Hi there,
I am using the Authorization Code flow.
Endpoints
Everything works fine until I want to hide my claims (Custom Attributes) in the Token Response.
I am using
<OAuthV2 async="false" continueOnError="false" enabled="true" name="OAuth-v20-1">
  <DisplayName>GenerateToken</DisplayName>
  <Operation>GenerateAccessToken</Operation>
  <Attributes>
    <Attribute name="myClaim1" display="false"/>
    ....
  </Attributes>
  ...
  <GenerateResponse enabled="true"/>
  <Tokens/>
</OAuthV2>
The result in Postman is that my custom attributes are indeed hidden when I get my Access Tokens.
However, when I try to consume a resource, the VerifyAccessToken policy verifies the token, but my custom attributes are unavailable!
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="verify-oauth-v2-access-token">
  <DisplayName>Verify OAuth v2.0 Access Token</DisplayName>
  <Operation>VerifyAccessToken</Operation>
</OAuthV2>
I then try to read my claims out in the PreFlow of the Target Endpoint:
var myClaim1 = context.getVariable("accesstoken.myClaim1");
Nothing is returned.
If I stop hiding my claims (or custom attributes), then it works fine and I am able to see my claim as a variable of the access token in the PreFlow of the Target Endpoint.
Wondering if someone is able to assist in either replicating the issue or directing me where I am going wrong.
P.S:
The above approach of
; was working with a Password Flow but is not with the Authorization Flow. The difference is that previously the custom attributes were being embedded and set to display false within the GenerateAccessToken Operation.
Hi
Not sure about your problem, but for sure, this element:
<Attributes>
  <Attribute name="myClaim1" display="false"/>
  ....
</Attributes>
...will always result in a blank or null value for myClaim1. There is no ref=. There is no text value.
Can you check it?
Hi @Dino,
Here is what I am trying to do:
Flow: /code
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="GenerateAuthCode">
  <DisplayName>GenerateAuthCode</DisplayName>
  <Properties/>
  <Attributes>
    <Attribute name="myClaim1" ref="request.formparam.myClaim1"/>
  </Attributes>
  <ExternalAuthorization>false</ExternalAuthorization>
  <Operation>GenerateAuthorizationCode</Operation>
  <SupportedGrantTypes/>
  <GenerateResponse enabled="true"/>
  <Tokens/>
</OAuthV2>
AIM: Bind a claim to the Auth Code that comes from the Form Param.
It is my understanding that attributes that are embedded in the Authorization Code are meant to be available when minting an Access Token; is that not the case?
Flow: /token
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="GenerateToken">
  <DisplayName>GenerateToken</DisplayName>
  <Operation>GenerateAccessToken</Operation>
  <ExpiresIn>900000</ExpiresIn>
  <RefreshTokenExpiresIn>3888000000</RefreshTokenExpiresIn>
  <SupportedGrantTypes>
    <GrantType>authorization_code</GrantType>
  </SupportedGrantTypes>
  <GrantType>request.queryparam.grant_type</GrantType>
  <Attributes>
    <Attribute name="myClaim1" display="false"/>
  </Attributes>
  <GenerateResponse enabled="true"/>
</OAuthV2>
AIM: Bind the claim in the Auth Code to the Token but do not send it to the calling app (third party).
Yes, I am missing a ref attribute here, but I am unsure what it should be... maybe this is where I am going wrong?
Separate Resource Reverse-Proxy in Product:
/resource
Proxy Preflow
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="verify-oauth-v2-access-token">
  <DisplayName>Verify OAuth v2.0 Access Token</DisplayName>
  <Operation>VerifyAccessToken</Operation>
</OAuthV2>
Target Preflow
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Javascript async="false" continueOnError="false" enabled="true" timeLimit="200" name="GetDataFromToken">
  <DisplayName>GetDataFromToken</DisplayName>
  <Properties/>
  <ResourceURL>jsc://GetDataFromToken.js</ResourceURL>
</Javascript>
GetDataFromToken.js:
var myCustomClaim = context.getVariable("accesstoken.myClaim1");
AIM: Retrieve the custom claim from the Access Token and use it when calling the Resource.
Any help is appreciated.
Thanks,
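As an added example (not the poster's GetDataFromToken.js and not code from Apigee's documentation), here is a JavaScript callout in the Apigee style that reads the claim VerifyAccessToken exposes as the flow variable accesstoken.myClaim1 and refuses to forward the request to the target when the attribute is missing or blank, which is exactly the symptom described above, instead of calling the backend with an empty identity. The header name X-Resource-Claim, the fault variable claim.error and the makeFakeContext helper are assumptions made for illustration; the real Apigee runtime supplies the global context object.

```javascript
// Added example, not the original poster's script. Reads a custom attribute that
// VerifyAccessToken placed in the flow variable "accesstoken.myClaim1" and fails
// closed when it is absent. Written in ES5 because Apigee's JavaScript policy runs
// on a Rhino-based engine.

var CLAIM_VARIABLE = 'accesstoken.myClaim1';
// Hypothetical outbound header name chosen for this example.
var TARGET_HEADER = 'request.header.X-Resource-Claim';
// Hypothetical flow variable used to record why the claim lookup failed.
var ERROR_VARIABLE = 'claim.error';

// Returns the claim as a trimmed string, or null when the variable is unset or empty.
// Apigee returns null for variables that were never set; an attribute minted with
// no ref= (the thread's bug) shows up here as null or an empty string.
function readClaim(ctx) {
  var value = ctx.getVariable(CLAIM_VARIABLE);
  if (value === null || value === undefined) { return null; }
  value = String(value).trim();
  return value.length > 0 ? value : null;
}

// Copies the claim into the outbound request header and returns true, or records
// a fault reason and returns false so the proxy never forwards an unidentified request.
function forwardClaim(ctx) {
  var claim = readClaim(ctx);
  if (claim === null) {
    ctx.setVariable(ERROR_VARIABLE, 'custom attribute myClaim1 missing from access token');
    return false;
  }
  ctx.setVariable(TARGET_HEADER, claim);
  return true;
}

// Minimal stand-in for Apigee's "context" object so the logic can run offline
// (constructed for this example; it only models getVariable/setVariable).
function makeFakeContext(variables) {
  var store = {};
  var name;
  for (name in variables) {
    if (variables.hasOwnProperty(name)) { store[name] = variables[name]; }
  }
  return {
    getVariable: function (key) { return store.hasOwnProperty(key) ? store[key] : null; },
    setVariable: function (key, value) { store[key] = value; },
    vars: store
  };
}

// Inside Apigee the global "context" exists. Throwing here makes the JavaScript
// policy fail, which stops the flow as long as continueOnError is not "true".
if (typeof context !== 'undefined') {
  if (!forwardClaim(context)) {
    throw new Error(context.getVariable(ERROR_VARIABLE));
  }
}
```

Deploying this in place of a bare getVariable call turns the "nothing is returned" case into a visible policy fault in the trace, rather than a silent request to the backend with no claim attached.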
Yes, attributes that are attached to the code are automatically propagated to the access token when you generate the token. You do not need to include <Attribute name="myclaim1"...> in the configuration for GenerateAccessToken.
I suspect that by including the element as you have, you are over-writing the value that would have been propagated automatically and implicitly.
Try it.
Try eliminating the <Attribute> element in the GenerateAccessToken policy.
@Dino's comment:
I suspect that by including the element as you have, you are over-writing the value that would have been propagated automatically and implicitly.
...
Try eliminating the <Attribute> element in the GenerateAccessToken policy.
was correct.
The issue, though, was that removing the attribute in the GenerateAccessToken Policy made the attribute start to appear in the response, and I didn't want that.
Here is how I was able to solve it.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<GetOAuthV2Info async="false" continueOnError="false" enabled="true" name="GetAuthCodeInfo">
  <DisplayName>GetAuthCodeInfo</DisplayName>
  <AuthorizationCode ref="request.formparam.code"/>
</GetOAuthV2Info>
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="GenerateToken">
  <DisplayName>GenerateToken</DisplayName>
  <Operation>GenerateAccessToken</Operation>
  <ExpiresIn>900000</ExpiresIn>
  <RefreshTokenExpiresIn>3888000000</RefreshTokenExpiresIn>
  <SupportedGrantTypes>
    <GrantType>authorization_code</GrantType>
  </SupportedGrantTypes>
  <GrantType>request.formparam.grant_type</GrantType>
  <Attributes>
    <Attribute name="myClaim1" display="false" ref="oauthv2authcode.GetAuthCodeInfo.myClaim1"/>
  </Attributes>
  <GenerateResponse enabled="true"/>
</OAuthV2>
Hi Pradeep
I'm glad that worked for you.
I also suspect that if you had attached display="false" on the original GenerateAuthorizationCode, the claim would propagate to the token during GenerateAccessToken, without need for GetOAuthV2Info.