Hi Sue,
I'm pretty sure that Access Policies are only invoked for browser flows (e.g. /authorize) because their primary response (other than permit or deny) is to cause a redirect for authentication. That wouldn't make sense for an API caller at /token.
If you want to prevent an access token from being issued at /token you'll need to put this logic in the pre-token mapping rule. In that JavaScript context you should have access to the scope being requested so you can make the decision. If you want to stop processing I think you'd throw an exception which will cause an error response to be returned to the caller.
Jon.
------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
------------------------------
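To make the suggestion above concrete, here is an added example (not part of the original reply, and not IBM's sample code) of the scope gate a pre-token mapping rule could apply. The decision logic is plain ES5 JavaScript so it runs both under the appliance's Rhino engine and under Node; the ISVA-specific glue at the bottom (the `stsuu` context attribute lookup for the request scope, and `OAuthMappingExtUtils.throwSTSUserMessageException` to abort with an error response) is my reading of the sample mapping rules and should be verified against your appliance version. The allow-list is constructed for the example.

```javascript
// Added example: scope gate for an ISVA/ISAM OAuth pre-token mapping rule.
// Pure ES5 so it runs under the appliance's Rhino engine and under Node.
// ASSUMPTION: the stsuu / OAuthMappingExtUtils names at the bottom follow
// the appliance sample mapping rules; check them against your version.

// Scopes this API protection definition is willing to mint tokens for.
// Constructed for the example; replace with the real list.
var ALLOWED_SCOPES = ["openid", "profile", "read:orders"];

// Normalise the scope parameter. /token may carry it as one space-delimited
// string ("openid profile"); inside the mapping rule it arrives as a Java
// String[]. Return a plain array of non-empty scope names either way.
function normaliseScopes(raw) {
  if (raw === null || raw === undefined) return [];
  var list = [];
  var i;
  if (typeof raw === "string") {
    list = raw.split(/\s+/);
  } else {
    // Java array or JS array: copy by index, then re-split in case an
    // element is itself space-delimited.
    for (i = 0; i < raw.length; i++) list.push(String(raw[i]));
    list = list.join(" ").split(/\s+/);
  }
  var out = [];
  for (i = 0; i < list.length; i++) if (list[i]) out.push(list[i]);
  return out;
}

// Requested scopes that are not on the allow-list (exact, case-sensitive).
function disallowedScopes(requested, allowed) {
  var bad = [];
  for (var i = 0; i < requested.length; i++) {
    if (allowed.indexOf(requested[i]) === -1) bad.push(requested[i]);
  }
  return bad;
}

// Decide whether a token may be issued. Throws on any out-of-policy scope
// so the rule aborts and the caller gets an error instead of a token.
// An empty scope list is refused as well: this check does not know what
// default scopes the definition would apply, so it fails closed.
function enforceScopePolicy(rawScope, allowed) {
  var requested = normaliseScopes(rawScope);
  if (requested.length === 0) {
    throw new Error("invalid_scope: no scope requested");
  }
  var bad = disallowedScopes(requested, allowed);
  if (bad.length > 0) {
    throw new Error("invalid_scope: not permitted: " + bad.join(" "));
  }
  return requested;
}

// Boolean form of the same decision, for callers that prefer no exception.
function isScopeRequestPermitted(rawScope, allowed) {
  try {
    enforceScopePolicy(rawScope, allowed);
    return true;
  } catch (e) {
    return false;
  }
}

// Glue for the ISVA pre-token mapping rule context. Only runs when the
// rule-engine globals exist, so this file is inert under Node.
// ASSUMPTION: attribute name/type and the exception helper are taken from
// the sample rules; confirm them on your appliance.
if (typeof stsuu !== "undefined" && typeof OAuthMappingExtUtils !== "undefined") {
  var requestedScope = stsuu.getContextAttributes()
    .getAttributeValuesByNameAndType("scope", "urn:ibm:names:ITFIM:oauth:request");
  try {
    enforceScopePolicy(requestedScope, ALLOWED_SCOPES);
  } catch (e) {
    // Surfaces to the /token caller as an error response, not a token.
    OAuthMappingExtUtils.throwSTSUserMessageException(e.message);
  }
}
```

Two design points worth noting: the comparison is an exact allow-list rather than a prefix or wildcard match, so a client cannot smuggle `read:orders:admin` past a check for `read:orders`; and a request with no scope is refused rather than trusted to whatever default the definition applies, which is the safer direction when the whole point is to restrict what gets minted. If the pre-token rule also fires for grant types you do not want to gate (refresh, for instance), wrap the glue in a check on the request type before calling `enforceScopePolicy`.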
Original Message:
Sent: Thu September 09, 2021 07:08 AM
From: Sue BAYLISS
Subject: Can Access Policies be applied to OAuth token endpoint requests
I've created an Access Policy based on the OAuth 2.0 sample and added some IDMappingExtUtils.traceString("trace message"); lines. I've created an OpenID Connect and API Protection Definition and selected the Access Policy, and defined an associated client. I've deployed and published changes and restarted the runtime Docker container.
I can successfully obtain an OAuth 2.0 access token using /mga/sps/oauth/oauth20/token but the Access Policy is not driven (I enabled trace and don't see my custom trace messages in my access policy). I found an article with an example which showed Access Policy being driven for the authorization endpoint, so wondered if Access Policies are only applicable to those endpoints for OAuth 2.0.
My intent is to only allocate an access_token if the token request contains a limited set of scopes. Is this possible with Access Policies or should I use the Mapping Rules?
Thanks
------------------------------
Sue
------------------------------