ACCESS_HEADER
The ACCESS_HEADER element defines a specific header used by an IdP for
the access token.
Syntax
<ACCESS_HEADER>x-header-name</ACCESS_HEADER>
- x-header-name defines the header used by an IdP for the access token.
Child elements
There are no child elements.
Usage
By default, the GeneroAccessService looks for the access token in the HTTP
Authorization header. If your Identity Provider or load balancer forwards the token
in a different header (for example, Amazon Cognito via an Application Load Balancer), you must
tell the GeneroAccessService which header to inspect.
Add an <ACCESS_HEADER> element to your service configuration file
(xcf) to specify the header name that carries the access token.
- If <ACCESS_HEADER> is present, the GeneroAccessService will read the token from the named header instead of the default Authorization.
- Header name comparison is case-insensitive, but the recommendation is to use lowercase.
Example: Application configuration file with access header
This is an example of an application configuration using delegation from Amazon Cognito behind
the Amazon load balancer, where the access token is forwarded via an HTTP header called
"x-amzn-oidc-accesstoken".
<?xml version="1.0" encoding="UTF-8" ?>
<APPLICATION Parent="ws.default"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:noNamespaceSchemaLocation="https://4js.com/ns/gas/6.00/cfextws.xsd">
  <EXECUTION>
    <PATH>$(res.deployment.path)</PATH>
    <MODULE>myservice</MODULE>
    <DELEGATE service="services/GeneroAccessService">
      <IDP>https://foobar.amazoncognito.com</IDP>
      <!-- Read the access token from this header instead of Authorization -->
      <ACCESS_HEADER>x-amzn-oidc-accesstoken</ACCESS_HEADER>
      <SCOPE>email</SCOPE>
      <CLIENT_PUBLIC_ID>XXXXXXXX.apps.myAmzIdpusercontent.com</CLIENT_PUBLIC_ID>
      <CLIENT_SECRET_ID>XXXXXX-XXXXXX</CLIENT_SECRET_ID>
    </DELEGATE>
  </EXECUTION>
</APPLICATION>
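A configuration check for the setup described above, written in Python as an added example (not part of the Genero documentation or product): it reads an xcf, reports which header carries the access token, flags a header name that is not lowercase, and looks that header up case-insensitively in a set of request headers. The function names and the sample values are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

DEFAULT_HEADER = "authorization"  # default lookup location described above

# Constructed sample, modelled on the configuration shown above; the
# mixed-case header name is deliberate so the audit has something to report.
SAMPLE_XCF = """<?xml version="1.0" encoding="UTF-8" ?>
<APPLICATION Parent="ws.default">
  <EXECUTION>
    <PATH>$(res.deployment.path)</PATH>
    <MODULE>myservice</MODULE>
    <DELEGATE service="services/GeneroAccessService">
      <IDP>https://foobar.amazoncognito.com</IDP>
      <ACCESS_HEADER>X-Amzn-Oidc-AccessToken</ACCESS_HEADER>
    </DELEGATE>
  </EXECUTION>
</APPLICATION>"""


def audit_access_header(xcf_text):
    """Return (header_to_inspect, warnings) for the DELEGATE block of an xcf."""
    root = ET.fromstring(xcf_text.encode("utf-8"))
    delegate = root.find(".//DELEGATE")
    if delegate is None:
        return None, ["no DELEGATE element found"]
    warnings = []
    elems = delegate.findall("ACCESS_HEADER")
    if not elems:
        return DEFAULT_HEADER, warnings  # element absent: default header applies
    name = (elems[0].text or "").strip()
    if len(elems) > 1:
        warnings.append("more than one ACCESS_HEADER; only the first is audited")
    if not name:
        return None, warnings + ["ACCESS_HEADER is empty"]
    if name != name.lower():
        warnings.append("header name is not lowercase; recommended: " + name.lower())
    return name.lower(), warnings


def find_token(request_headers, header_name):
    """Case-insensitive lookup of header_name in a dict of request headers."""
    wanted = header_name.lower()
    for key, value in request_headers.items():
        if key.lower() == wanted and value.strip():
            return value.strip()
    return None
```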
Parent elements
This element is a child of the DELEGATE element.