phantom_token_client_credential

The `phantom_token_client_credential` directive configures the base64-encoded client credentials for OAuth token introspection in the Phantom Token NGINX Module.

Syntax: phantom_token_client_credential base64_client_id:base64_client_secret;
Default: none
Context: location
Arguments: 2

Description

The phantom_token_client_credential directive supplies the client credentials that the Phantom Token NGINX Module presents to the Curity Identity Server when it performs OAuth 2.0 Token Introspection. The directive expects two parameters: a base64-encoded client ID and client secret pair. When a request arrives with a bearer token in the Authorization header, NGINX extracts that token and calls the configured introspection endpoint, authenticating with the credentials set by this directive. If introspection reports the token as valid, the module takes the corresponding JWT from the response and forwards it to the backend service in place of the opaque token. If the token is invalid or absent, the module denies access with a 401 Unauthorized response.

The argument for this directive must be supplied in base64-encoded form, which is the form in which the client ID and client secret are sent to the introspection endpoint. Any mistake in the encoded credentials causes the introspection call itself to fail, so every request to the protected backend API is rejected. With the directive set correctly, only requests carrying a token that introspects as valid reach protected resources, which is the intended access-control behaviour for a microservices architecture.
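The flow described above, simulated in Python as an added example (this is not code from the Phantom Token module or from Curity). The introspection endpoint is replaced by an in-memory mock, and the client ID, client secret, opaque token values and JWT string are all constructed for the example; the helper names are assumptions. The point it shows is that three different failures (missing bearer token, inactive token, mis-encoded client credential) all end in a 401 from the gateway, while only an active token with a JWT in the introspection response is forwarded.

```python
"""Simulation of the phantom token pattern: extract the bearer token,
introspect it with client credentials, then forward the JWT or reject."""
import base64
from typing import Dict, Optional, Tuple

# Constructed sample values for the example; none of these are real.
CLIENT_ID = "api-gateway-client"
CLIENT_SECRET = "constructed-secret-value"
SAMPLE_JWT = "eyJhbGciOiJSUzI1NiJ9.constructed-payload.constructed-signature"

# Constructed stand-in for the introspection endpoint's token store.
# RFC 7662 responses carry "active"; the phantom token pattern adds the JWT.
INTROSPECTION_DB: Dict[str, dict] = {
    "opaque-abc123": {"active": True, "jwt": SAMPLE_JWT},
    "opaque-expired": {"active": False},
}


def encode_client_credential(client_id: str, client_secret: str) -> str:
    """Base64-encode 'client_id:client_secret' as used for HTTP Basic auth."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_client_credential(value: str) -> Optional[Tuple[str, str]]:
    """Reverse of encode; None when the value is not valid base64 or lacks ':'."""
    try:
        raw = base64.b64decode(value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    if ":" not in raw:
        return None
    client_id, secret = raw.split(":", 1)
    return client_id, secret


def extract_bearer_token(headers: Dict[str, str]) -> Optional[str]:
    """Return the token from 'Authorization: Bearer <token>', else None."""
    auth = headers.get("Authorization")
    if auth is None:
        return None
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def mock_introspect(token: str, basic_credential: str) -> Tuple[int, dict]:
    """Mock introspection endpoint: checks the client credential, then the token."""
    if decode_client_credential(basic_credential) != (CLIENT_ID, CLIENT_SECRET):
        return 401, {}  # wrong or mis-encoded client credential
    return 200, INTROSPECTION_DB.get(token, {"active": False})


def phantom_token_filter(headers: Dict[str, str],
                         basic_credential: str) -> Tuple[int, Optional[str]]:
    """Gateway decision: (200, forwarded Authorization header) or (401, None)."""
    token = extract_bearer_token(headers)
    if token is None:
        return 401, None  # no bearer token on the request
    status, body = mock_introspect(token, basic_credential)
    if status != 200 or not body.get("active") or "jwt" not in body:
        return 401, None  # introspection failed or token inactive
    return 200, "Bearer " + body["jwt"]


if __name__ == "__main__":
    good = encode_client_credential(CLIENT_ID, CLIENT_SECRET)
    print(phantom_token_filter({"Authorization": "Bearer opaque-abc123"}, good))
    print(phantom_token_filter({"Authorization": "Bearer opaque-expired"}, good))
    print(phantom_token_filter({}, good))
    print(phantom_token_filter({"Authorization": "Bearer opaque-abc123"}, "YTpi"))
```

Note that the last case, a credential that decodes fine but does not match what the introspection endpoint expects, is indistinguishable at the client from a bad token: both surface as a 401, which is why the encoding of this directive's value is the first thing to check when every request is rejected.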

Config Example

location /api {
    phantom_token_client_credential base64_encoded_client_id:base64_encoded_client_secret;
    phantom_token_introspection_endpoint http://introspection.endpoint.com;
}

Ensure that the base64 client credentials are correctly encoded; incorrect encoding causes the introspection call to fail and every request to be rejected.

Be cautious with sensitive information exposure; do not hard-code credentials in publicly accessible configurations. Base64 is an encoding, not encryption, so the credentials are only protected in transit if the introspection endpoint is reached over TLS.

Make sure the introspection endpoint is correctly configured and reachable; if the token cannot be introspected, the request is denied.
