Common Features

Below are common features in the Gluu OAuth and UMA plugins.

Phantom Token

Some deployments require the use of a bearer token outside of the internal network and a JWT token within it. This phantom token approach is similar to a reverse proxy, adding a layer of insulation between external requests and the internal network.


This feature is available in both the gluu-oauth-auth and the gluu-uma-auth plugins. To enable the phantom token feature, set pass_credentials='phantom_token' in the plugin configuration.


Set access_token_as_jwt: false and rpt_as_jwt: false in the client registration; otherwise, the client returns the access token as a JWT by default.

Dynamic Resource Protection

This feature is available for the gluu-oauth-pep and gluu-uma-pep plugins.


Three elements make path registration and protection more dynamic:

  • ? matches any one path element
  • ?? matches zero or more path elements
  • {regexp} matches a single path element against a PCRE

The priority of the elements is:

  1. Exact match
  2. Regexp match
  3. ?
  4. ??


A slash (/) is required before multiple-wildcard placeholders.


A ? in the HTTP method allows all HTTP methods.


You can use these elements to register more dynamic paths for required_acrs_expression in the gluu-openid-connect plugin.


Assume that all paths below are registered in one plugin:

Register Path Allow path Deny path
  • /folder/file.ext
  • /folder/file2
  • Allow all the paths
  • /folder/file.ext
  • /folder/file
  • /folder/123/file
  • /folder/xxx/file
  • /path/
  • /path/xxx
  • /path/xxx/yyy/file
  • /path - a trailing slash is required
  • /path/one/two/image.jpg
  • /path/image.jpg
  • /path/xxx/image.jpg - ? has higher priority than ??
  • /path/abc/image.jpg
  • /path/xyz/image.jpg
  • /users/123/todos
  • /users/xxx/photos
  • /users/123/todos/
  • /users/123/todos/321
  • /users/123/photos/321
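
The matching and priority rules above, sketched as an added Python example (not Gluu Gateway's own code) that picks which registered pattern wins for a request path. The registered patterns are constructed to fit the sample paths listed above, Python's `re` stands in for PCRE, and the handling of empty elements and of a trailing `??` is an interpretation of the rules as stated.

```python
import re

# Lower rank wins: exact 0, {regexp} 1, ? 2, ?? 3 (the priority list above).
WILDCARD_RANK = {"?": 2, "??": 3}

def split(path):
    # "/a/b/" -> ["a", "b", ""]: a trailing slash leaves an empty last element.
    return path.split("/")[1:]

def rank(element):
    if element in WILDCARD_RANK:
        return WILDCARD_RANK[element]
    return 1 if element.startswith("{") and element.endswith("}") else 0

def matches(pattern, segs):
    if not pattern:
        return not segs
    head, rest = pattern[0], pattern[1:]
    kind = rank(head)
    if kind == 3:
        # ?? may take zero elements only when more pattern follows; a trailing
        # ?? still needs the slash before it, so "/path/??" rejects "/path".
        first = 0 if rest else 1
        return any(matches(rest, segs[n:]) for n in range(first, len(segs) + 1))
    if not segs:
        return False
    if kind == 1:
        # Python's re stands in for PCRE; fullmatch pins it to one element.
        ok = re.fullmatch(head[1:-1], segs[0]) is not None
    else:
        # Assumption: ? also accepts an empty element (a bare trailing slash).
        ok = kind == 2 or head == segs[0]
    return ok and matches(rest, segs[1:])

def resolve(registered, path):
    """Return the highest-priority registered pattern that matches, or None."""
    segs = split(path)
    hits = [p for p in registered if matches(split(p), segs)]
    return min(hits, key=lambda p: [rank(e) for e in split(p)], default=None)

# Constructed registrations, chosen to fit the sample paths listed above.
REGISTERED = ["/path/??/image.jpg", "/path/?/image.jpg",
              "/path/{abc|xyz}/image.jpg", "/folder/file.ext"]

if __name__ == "__main__":
    for p in ["/path/xxx/image.jpg", "/path/abc/image.jpg", "/path/image.jpg",
              "/path/one/two/image.jpg", "/folder/file"]:
        print(f"{p:26} -> {resolve(REGISTERED, p)}")
    print(resolve(["/path/??"], "/path"), resolve(["/path/??"], "/path/"))
```

A `None` result means no registered pattern covers the path, which is the case to look for when auditing a set of registrations for gaps.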