Instead of using Cache policy, can we use custom attributes like code challenge, code challenge type etc embbeded into the auth code and then checking them back during the POST request to generate the token using auth code, code verifier?

Thanks,

Anand

@Dino @Dino-at-Google Can we use the above approach, highlighted by @Anand Gururaja , where code_challenge store as a custom attribute in code flow and later /token flow just use attribute (code_challenge) to verify ?
Please suggest

Yes, I think that is a good idea. ...

@Dino-at-Google I just browsed through the repo implementation, and stumbled over:

    <Flow name="token">
              <!--
                  The app uses this request to exchange the code for a token.
                  Example:
      
                  POST /devjam3/oauth2-ac/token?
                    grant_type=authorization_code
                    &client_id=wlq93FiqTw1si09wsocM7AjOBSbyi4
                    &client_secret=78djdkdjdkjd<br>

And indeed, I can't get it to work if I don't pass a client_secret. However, if I get RFC 7636 correctly, the whole point of PKCE is to avoid distributing client secrets to public clients (where PKCE provides means to protect specific attacks).

Hence, I tried setting ExternalAuthorization to true in the OAuth2 policy (following the docs) in order to avoid the client secret (that I don't want to include in the request) being checked. Due to some magic that still seems to happen, I keep ending up with HTTP 500 and the following error:

{"fault":{"faultstring":"Invalid client identifier {0}","detail":{"errorcode":"oauth.v2.InvalidClientIdentifier"}}}<br>

I double-checked that the client_id parameter is still passed and a valid API key. If I set oauth_external_authorization_status to true, the error I'm receiving is upgraded to:

{"fault":{"faultstring":"Invalid access token","detail":{"errorcode":"oauth.v2.InvalidAccessToken"}}}

Is there any specific setting that skips client authentication (using client_secret), but still generates an access token? I think that would be a plausible addition to the example repo.

Br,
Dominik

Yes, good point.

PKCE attempts to avoid the requirement to pass secrets. And in fact the client_secret here need not be secret. It's redundant.

Unfortunately, The Apigee OAuthV2 policy requires a client_secret when Operation=GenerateAccessToken. There is no way, currently, to configure the Apigee policy to use PKCE which does not require the client_secret.

In the non-PKCE flow, the client app passes the client_secret and the policy within the API Proxy just references it through a context variable. In the PKCE flow, we don't NEED it. My implementation was ... ok, let me just say it... sloppy.

The way to correct this in the implementation is, within the API Proxy, to use an AccessEntity policy to retrieve the client_secret for the client_id that is passed in. Then reference THAT client_secret.

I'll modify the repo. and post-back when it's ready.

Thanks for the quick reply! I worked around it meanwhile by setting the oauth_external_authorization_status variable to true in an AssignMessage policy, and the

ExternalAuthorizationCode element to request.formparam.code in the OAuthV2 policy. Since the auth code is dumped anyway (as opposed to ExternalAccessToken), it doesn't really hurt.

Using AccessEntity to fetch the client_secret would have been my fallback solution 🙂

Oh and just to add the detail: I've also added the client_id as a key fragment along with the auth code. So I can be pretty sure that it is valid at the point I'm generating the access token, and set the oauth_external_authorization_status with some confidence.

OK, I've updated the repo so that redemption of code-for-token does not require the client_secret. Check it out.

(I have not updated the screencast)

Hi Dino,

We are unable to deploy the proxy which is attached in the GitHub https://github.com/DinoChiesa/Edge-OAuthV2-PKCE-Proxy

Also when you are doing a POST to exchange the code and verifier for a token we have to pass clientsecret in the POSTMAN. Is there a way to avoid it in PKCE ?

What's the problem with deployment? I haven't looked at that proxy in a while. It relies on Hosted Target, which I think perhaps is no longer supported. That could be the reason that it fails to deploy.

To answer your second question.... Is there a way to avoid passing clientsecret in postman? Yes. In Apigee you can do that. In fact I have modified the repo to not require the client secret. You can see that in the commit message of the most recent commit.

The trick is, OAuthV2/GenerateAccessToken requires a client secret. In fact the policy requires that the client id and client secret are encoded as a basic-auth Authorization header.

The proxy makes sure that happens, starting with just the client id. The way it works is, it uses the AccessEntity policy, referencing the clientid, to retrieve the client secret. Then it encodes the clientid and secret into a basic-auth header. This is the relevant section in the OAuthv2 proxy:

        <!-- get the client secret -->
        <Step>
          <Name>AE-App</Name>
        </Step>
        <Step>
          <Name>JS-ExtractClientSecret</Name>
        </Step>


        <Step>
          <Name>AM-SetRequiredParameters</Name>
        </Step>


 

If you have more questions on this, I suggest you start a new thread, a new question.

Thanks for the reply. Is if possible to have update proxy which is working based on PKCE as the one currently on Git is not getting deployed.

I'll see what I can do. What problem are you experiencing on deployment?

I ran below command using my ORG and ENV. I am using cloud apigee edge instance(https://apigee.com/login)

node ./provision.js -v -o praviningawale-eval -e test

It asks for username and password and then gives attached output.

script-output.png

Pravin, you're experiencing a networking problem. The likely problem is, you have a network firewall in place, which is restricting the nodejs script from connecting to api.enterprise.apigee.com . Often you will need to authenticate through an outbound firewall to be able to connect to external system. I suggest you connect with your networking experts to find out what you need to do to connect via that firewall.

To help sort out the firewall / networking issue, You could also try connecting outbound with curl, or other command-line tools. The issue is probably not limited to this particular nodejs script, nor to nodejs in general, nor to the particular external endpoint (api.enterprise.apigee.com), but to any command-line tool that attempts to connect with any external endpoint.

Your browser is probably set up to properly connect to the outside world through a forward proxy or firewall. You need something similar for the terminal, in order to allow you to use the command-line tool for this demo.

To add to Dinos comment, you will typically need to set the HTTPS_PROXY and HTTP_PROXY variables as described here.

Hi Dino,

Instead of opting for opening the firewall which itself will take us very long time I thought of manually configuring the proxy by creating all policies manually(though it took some time)

Looking at your proxy I have created few new proxies

I have create two proxies.

First proxy endpoint is oauth/authorize.

When I hit this end point with below request I get the Authcode in the browser itself. The redirect URL is not specified in the call and it uses which is configured in the APPS and it itself a login app.

curl --location --request GET 'https://abv-add-ingress.asasa.com/oauth/authorize?response_type=code&client_id=SSSDDFFFb6NCKN9sBG7TyEJAcZNHL3W1X7PviMYTT27&code_challenge=j_wjZ-C6GRtv7_asasajXZ9LqqgTWsvKGO_EaCyqI&code_challenge_method=S256'

Second Proxy end point is oauth2/token and below is CURL which returns the Access Token

curl --location --request POST 'https://abv-add-ingress.asasa.com/oauth2/token?grant_type=authorization_code' \

--header 'Content-Type: application/x-www-form-urlencoded' \

--header 'Authorization: Basic SASASASA2I2TkNLTjlzQkc3VHlFSkFjWk5ITDNXMVg3UHZpTVlUVDI3OmJFdXlsSDRlVks5UlEwNjZVYjNNQmxIbE5XSUd6dWVXYzlRN3hQVVJ5TnZvSW9KZmJzR283Z3FjblMzYTVOQXg=' \

--data-urlencode 'grant_type=authorization_code' \

--data-urlencode 'client_id=ASASASASNCKN9sBG7TyEJAcZNHL3W1X7PviMYTT27' \

--data-urlencode 'code=DSDS4D#' \

--data-urlencode 'code_verifier=SY3lZFZvCXJ0FtNOtFmTJN_3EXjiGa2oBDM1toppG52HYjsQs-dnCshySXFozm2IXJLGz8qYrs48xaCIcz_2x9G6CI6_CeI9n2ns54qDZQ3

My question here is how to combine both these two end points in the single proxy and store the code challenge from GET request and use in POST. I think you have used 'jsc://importJsonToContext.js' to get the context. Is this the same way we have to do. If you have sample proxy then please share it too.

Hi Pravin,

I didn't mean to say you'd need to CREATE a firewall, but rather that THERE IS a firewall, and you need to configure your terminal session to allow it to connect through it. This is analogous to configuring your browser to be able to connect through the corporate firewall. Often the browser configuration is done automatically for you, but the configuration for a shell prompt is not. Your corporate network security people would be able to advise. It's usually a very easy effort.

In any case, ...

Normally the /authorize and /token flows are part of the same API proxy bundle, and in the same Proxy Endpoint. I think the example I showed here for PKCE uses a single proxyendpoint for these requests.

So I would suggest that you did not need to create multiple distinct proxies, and the way to combine them is ... don't do that. Just create one.

Maybe follow the example in the github repo.

I think you have used 'jsc://importJsonToContext.js' to get the context.

That script ... yes, there is a context that is cached ... See CP-AuthorizationSession. The format of the data is json. The JSON just stores a bunch of information related to the session. That session is initiated during handling of /authorize , before redirecting to the login app.

The login-and-consent experience needs some of that information. The session proxyendpoint allows the login-and-consent experience to retrieve it.

The session information is also used when the login-and-consent experience generates an authcode.

The thing you asked about, importJsonToContext.js... is just a Javascript that takes a string JSON (which in this case the proxy retrieved from cache) and populates context variables with the data in the json. This allows subsequent policies to use the data that had been encoded in the JSON.

I suppose you will need something like this ... some sort of session ... to handle Authorization Code with PKCE.

Hi Dino,

As per your suggestion I have combine both the endpoints into a single proxy.

There is one issue I have been facing since then.

The proxy is failing at below step

<Step> <Name>RF-BadSession</Name>

<Condition>authtx = null</Condition>

</Step>

I tried to find out as to where this variable is getting set. I have checked all the AM policies and Cache Populate policy but could not find how and when this variable is set.

Can you please suggest.

https://github.com/DinoChiesa/Edge-OAuthV2-PKCE-Proxy/blob/ae0de6f67d04e2ae16be0bb59325de94ccb7b582/...

Denis,

I have looked at it earlier and it uses lookup cache policy. What I understand is that it should have a corresponding Populate Cache policy... isn't it ?

There exist one Populate Cache policy named 'CP-AuthorizationSession', but it does not store any variable named 'authtx'