StandardOauth2AccessTokenProvider

Description:

Provides OAuth 2.0 access tokens that can be used as a Bearer authorization header in HTTP requests. Can use either Resource Owner Password Credentials Grant or Client Credentials Grant. Client authentication can be done either with HTTP Basic authentication or in the request body.

Tags:

oauth2, provider, authorization, access token, http

Properties:

In the list below, the names of required properties appear in bold. Any other properties (not in bold) are considered optional. The table also indicates any default values, and whether a property supports the NiFi Expression Language.

| Display Name | API Name | Default Value | Allowable Values | Description |
|---|---|---|---|---|
| Authorization Server URL | authorization-server-url | | | The URL of the authorization server that issues access tokens.<br>Supports Expression Language: true (will be evaluated using variable registry only) |
| Client Authentication Strategy | client-authentication-strategy | REQUEST_BODY | • REQUEST_BODY: Send client authentication in request body. RFC 6749 Section 2.3.1 recommends Basic Authentication instead of request body.<br>• BASIC_AUTHENTICATION: Send client authentication using HTTP Basic authentication. | Strategy for authenticating the client against the OAuth2 token provider service. |
| Grant Type | grant-type | User Password | • User Password: Resource Owner Password Credentials Grant. Used to access resources available to users. Requires username and password and usually Client ID and Client Secret.<br>• Client Credentials: Client Credentials Grant. Used to access resources available to clients. Requires Client ID and Client Secret.<br>• Refresh Token: Refresh Token Grant. Used to get fresh access tokens based on a previously acquired refresh token. Requires Client ID and Client Secret (apart from Refresh Token). | The OAuth2 Grant Type to be used when acquiring an access token. |
| Username | service-user-name | | | Username on the service that is being accessed.<br>Supports Expression Language: true (will be evaluated using variable registry only)<br>This Property is only considered if the [Grant Type] Property has a value of "User Password". |
| Password | service-password | | | Password for the username on the service that is being accessed.<br>Sensitive Property: true<br>This Property is only considered if the [Grant Type] Property has a value of "User Password". |
| Refresh Token | refresh-token | | | Refresh Token.<br>Sensitive Property: true<br>Supports Expression Language: true (will be evaluated using variable registry only)<br>This Property is only considered if the [Grant Type] Property has a value of "Refresh Token". |
| Client ID | client-id | | | No Description Provided.<br>Supports Expression Language: true (will be evaluated using variable registry only) |
| Client secret | client-secret | | | No Description Provided.<br>Sensitive Property: true<br>This Property is only considered if the [Client ID] Property has a value specified. |
| Scope | scope | | | Space-delimited, case-sensitive list of scopes of the access request (as per the OAuth 2.0 specification) |
| Resource | resource | | | Resource URI for the access token request defined in RFC 8707 Section 2 |
| Audience | audience | | | Audience for the access token request defined in RFC 8693 Section 2.1 |
| Refresh Window | refresh-window | 0 s | | The service will attempt to refresh tokens expiring within the refresh window, subtracting the configured duration from the token expiration. |
| SSL Context Service | ssl-context-service | | Controller Service API: SSLContextService<br>Implementations: StandardRestrictedSSLContextService, StandardSSLContextService | No Description Provided. |
| HTTP Protocols | HTTP Protocols | h2 http/1.1 | • http/1.1: HTTP/1.1<br>• h2 http/1.1: HTTP/2 and HTTP/1.1 negotiated based on requested protocols<br>• h2: HTTP/2 | HTTP Protocols supported for Application Layer Protocol Negotiation with TLS<br>This Property is only considered if the [SSL Context Service] Property has a value specified. |
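
The following sketch is an added example, not NiFi's own code. It shows what the token request looks like on the wire under each Client Authentication Strategy and Grant Type, and how a Refresh Window moves the refresh point ahead of expiry. Form parameter names come from RFC 6749; the function names and sample credentials are constructed, a Client ID and Client secret are assumed to be set, and the refresh comparison is an assumption based on the Refresh Window description.

```python
import base64
from urllib.parse import quote_plus, urlencode

# Grant Type display names on this page -> RFC 6749 grant_type values
GRANT_TYPES = {
    "User Password": "password",
    "Client Credentials": "client_credentials",
    "Refresh Token": "refresh_token",
}

def build_token_request(strategy, grant_type, client_id, client_secret,
                        username=None, password=None, refresh_token=None,
                        scope=None, resource=None, audience=None):
    """Return (headers, body) for a POST to the Authorization Server URL."""
    form = {"grant_type": GRANT_TYPES[grant_type]}
    if grant_type == "User Password":
        form.update(username=username, password=password)
    elif grant_type == "Refresh Token":
        form["refresh_token"] = refresh_token
    # Optional parameters: Scope, Resource (RFC 8707), Audience (RFC 8693)
    for key, value in (("scope", scope), ("resource", resource), ("audience", audience)):
        if value:
            form[key] = value
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if strategy == "BASIC_AUTHENTICATION":
        # RFC 6749 Section 2.3.1: form-encode id and secret, then Basic-encode the pair
        pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
        headers["Authorization"] = "Basic " + base64.b64encode(pair.encode()).decode()
    elif strategy == "REQUEST_BODY":
        # The secret becomes an ordinary form field in the request body
        form.update(client_id=client_id, client_secret=client_secret)
    else:
        raise ValueError(f"unknown client authentication strategy: {strategy}")
    return headers, urlencode(form)

def needs_refresh(expires_at, now, refresh_window):
    """True once 'now' reaches the expiration minus the refresh window (all in seconds)."""
    return now >= expires_at - refresh_window

if __name__ == "__main__":
    # Constructed sample credentials, not real values
    for strategy in ("REQUEST_BODY", "BASIC_AUTHENTICATION"):
        headers, body = build_token_request(
            strategy, "Client Credentials", "nifi-client", "s3cr3t/+", scope="read write")
        print(strategy, headers, body, sep="\n  ")
    print(needs_refresh(expires_at=3600, now=3400, refresh_window=300))
```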

State management:

This component does not store state.

Restricted:

This component is not restricted.

System Resource Considerations:

None specified.