
OAuth 2.0 OBO Credential Injection Policy

Policy Name

OAuth 2.0 OBO Credential Injection

Summary

Exchanges incoming bearer tokens using the OAuth 2.0 Token Exchange (RFC 8693) or Microsoft Entra ID On-Behalf-Of protocols

Category

Security

First Flex Gateway version available

v1.11.0

Returned Status Codes

No return codes exist for this policy. Error codes are returned from the upstream service.

Summary

The OAuth 2.0 On-Behalf-Of (OBO) Credential Injection policy exchanges an incoming bearer token for a new token scoped to a specific upstream service. The policy supports the OAuth 2.0 Token Exchange (RFC 8693) and Microsoft Entra ID On-Behalf-Of protocols. This policy is applied to outbound traffic (gateway to the backend service) so that the OAuth 2.0 token the backend service expects is obtained automatically.

The policy extracts the Bearer token from the incoming request’s Authorization header and sends a token exchange request to the token endpoint. The policy then replaces the Authorization header with the new token returned from the token exchange service and forwards the modified request to the backend service.

Configuring Policy Parameters

Flex Gateway Local Mode

The OAuth 2.0 OBO Credential Injection policy isn’t supported in Local Mode.

Managed Flex Gateway and Flex Gateway Connected Mode

When you apply the policy to your API instance from the UI, the following parameters are displayed:

Parameter Description

Token Exchange Flow

Token exchange flow: OAuth 2.0 Token Exchange (RFC 8693) or Microsoft Entra ID On-Behalf-Of.

Client ID

OAuth 2.0 client ID for token exchange.

Client Secret

OAuth 2.0 client secret for token exchange.

Token Endpoint

OAuth 2.0 token endpoint URL.

Target Type

Parameter type for specifying the target service. Required for OAuth 2.0 Token Exchange flow. Supported values:

  • Audience: Logical identifier of the target service (default)

  • Resource: Physical URI of the target resource (RFC 8707)

Target Value

Target audience URI or resource URI for the exchanged token. Required for OAuth 2.0 Token Exchange flow.

Scope

OAuth 2.0 scope to request. Required for Microsoft Entra OBO (for example, api://downstream-client-id/.default). Optional for OAuth 2.0 Token Exchange (RFC 8693).

Timeout

Timeout for token exchange requests in milliseconds. Default: 10000.
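The following is an added example, not the policy's own implementation, that walks through the mechanism described in the Summary (extract the Bearer token, POST a token exchange request, replace the Authorization header) using the parameters listed above. It builds the request body for both flows: the RFC 8693 token-exchange grant with an audience or resource field, and the Entra ID OBO request (jwt-bearer grant with requested_token_use=on_behalf_of). The PolicyConfig field names, the fake_token_endpoint stand-in, the inbound header values and the returned token strings are all constructed for this example; the Timeout parameter is passed to the injected HTTP function so the example runs offline, and the client credentials are sent as form fields (RFC 6749 also allows HTTP Basic), which is an assumption about the gateway's client authentication.

```python
"""Added example (not MuleSoft's policy code): outbound OBO credential injection
for the RFC 8693 Token Exchange and Microsoft Entra ID On-Behalf-Of flows."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"  # RFC 8693
JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"          # Entra OBO
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"       # RFC 8693 sec. 3


@dataclass
class PolicyConfig:
    """Mirrors the UI parameters on this page; field names are this example's own."""
    flow: str                       # "rfc8693" or "entra_obo" (Token Exchange Flow)
    client_id: str                  # Client ID
    client_secret: str              # Client Secret
    token_endpoint: str             # Token Endpoint
    target_type: str = "audience"   # Target Type: "audience" or "resource" (RFC 8693 only)
    target_value: Optional[str] = None   # Target Value
    scope: Optional[str] = None     # Scope
    timeout_ms: int = 10000         # Timeout, default 10000 ms


def extract_bearer(headers: Dict[str, str]) -> str:
    """Pull the subject token out of the inbound Authorization header."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise ValueError("inbound request carries no Bearer token")
    return token.strip()


def build_exchange_body(cfg: PolicyConfig, subject_token: str) -> Dict[str, str]:
    """Form fields POSTed to the token endpoint for the selected flow."""
    body = {"client_id": cfg.client_id, "client_secret": cfg.client_secret}
    if cfg.flow == "rfc8693":
        if cfg.target_type not in ("audience", "resource"):
            raise ValueError("target_type must be 'audience' or 'resource'")
        if not cfg.target_value:
            raise ValueError("target_value is required for the RFC 8693 flow")
        body.update({
            "grant_type": TOKEN_EXCHANGE_GRANT,
            "subject_token": subject_token,
            "subject_token_type": ACCESS_TOKEN_TYPE,
            cfg.target_type: cfg.target_value,   # "audience", or "resource" per RFC 8707
        })
        if cfg.scope:                            # scope is optional in this flow
            body["scope"] = cfg.scope
    elif cfg.flow == "entra_obo":
        if not cfg.scope:                        # e.g. api://downstream-client-id/.default
            raise ValueError("scope is required for the Entra OBO flow")
        body.update({
            "grant_type": JWT_BEARER_GRANT,
            "requested_token_use": "on_behalf_of",
            "assertion": subject_token,
            "scope": cfg.scope,
        })
    else:
        raise ValueError(f"unknown flow {cfg.flow!r}")
    return body


def inject_credentials(cfg: PolicyConfig, headers: Dict[str, str],
                       post: Callable[[str, Dict[str, str], float], Dict[str, str]]) -> Dict[str, str]:
    """Return a copy of the request headers with the exchanged token injected.
    `post(url, form_fields, timeout_seconds)` is the HTTP client to use."""
    subject = extract_bearer(headers)
    body = build_exchange_body(cfg, subject)
    resp = post(cfg.token_endpoint, body, cfg.timeout_ms / 1000.0)
    if "access_token" not in resp:
        # This example fails closed; the real policy surfaces upstream error codes.
        raise RuntimeError(f"token endpoint error: {resp.get('error', 'unknown')}")
    outbound = dict(headers)
    outbound["Authorization"] = f"Bearer {resp['access_token']}"
    return outbound


def fake_token_endpoint(url: str, body: Dict[str, str], timeout_s: float) -> Dict[str, str]:
    """Constructed stand-in for the token endpoint; issues made-up tokens."""
    if body.get("grant_type") == TOKEN_EXCHANGE_GRANT and ("audience" in body or "resource" in body):
        return {"access_token": "xchg-" + body["subject_token"], "token_type": "Bearer",
                "issued_token_type": ACCESS_TOKEN_TYPE, "expires_in": "3600"}
    if body.get("grant_type") == JWT_BEARER_GRANT and body.get("requested_token_use") == "on_behalf_of":
        return {"access_token": "obo-" + body["assertion"], "token_type": "Bearer", "expires_in": "3600"}
    return {"error": "unsupported_grant_type"}


# Constructed sample configuration and inbound request.
RFC_CFG = PolicyConfig(flow="rfc8693", client_id="gateway-client", client_secret="example-secret",
                       token_endpoint="https://idp.example/oauth2/token",
                       target_type="audience", target_value="orders-api")
OBO_CFG = PolicyConfig(flow="entra_obo", client_id="gateway-client", client_secret="example-secret",
                       token_endpoint="https://login.example/tenant/oauth2/v2.0/token",
                       scope="api://downstream-client-id/.default")
INBOUND_HEADERS = {"Authorization": "Bearer eyJ.inbound.token", "X-Request-Id": "constructed-1"}

if __name__ == "__main__":
    for cfg in (RFC_CFG, OBO_CFG):
        print(cfg.flow, inject_credentials(cfg, INBOUND_HEADERS, fake_token_endpoint)["Authorization"])
```

In a deployment the `post` argument would wrap a real HTTP client that honours the timeout and TLS-validates the token endpoint; the injected function is what keeps the example runnable offline. Note that the inbound headers are copied rather than mutated, so the original bearer token never leaks into the outbound request alongside the exchanged one.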