OTK Require OAuth 2.0 Token assertion failed

Article ID: 140546

Products

CA API Gateway API SECURITY STARTER PACK-7

Issue/Introduction

The following message was recorded in the Audit log.


NONE 3457c649096f7e74d5cba6d43e283f45 Gateway01 20191101 10:10:10.101 WARNING XyzAPI [/xyzapi/v1/*] Message was not processed: Assertion Falsified (600)

Usually the following message is expected as well, and Code=-4 is shown in the Associated Logs.

 

2019-10-10T10:10:10.101+0900 INFO 868 com.l7tech.server.policy.assertion.ServerAuditDetailAssertion: -4: error: invalid_request, error_description: Access token does not exist (expired, revoked, replaced, unknown, ...). access_token='8d4b737f-0a04-4dda-a2c5-cec2eff8c4d4'


Are there any similar defects reported for API Gateway 9.4?

A "Custom Error Response" assertion is placed after the "OTK Require OAuth 2.0 Token" assertion, but the OTK assertion left no error message in the Audit log.

Cause

This is working as designed, not a defect.

Environment

Release : 9.4

Component : API GATEWAY

Resolution

The message "com.l7tech.server.policy.assertion.ServerAuditDetailAssertion: -4: error: invalid_request, error_description: Access token does not exist (expired, revoked, replaced, unknown, ...). access_token=..." is not recorded by the "OTK Require OAuth 2.0 Token" assertion when no access_token is passed in the request at all. The -4 detail is only written when a token was presented and then rejected.

The "Custom Error Response" assertion does not log anything itself; it is simply triggered by the event "status 600 (Assertion Falsified)", so its presence after the OTK assertion does not add an audit detail.
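For an operator triaging these events, the practical consequence of the behaviour above is that a "600 (Assertion Falsified)" audit record with a -4 detail means a token was presented and rejected, while the same record without any -4 detail most likely means the client sent no token. The following Python script is an added example, not code from the article or from CA/Broadcom: it parses the two log formats quoted above, correlates an audit record with its associated log lines, and reports which case applies, masking the token value so the report never echoes a usable credential. The regular expressions, the sample "unrelated" detail line, and the verdict names are assumptions made for this example.

```python
import re
from typing import Optional

# Constructed samples modelled on the two log formats quoted in the article.
# The audit record is the one shown above; the associated lines are made up
# so that both outcomes (token rejected / no token presented) can be shown.
AUDIT_RECORD = (
    "NONE 3457c649096f7e74d5cba6d43e283f45 Gateway01 20191101 10:10:10.101 "
    "WARNING XyzAPI [/xyzapi/v1/*] Message was not processed: Assertion Falsified (600)"
)
ASSOCIATED_INVALID_TOKEN = (
    "2019-10-10T10:10:10.101+0900 INFO 868 "
    "com.l7tech.server.policy.assertion.ServerAuditDetailAssertion: -4: error: invalid_request, "
    "error_description: Access token does not exist (expired, revoked, replaced, unknown, ...). "
    "access_token='8d4b737f-0a04-4dda-a2c5-cec2eff8c4d4'"
)
# Constructed line that is not an OTK -4 detail, to show it is ignored.
ASSOCIATED_UNRELATED = (
    "2019-10-10T10:10:10.102+0900 INFO 868 "
    "com.l7tech.server.policy.assertion.ServerAuditDetailAssertion: some other detail"
)

# Audit record layout assumed from the article's sample: flag, 32-hex request id,
# node, yyyymmdd, time, level, service, [resolution path], free-text message.
AUDIT_RE = re.compile(
    r"^(?P<flag>\S+) (?P<request_id>[0-9a-f]{32}) (?P<node>\S+) (?P<date>\d{8}) "
    r"(?P<time>[\d:.]+) (?P<level>[A-Z]+) (?P<service>\S+) \[(?P<path>[^\]]*)\] (?P<message>.*)$"
)
STATUS_RE = re.compile(r"\((?P<status>\d+)\)\s*$")
# Associated-log detail layout assumed from the article's sample; the
# access_token='...' suffix is optional so lines without it still parse.
DETAIL_RE = re.compile(
    r"ServerAuditDetailAssertion: (?P<code>-?\d+): error: (?P<error>\w+), "
    r"error_description: (?P<description>.*?)(?:\s+access_token='(?P<token>[^']*)')?$"
)


def parse_audit_record(line: str) -> Optional[dict]:
    """Parse one Audit log record; returns None if the line is not in that format."""
    m = AUDIT_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    status = STATUS_RE.search(rec["message"])
    rec["status"] = int(status.group("status")) if status else None
    return rec


def parse_audit_detail(line: str) -> Optional[dict]:
    """Parse a ServerAuditDetailAssertion error line; None if it is not one."""
    m = DETAIL_RE.search(line)
    if not m:
        return None
    detail = m.groupdict()
    detail["code"] = int(detail["code"])
    return detail


def mask_token(token: Optional[str]) -> Optional[str]:
    """Keep only the last four characters so a report never reveals a live token."""
    if token is None:
        return None
    return "*" * max(len(token) - 4, 0) + token[-4:]


def classify(audit_line: str, associated_lines: list) -> dict:
    """Decide why the OTK assertion falsified, from the audit record and its associated logs."""
    audit = parse_audit_record(audit_line)
    if audit is None or audit["status"] != 600:
        return {"verdict": "not_a_falsified_assertion", "detail_code": None, "token": None}
    detail = next((d for d in map(parse_audit_detail, associated_lines) if d is not None), None)
    if detail is not None and detail["code"] == -4:
        verdict = "token_rejected"  # a token was presented and OTK refused it
    else:
        # Per the article, the -4 detail is not written when no access_token is
        # passed, so a 600 without it is most likely a request carrying no token.
        verdict = "no_token_presented"
    return {
        "verdict": verdict,
        "request_id": audit["request_id"],
        "service": audit["service"],
        "path": audit["path"],
        "detail_code": detail["code"] if detail else None,
        "token": mask_token(detail["token"]) if detail else None,
    }


if __name__ == "__main__":
    for lines in ([ASSOCIATED_UNRELATED, ASSOCIATED_INVALID_TOKEN], [ASSOCIATED_UNRELATED]):
        print(classify(AUDIT_RECORD, lines))
```

Feed it the audit record plus the associated log lines that share the same request (the gateway's audit viewer groups them); the "no_token_presented" verdict is an inference from the behaviour described in the Resolution, so treat it as a strong hint rather than proof, and confirm by checking whether the client's request actually carried an Authorization header.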