBejblVMZHS8Nc-EeMSl91_b76WhtdA'


Responses

200 OK

If your API call succeeds, you’ll get back a collection of the token policy's allowed resources:

[
    "urn:ietf:params:oauth:client_id:37a7bf21-9ac5-48c5-96b5-c2173debee26"
]


Error Response Codes

The following table includes information about some of the other response codes that you might encounter when calling this endpoint.

Response Code   Description
403             Forbidden. Typically occurs when you make a call using an invalid configuration token. This is usually because the token has expired (configuration tokens have a maximum lifetime of 1 hour). However, it’s also possible that the token wasn’t issued a scope that permits access to this endpoint. See the article API Security for Configuration for more information.
404             Not found. The specified token policy could not be found. This generally occurs because you referenced an invalid policy ID or customer ID when making your API call.




PUT



Description

The PUT method enables you to specify the resources to be associated with a token policy. For example, this syntax configures urn:ietf:params:oauth:client_id:37a7bf21-9ac5-48c5-96b5-c2173debee26 as an allowed resource:

[
    "urn:ietf:params:oauth:client_id:37a7bf21-9ac5-48c5-96b5-c2173debee26"
]

When updating a token policy's allowed resources, your API call must specify all the desired resources: that’s because the resources included in the body parameter replace the current set of allowed resources. For example, suppose your token policy currently contains this resource:

  • urn:ietf:params:oauth:client_id:20b3c1e3-9798-4cfb-aa5c-080c9ccb677a

Because you want to add urn:ietf:params:oauth:client_id:37a7bf21-9ac5-48c5-96b5-c2173debee26 to the set of allowed resources, you use a body parameter that looks like this:

[
    "urn:ietf:params:oauth:client_id:37a7bf21-9ac5-48c5-96b5-c2173debee26"
]

After you make your API call, your token policy will contain the following set of allowed resources:

  • urn:ietf:params:oauth:client_id:37a7bf21-9ac5-48c5-96b5-c2173debee26

What happened to your other resource, the one defined in the token policy before you made the API call? That resource has disappeared: your previous set of allowed resources has been replaced by the new resource specified in the API call. To add a resource to the allowed resources list, your body parameter must include your existing resources as well as any new resources being added to the policy:

[
    "urn:ietf:params:oauth:client_id:37a7bf21-9ac5-48c5-96b5-c2173debee26",
    "urn:ietf:params:oauth:client_id:20b3c1e3-9798-4cfb-aa5c-080c9ccb677a"
]

In addition, be sure you format your request as an array (that is, enclose your list of resources within square brackets). For example, suppose your body parameter looks like this:

"urn:ietf:params:oauth:client_id:37a7bf21-9ac5-48c5-96b5-c2173debee26"

In that case, your API call will fail with an error similar to this:

{
  "errors": "\"urn:ietf:params:oauth:client_id:37a7bf21-9ac5-48c5-96b5-c2173debee26\" cannot be stored in type []string: json: cannot unmarshal string into Go value of type []string"
}
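Because PUT replaces the whole set, the safe way to add one resource is a read-modify-write: fetch the current list, merge the new entry in, and PUT the full list back. The following is an added Python example, not code from the page or from the product's own SDK. It reuses the base URL and path layout from the page's sample requests; the customer ID, policy ID and access token it uses are placeholders, and the in-memory API stand-in exists only so the example runs offline. The array check in build_put_request rejects the bare-string body that produces the unmarshal error shown above before the request is ever sent.

```python
import json
import urllib.request

# Base URL and path layout taken from this page's sample requests.
BASE_URL = "https://v1.api.us.janrain.com"


def indicators_url(customer_id, token_policy_id):
    return (f"{BASE_URL}/{customer_id}/config/tokenPolicies/"
            f"{token_policy_id}/allowedResourceIndicators")


def merged_resources(current, additions):
    """Full replacement list: every existing indicator plus the new ones,
    de-duplicated and order-preserving. PUT replaces the whole set, so the
    body must carry the existing entries as well."""
    seen, merged = set(), []
    for r in list(current) + list(additions):
        if r not in seen:
            seen.add(r)
            merged.append(r)
    return merged


def build_put_request(customer_id, token_policy_id, access_token, resources):
    """Build (but do not send) the PUT request. Only a list of strings is
    accepted; a bare string body fails server-side with the []string error."""
    if not isinstance(resources, list) or not all(isinstance(r, str) for r in resources):
        raise TypeError("body must be a JSON array of resource indicator strings")
    body = json.dumps(resources).encode("utf-8")
    headers = {
        "Authorization": f"Bearer {access_token}",
        "Content-Type": "application/json",
    }
    return urllib.request.Request(indicators_url(customer_id, token_policy_id),
                                  data=body, headers=headers, method="PUT")


def add_resource(fetch_current, send, customer_id, token_policy_id, access_token, new_resource):
    """Read-modify-write: GET the current list, merge, PUT the full set.
    fetch_current(customer_id, policy_id) and send(request) are injected so
    the same logic works against the live API or the offline stand-in."""
    current = fetch_current(customer_id, token_policy_id)
    desired = merged_resources(current, [new_resource])
    return send(build_put_request(customer_id, token_policy_id, access_token, desired))


class InMemoryPolicyApi:
    """Constructed offline stand-in for the endpoint: stores one allowed-resource
    list per (customerId, tokenPolicyId) and applies PUT as a full replacement."""

    def __init__(self, initial):
        self.store = {k: list(v) for k, v in initial.items()}

    def get(self, customer_id, token_policy_id):
        return list(self.store[(customer_id, token_policy_id)])

    def send(self, req):
        if req.get_method() != "PUT":
            raise ValueError("stand-in only implements PUT")
        parts = req.full_url.split("/")          # .../{customerId}/config/tokenPolicies/{policyId}/...
        key = (parts[3], parts[6])
        self.store[key] = json.loads(req.data.decode("utf-8"))
        return list(self.store[key])


if __name__ == "__main__":
    old = "urn:ietf:params:oauth:client_id:20b3c1e3-9798-4cfb-aa5c-080c9ccb677a"
    new = "urn:ietf:params:oauth:client_id:37a7bf21-9ac5-48c5-96b5-c2173debee26"
    api = InMemoryPolicyApi({("customer-placeholder", "policy-placeholder"): [old]})
    print(add_resource(api.get, api.send, "customer-placeholder", "policy-placeholder",
                       "token-placeholder", new))   # both URNs, the old one kept
```

To run it against the real endpoint, pass a fetch_current that performs the GET from the previous section and a send that calls urllib.request.urlopen on the built request; the merge and validation logic stays the same.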


URI Parameters

URI parameters that must be included in the request are listed in the following table:

Parameter         Type    Required  Description
{customerId}      string  Yes       Unique identifier of the organization associated with the token policy.
{tokenPolicyId}   string  Yes       Unique identifier for the token policy.


Authentication

This endpoint requires token-based authentication. To obtain an access token, you must employ a configuration client (using the client ID as the username and the client secret as the password) to access the /{customerId}/login/token endpoint. The access token returned from the token endpoint is then used in the Authorization header of your API call. For example, if you get back the access token Ki712dpGq5GPQcsxMHY6ShHY7wU_iTs0o9dPx4TEzf5yLIvddjnDVBJxjPDucf5YVB then your Authorization header will look like this when using Curl:

-H 'Authorization: Bearer Ki712dpGq5GPQcsxMHY6ShHY7wU_iTs0o9dPx4TEzf5yLIvddjnDVBJxjPDucf5YVB'

In Postman, set the Authorization Type to Bearer and use the access token as the value of the Token field.


Sample Request (curl)

The following command sets the allowed resources for token policy 5a1e3d0e-7a57-48ce-aa9c-b303345f5747:

curl -X PUT \
  'https://v1.api.us.janrain.com/e0a70b4f-1eef-4856-bcdb-f050fee66aae/config/tokenPolicies/5a1e3d0e-7a57-48ce-aa9c-b303345f5747/allowedResourceIndicators' \
  -H 'Authorization: Bearer dgqJbjCmon__P9OXLz5ulJtpS-jupleB-MBejblVMZHS8Nc-EeMSl91_b76WhtdA' \
  -H 'Content-Type: application/json' \
  --data-raw '[
    "urn:ietf:params:oauth:client_id:37a7bf21-9ac5-48c5-96b5-c2173debee26"
  ]'

To remove all the resources from a token policy, simply set the body parameter to an empty array:

[]

Responses

200 OK

If your API call succeeds, you’ll get back a collection containing all the allowed resources for the token policy:

[
    "urn:ietf:params:oauth:client_id:37a7bf21-9ac5-48c5-96b5-c2173debee26"
]


Error Response Codes

The following table includes information about some of the other response codes that you might encounter when calling this endpoint.

Response Code   Description
403             Forbidden. Typically occurs when you make a call using an invalid configuration token. This is usually because the token has expired (configuration tokens have a maximum lifetime of 1 hour). However, it’s also possible that the token wasn’t issued a scope that permits access to this endpoint. See the article API Security for Configuration for more information.
404             Not found. The specified token policy could not be found. This generally occurs because you referenced an invalid policy ID or customer ID when making your API call.
422             Unprocessable entity. Typically occurs if your body parameter isn't formatted as JSON (for example, a bare string instead of an array).