Data Obfuscation Support

The REST Adapter supports the obfuscation of sensitive data, such as client ID, client secret, scopes, API key, and others. Obfuscation is available when you configure the Authorization Request, Access Token Request, and Refresh Token Request fields for the OAuth Custom Three Legged Flow security policy, and the Access Token Request and Refresh Token Request fields for the OAuth Custom Two Legged Flow security policy.

When creating the curl commands for these security policies on the Connections page, you may have data that you don't want to expose in clear text. For example, you may want to hide the client_secret value exposed in the curl command:

  &client_secret=xxxasdfasdfadasdfasdfasdfasdfas

To hide this data, you can assign variables to your curl command parameters, such as &scope=${security_field_3}, &client_secret=${security_field_2}, &client_id=${security_field_1}, and others.

The following example shows the OAuth Custom Three Legged Flow security policy with assigned variables. You can follow a similar convention if using the OAuth Custom Two Legged Flow security policy.


The Security page shows a button for Provide Consent and fields for Security policy, Authorization Request, and Access Token Request. Below this is an Optional security section that can be expanded.

You then expand the Optional security section, and enter the actual values for these variables in obfuscated format.


The Security Field 1, Security Field 2, Security Field 3, and Security Field 4 fields are shown. The first three fields show obfuscated values.

Up to four security fields are supported:
  • ${security_field_1}
  • ${security_field_2}
  • ${security_field_3}
  • ${security_field_4}

Data obfuscation is an optional feature. You can use variables where you want and leave other parameter values in clear text format. You can also continue to leave all data in clear text format. The choice is yours. See Configure Connection Security.
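
The following Python check is an added example, not part of the REST Adapter or its documentation. It scans a request field for secrets left in clear text and for ${security_field_N} variables outside the four supported fields; the SENSITIVE name list, the function name, and the sample strings are assumptions made for this illustration.

```python
import re

# Parameter/header names treated as secrets (an assumption of this example;
# add client_id, scope or others to match your provider).
SENSITIVE = frozenset({"client_secret", "api_key", "account_password"})
# name=value (query string) or name:value (header); '?' ends a URL path.
PAIR = re.compile(r"([A-Za-z_][A-Za-z0-9_]*)\s*[=:]\s*([^&\s'\"?]*)")
FIELD = re.compile(r"\$\{security_field_(\d+)\}")
SUPPORTED = {"1", "2", "3", "4"}  # the four fields listed above


def audit_request(command, sensitive=SENSITIVE):
    """Return sorted (name, problem) findings for one request field."""
    findings = set()
    for name, value in PAIR.findall(command):
        # A sensitive parameter must be exactly one security-field variable.
        if name.lower() in sensitive and not FIELD.fullmatch(value):
            findings.add((name, "clear-text value"))
    for number in FIELD.findall(command):
        # Catch typos such as ${security_field_5}, which has no backing field.
        if number not in SUPPORTED:
            findings.add(("security_field_" + number, "unsupported field"))
    return sorted(findings)


# Constructed sample inputs modelled on the use cases on this page.
CLEAR = ("-X POST https://auth.company.com/oauth/token?grant_type=authorization_code"
         "&code=${auth_code}&client_id=1234556789&api_key=12345654321"
         "&client_secret=xxxasdfasdfadasdfasdfasdfasdfas&redirect_uri=${redirect_uri}")
HIDDEN = ("-X POST https://auth.company.com/oauth/token?grant_type=authorization_code"
          "&code=${auth_code}&client_id=1234556789&api_key=${security_field_2}"
          "&client_secret=${security_field_1}&redirect_uri=${redirect_uri}")
TYPO = "-X POST -H 'account_password:${security_field_5}' https://auth.company.com/oauth/token"

if __name__ == "__main__":
    for label, cmd in (("clear", CLEAR), ("hidden", HIDDEN), ("typo", TYPO)):
        print(label, audit_request(cmd))
```

Runtime variables such as ${auth_code}, ${refresh_token}, and ${redirect_uri} are not flagged, because only names in SENSITIVE are checked.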

Use Case 1

This use case shows how to obfuscate the api_key value with security_field_2 and client_secret value with security_field_1.

Without Security Fields:

Access token request:
-X POST https://auth.company.com/oauth/token?grant_type=authorization_code&code=${auth_code}&client_id=1234556789&api_key=12345654321&client_secret=xxxasdfasdfadasdfasdfasdfasdfas&redirect_uri=${redirect_uri}

Refresh token request:
-X POST https://auth.company.com/oauth/token?grant_type=refresh_token&refresh_token=${refresh_token}&client_id=1234556789&client_secret=xxxasdfasdfadasdfasdfasdfasdfas

With Security Fields:

Access token request:
-X POST https://auth.company.com/oauth/token?grant_type=authorization_code&code=${auth_code}&client_id=1234556789&api_key=${security_field_2}&client_secret=${security_field_1}&redirect_uri=${redirect_uri}

Refresh token request:
-X POST https://auth.company.com/oauth/token?grant_type=refresh_token&refresh_token=${refresh_token}&client_id=1234556789&client_secret=${security_field_1}

Use Case 2

This use case also shows how to obfuscate the api_key with security_field_2 and client_secret with security_field_1.

Without Security Fields:

Access token request:
-X POST https://auth.company.com/oauth/token?grant_type=authorization_code&code=${auth_code}&client_id=1234556789&api_key=12345654321&client_secret=xxxasdfasdfadasdfasdfasdfasdfas&redirect_uri=${redirect_uri}

Refresh token request:
-X POST https://auth.bullhornstaffing.com/oauth/token?grant_type=refresh_token&refresh_token=${refresh_token}&api_key=12345654321&client_id=1234556789&client_secret=xxxasdfasdfadasdfasdfasdfasdfas

With Security Fields:

Access token request:
-X POST https://auth.company.com/oauth/token?grant_type=authorization_code&code=${auth_code}&client_id=1234556789&api_key=${security_field_2}&client_secret=${security_field_1}&redirect_uri=${redirect_uri}

Refresh token request:
-X POST https://auth.bullhornstaffing.com/oauth/token?grant_type=refresh_token&refresh_token=${refresh_token}&client_id=1234556789&api_key=${security_field_2}&client_secret=${security_field_1}

Use Case 3

This use case also shows how to obfuscate the api_key with security_field_2 and the client_secret with security_field_1.

Without Security Fields:

Access token request:
-X POST -H 'account_password:${security_field_3}' https://auth.company.com/oauth/token?grant_type=authorization_code&code=${auth_code}&client_id=1234556789&api_key=12345654321&client_secret=xxxasdfasdfadasdfasdfasdfasdfas&redirect_uri=${redirect_uri}

With Security Fields:

Access token request:
-X POST https://auth.company.com/oauth/token?grant_type=authorization_code&code=${auth_code}&client_id=1234556789&api_key=${security_field_2}&client_secret=${security_field_1}&redirect_uri=${redirect_uri}