Converting Apigee OAuth2 token to JWT access token

Hello everyone,

I am looking for information on how I can convert an Apigee OAuth2.0 access token to a JWT token.

This Apigee OAuth2.0 access token has been created from OKTA JWT token using OA2 policy.

Now I am trying to find a way to go the reverse way and get the Okta JWT token from this Apigee access token.

Someone pls share info if it is possible.

Thanks


I am looking for information on how I can convert an Apigee OAuth2.0 access token to a JWT token.

In the general case, it is not possible to do that. These types of tokens are not informationally equivalent. An Apigee OAuth2 token is generally opaque; a JWT is not. They are not mutually convertible to each other.

This Apigee OAuth2.0 access token has been created from OKTA JWT token using OA2 policy.

I think I understand what you're saying, but ... the way you're saying it conveys a misleading idea. It is not possible to "create an Apigee OAuth2 token from an OKTA JWT". There is no operation in Apigee which creates a token "from" an Okta-generated JWT. It is possible for you to create an Apigee proxy which accepts an Okta-generated JWT and generates an OAuth2 token. But any informational relationship between the two tokens is something YOU manage and design. It's not inherent in the Apigee token itself.

To get a little more concrete, you might have an API proxy that accepts an Okta-generated JWT inbound and does this:

  • VerifyJWT - check that the token is valid, issued and signed by Okta, not expired, has the expected audience, etc.
  • VerifyAPIKey - assuming that there is a claim in the signed token that represents an Apigee-known client id, you can use VerifyAPIKey to validate that client id and then retrieve the metadata associated to the client app.
  • Using THAT information you could extract the client secret, and then pass the id and secret to the BasicAuthentication policy to create a Basic auth header.
  • OAuthV2/GenerateAccessToken with grant_type=client_credentials. This will look at the basic auth header and emit a token.

You COULD do something like that.

There's no general way to get the original Okta-issued JWT though.

Now, as you know from reading the documentation on the OAuthV2/GenerateAccessToken operation, it is possible for you to configure the policy to attach "custom attributes" to the token that Apigee generates. These can be strings of any value. I think there might be a length limit; check the limits documentation to find out (Google for "Apigee limits"). Anyway, in theory you could attach the Okta-generated JWT as a custom attribute on the Apigee-issued opaque access token. That tells Apigee to store the JWT in the token database. When a client then presents that Apigee-issued opaque token, an API proxy that invokes OAuthV2/VerifyAccessToken will retrieve all the metadata associated to the token (product authorization, expiry, etc.) as well as any custom attributes. So you could retrieve the original JWT in this way.

But it would be up to you to configure your token-issuing proxy to store the JWT, at the time of token generation. And I wouldn't describe this approach as "converting" an opaque Apigee-issued token to an Okta-issued JWT. There's no conversion. It's just storage and lookup.

HTH
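The four-step token-issuing flow and the custom-attribute storage described in the reply above, written out as Apigee policy XML. This is an added illustration, not code from the reply or from Apigee's documentation; it assumes the policy names shown, a flow variable `okta_jwt` already holding the raw inbound JWT (e.g. extracted from the Authorization header), an Okta claim named `cid` carrying the Apigee-known client id, a placeholder Okta domain, and that the caller sends `grant_type=client_credentials` as a form parameter.

```xml
<!-- 1. Validate the inbound Okta JWT: signature, issuer, audience, expiry.
     OKTA_DOMAIN_PLACEHOLDER and the okta_jwt variable are assumptions. -->
<VerifyJWT name="VJ-Okta">
  <Algorithm>RS256</Algorithm>
  <Source>okta_jwt</Source>
  <PublicKey>
    <JWKS uri="https://OKTA_DOMAIN_PLACEHOLDER/oauth2/default/v1/keys"/>
  </PublicKey>
  <Issuer>https://OKTA_DOMAIN_PLACEHOLDER/oauth2/default</Issuer>
  <Audience>api://default</Audience>
</VerifyJWT>

<!-- 2. Map a claim from the verified JWT (assumed: "cid") to an Apigee client id.
     On success this populates verifyapikey.VAK-ClientId.client_id / client_secret. -->
<VerifyAPIKey name="VAK-ClientId">
  <APIKey ref="jwt.VJ-Okta.claim.cid"/>
</VerifyAPIKey>

<!-- 3. Build a Basic auth header from the looked-up id and secret. -->
<BasicAuthentication name="BA-Encode">
  <Operation>Encode</Operation>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <User ref="verifyapikey.VAK-ClientId.client_id"/>
  <Password ref="verifyapikey.VAK-ClientId.client_secret"/>
  <AssignTo createNew="false">request.header.Authorization</AssignTo>
</BasicAuthentication>

<!-- 4. Issue the opaque token. The Okta JWT is stored as a custom attribute in the
     token store; display="false" keeps it out of the token response body. -->
<OAuthV2 name="OA2-Generate">
  <Operation>GenerateAccessToken</Operation>
  <SupportedGrantTypes>
    <GrantType>client_credentials</GrantType>
  </SupportedGrantTypes>
  <GrantType>request.formparam.grant_type</GrantType>
  <ExpiresIn>3600000</ExpiresIn>
  <Attributes>
    <Attribute name="okta_jwt" ref="okta_jwt" display="false"/>
  </Attributes>
  <GenerateResponse enabled="true"/>
</OAuthV2>

<!-- Later, in the proxy that protects the API: verifying the opaque token
     loads its metadata, and the stored JWT becomes readable as the flow
     variable accesstoken.okta_jwt. -->
<OAuthV2 name="OA2-Verify">
  <Operation>VerifyAccessToken</Operation>
</OAuthV2>
```

Policies 1 to 4 run in that order in the token-issuing proxy's request flow; only OA2-Verify runs in the resource proxy, and it is the lookup (not a conversion) that makes the original JWT available again.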