400 in the oauth2 proxy when a user doesn’t submit scope

I want to check in Apigee Edge if no scope is passed in the token request. How can I raise a fault and add it to the flow? I am new to Apigee Edge, so any help would be appreciated. Thanks.


According to RFC 6749, which defines OAuth V2.0, both the authorization and the token endpoints accept an optional scope parameter.

The authorization endpoint is a GET request; the token endpoint accepts a POST request. The spec says that for the authorization endpoint, the scope param should be a query parameter. The spec does not say how to pass the scope param into the token endpoint, but since it does say that all the other required and optional parameters sent to the token endpoint are form parameters, it would make sense for the optional scope to also be a form parameter in the token request.

You said

if no scope is passed in the token request how can I raise fault and add it to the flow?

...so I'm assuming that the request you're talking about is to the token endpoint, hence the scope param would be a form parameter.

Therefore you need something like this in your flow:

<Step>
  <Condition>request.formparam.scope = null</Condition>
  <Name>RF-Invalid-Request</Name>
</Step>
<Step>
  <Name>OAuthV2-GenerateAccessToken</Name>
</Step>

According to what you suggested, I would like to add that my business requirement is a bit different: we source our tokens from Okta and scopes are technically required, so we should get an error if they don't request any. So, according to this, how should I raise a fault, and can I use request.content to check in the token flow?

I don't know. I don't know how you have Okta connected to your Apigee. I don't know what the requests look like.

So the best I can do without further details is give you a general answer: Depending on where the "scope" parameter is expected, you can check different things and use different syntax in the Condition in Apigee.
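To make the first reply's flow steps concrete, and to show the "check different things depending on where scope arrives" point from the reply above, here is an added example (not code from either reply) of the RaiseFault policy behind RF-Invalid-Request together with a conditional flow that uses it. The flow name, the "/token" path suffix and the error message text are assumptions.

```xml
<!-- RaiseFault policy referenced by the flow step as RF-Invalid-Request.
     RaiseFault stops the flow, so OAuthV2-GenerateAccessToken never runs
     when the step's Condition is true (the proxy fails closed). -->
<RaiseFault async="false" continueOnError="false" enabled="true" name="RF-Invalid-Request">
  <DisplayName>RF-Invalid-Request</DisplayName>
  <FaultResponse>
    <Set>
      <Headers>
        <Header name="Content-Type">application/json</Header>
      </Headers>
      <!-- "invalid_request" is the RFC 6749 section 5.2 error code for a
           missing required parameter; the description text is an assumption -->
      <Payload contentType="application/json">{"error":"invalid_request","error_description":"The scope parameter is required."}</Payload>
      <StatusCode>400</StatusCode>
      <ReasonPhrase>Bad Request</ReasonPhrase>
    </Set>
  </FaultResponse>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</RaiseFault>

<!-- Conditional flow in the proxy endpoint (flow name and path suffix assumed).
     The first step fires when scope is absent or empty in the form body.
     If a client were expected to send scope as a query parameter instead,
     the same check would read request.queryparam.scope. -->
<Flow name="GenerateAccessToken">
  <Condition>(proxy.pathsuffix MatchesPath "/token") and (request.verb = "POST")</Condition>
  <Request>
    <Step>
      <Condition>(request.formparam.scope = null) or (request.formparam.scope = "")</Condition>
      <Name>RF-Invalid-Request</Name>
    </Step>
    <Step>
      <Name>OAuthV2-GenerateAccessToken</Name>
    </Step>
  </Request>
</Flow>
```

If the token request carries scope in a JSON body rather than as a form parameter, run an ExtractVariables policy with a JSONPayload rule first and test the variable it sets in the Condition instead of request.formparam.scope.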