Auth code and external call back URL

Hi 

I have worked on the scenario where the application makes a call to Apigee with code, and I am also aware of the scenario where Apigee acts as the authorization server.

I am trying to fetch the authorization code from the query parameter of a callback URL (Postman in this scenario). Will I be able to fetch this code? If yes, could you please help with the same? Thanks in advance.



@vidhuisha wrote:

I am trying to fetch the authorization code from the query parameter of a callback URL (Postman in this scenario). Will I be able to fetch this code? If yes, could you please help with the same.T


It sounds to me that you have an API proxy, and you're making a call, a request into that proxy, and there is a query parameter in the request, which contains a value (the authorization code), and you would like to retrieve, or examine, or extract the value of that query parameter. And you want to know if this is possible, and if so, how.

If my understanding of your question is correct, then the answer is YES, you can fetch the value of a query parameter within the context of an API proxy. It's very easy. Just reference the variable request.queryparam.PARAMNAME where PARAMNAME is replaced with the name of the query parameter. This is possible regardless of the meaning you attach to the query parameter. If it's an auth code, or a ticket ID, or a timespan, or whatever.... you retrieve it within the context of an API proxy the same way: by name of the query parameter.

Within the API proxy, you can reference that "context variable" in a variety of places:

Here's an example of referring to the query parameter in a Condition element: testing for its absence, and raising a fault in that case:

  <Flow name='f1'>
    <Request>
      <!-- raise a fault if the needed query param is absent -->
      <Step>
        <Name>RF-Missing-Parameter</Name> <!-- a RaiseFault policy -->
        <Condition>request.queryparam.param1 = null</Condition>
      </Step>
      <!-- ... further steps ... -->
    </Request>
  </Flow>

In the OAuthV2 policy you might refer to the variable within the Code element: 

<OAuthV2 name="OAuthV2-Generate-Access-Token">
  <ExternalAuthorization>false</ExternalAuthorization>
  <Operation>GenerateAccessToken</Operation>

  <!-- 1800000 = 30 minutes -->
  <ExpiresIn>1800000</ExpiresIn>

  <!-- 691200000 = 8 days -->
  <RefreshTokenExpiresIn>691200000</RefreshTokenExpiresIn>

  <!-- To override the default code (a formparam) use the Code element -->
  <!-- https://cloud.google.com/apigee/docs/api-platform/reference/policies/oauthv2-policy#codeelement     -->
  <Code>request.queryparam.code</Code>

  <SupportedGrantTypes>
    <GrantType>authorization_code</GrantType>
  </SupportedGrantTypes>

  <GenerateResponse />
  <RFCCompliantRequestResponse>true</RFCCompliantRequestResponse>
</OAuthV2>

But I will make some other comments about your question. As I understand from the relevant part of the OAuthV2 specification (IETF RFC 6749 sec 4.1.3), when redeeming the auth code for a token, the code is supposed to be sent in a FORM parameter, not a query parameter.

If you are actually sending the code as a form parameter, and you simply misstated that you were using a query parameter, then .... you can use request.formparam.PARAMNAME to refer to the form parameter.

This is documented in the variables reference documentation page.
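
The two halves of the exchange discussed in this thread, seen from the client side, as an added example that is not part of the original posts or of Apigee's own code: reading the code from the callback URL's query string, then placing it in the form body of the token request as RFC 6749 sec 4.1.3 describes. The function names, the `state` check, the redirect URI and all sample values are assumptions constructed for illustration; client authentication for the token request is sent separately and is omitted here.

```javascript
// Added example: constructed values throughout; none come from the original thread.

// Pull the authorization code out of the redirect (callback) URL that the
// authorization server sent the user agent to (RFC 6749 sec 4.1.2).
function parseCallback(callbackUrl, expectedState) {
  const params = new URL(callbackUrl).searchParams;

  // An error response carries "error" instead of "code" (sec 4.1.2.1).
  if (params.has('error')) {
    return { ok: false, reason: 'authorization_error:' + params.get('error') };
  }
  // Reject a callback whose state does not match the value this client sent.
  if (!expectedState || params.get('state') !== expectedState) {
    return { ok: false, reason: 'state_mismatch' };
  }
  // A repeated parameter is ambiguous; refuse rather than pick one.
  const codes = params.getAll('code');
  if (codes.length !== 1 || codes[0] === '') {
    return { ok: false, reason: 'missing_or_duplicate_code' };
  }
  return { ok: true, code: codes[0] };
}

// Build the token request body: the code travels as a form parameter
// (application/x-www-form-urlencoded), per RFC 6749 sec 4.1.3.
function buildTokenRequestBody(code, redirectUri) {
  return new URLSearchParams({
    grant_type: 'authorization_code',
    code: code,
    redirect_uri: redirectUri,
  }).toString();
}

// Constructed sample input.
const REDIRECT_URI = 'https://client.example/callback';
const sample = REDIRECT_URI + '?code=SAMPLE%2Bcode%2F123&state=xyz-state-1';
const result = parseCallback(sample, 'xyz-state-1');
if (result.ok) {
  console.log(buildTokenRequestBody(result.code, REDIRECT_URI));
}
```

On the proxy side, a body built this way is what `request.formparam.code` reads, while the callback's query string corresponds to `request.queryparam.code`.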