Custom Attributes when Display=False - VerifyToken does not pick them up

Hi there,

I am using the Authorization Code flow.

Endpoints

  • authorize - redirects to my login page
    • (Verify Key + 302 redirect via Raise Fault)
  • code - my login page calls this to create an auth code against a set of claims (Attributes)
    • Apigee generates an Authorisation Code and 302's to the redirect_uri with the AuthCode
      • oAuthV2Policy - GenerateAuthorizationCode Operation
  • token - the third party calls this with the AuthCode and gets tokens
    • oAuthV2 policy - GenerateAccessToken Operation

Everything works fine, till I want to hide my claims (Custom Attributes) in the Token Response.

I am using

<OAuthV2 async="false" continueOnError="false" enabled="true" name="OAuth-v20-1">
    <DisplayName>GenerateToken</DisplayName>
    <Operation>GenerateAccessToken</Operation>
    <Attributes>
        <Attribute name="myClaim1" display="false"/>
        ....
    </Attributes>
    ...
    <GenerateResponse enabled="true"/>
    <Tokens/>
</OAuthV2>


The result in Postman is that my custom attributes are indeed hidden when I get my Access Tokens.

However when I try to consume a resource - the VerifyAccessToken policy - verifies the token - but my custom attributes are unavailable!

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="verify-oauth-v2-access-token">
    <DisplayName>Verify OAuth v2.0 Access Token</DisplayName>
    <Operation>VerifyAccessToken</Operation>
</OAuthV2>


I then try to read my claims out in the PreFlow of the Target Endpoint:

var myClaim1 = context.getVariable("accesstoken.myClaim1");

Nothing is returned.

If I stop hiding my claims (or custom attributes) then it works fine and I am able to see my claim as a variable of the access token in the PreFlow of the Target Endpoint.

Wondering if someone is able to assist in either replicating the issue / directing me where I am going wrong.

P.S:

The above approach of

  • embedding claims as attributes
  • hiding them on token generation / refresh
  • and reading them on Target Endpoint Preflow

This was working with a Password Flow but is not with the Authorization Flow. The difference is that the custom attributes were previously being embedded and set to display="false" with the GenerateAccessToken Operation.


Hi

Not sure about your problem, but for sure, this element:

<Attributes>
<Attribute name="myClaim1" display="false"/>
....
</Attributes>

...will always result in a blank or null value for myClaim1. There is no ref= .

There is no text value.

Can you check it?

Hi @Dino,

Here is what I am trying to do:

Flow: /code

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="GenerateAuthCode">
    <DisplayName>GenerateAuthCode</DisplayName>
    <Properties/>
    <Attributes>
        <Attribute name="myClaim1" ref="request.formparam.myClaim1"/>
    </Attributes>
    <ExternalAuthorization>false</ExternalAuthorization>
    <Operation>GenerateAuthorizationCode</Operation>
    <SupportedGrantTypes/>
    <GenerateResponse enabled="true"/>
    <Tokens/>
</OAuthV2>

AIM: Bind a claim to the Auth Code that comes from the Form Param

It is my understanding that attributes that are embedded in the Authorization Code are meant to be available when minting an Access Token - is that not the case?

Flow: /token

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="GenerateToken">
    <DisplayName>GenerateToken</DisplayName>
    <Operation>GenerateAccessToken</Operation>
    <ExpiresIn>900000</ExpiresIn>
    <RefreshTokenExpiresIn>3888000000</RefreshTokenExpiresIn>
    <SupportedGrantTypes>
        <GrantType>authorization_code</GrantType>
    </SupportedGrantTypes>
    <GrantType>request.queryparam.grant_type</GrantType>
    <Attributes>
            <Attribute name="myClaim1" display="false"/>
    </Attributes>
    <GenerateResponse enabled="true"/>
</OAuthV2>

AIM: Bind Claim in Auth Code to Token but not send it to the Calling App (third party)

Yes, I am missing a ref attribute here - but unsure what it should be... maybe this is where I am going wrong?

Separate Resource Reverse-Proxy in Product:

/resource

Proxy Preflow

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="verify-oauth-v2-access-token">
    <DisplayName>Verify OAuth v2.0 Access Token</DisplayName>
    <Operation>VerifyAccessToken</Operation>
</OAuthV2>

Target Preflow

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Javascript async="false" continueOnError="false" enabled="true" timeLimit="200" name="GetDataFromToken">
    <DisplayName>GetDataFromToken</DisplayName>
    <Properties/>
    <ResourceURL>jsc://GetDataFromToken.js</ResourceURL>
</Javascript>

var myCustomClaim = context.getVariable("accesstoken.myClaim1");

AIM: Retrieve Custom claim from Access Token and use it when calling the Resource

Any help is appreciated.

Thanks,

Yes - attributes that are attached to the code are automatically propagated to the access token when you generate the token. You do not need to include <Attribute name="myclaim1"...> in the configuration for GenerateAccessToken.

I suspect that by including the element as you have, you are over-writing the value that would have been propagated automatically and implicitly.

Try it.

Try eliminating the <Attribute> element in the GenerateAccessToken policy.

@Dino's comment:

I suspect that by including the element as you have, you are over-writing the value that would have been propagated automatically and implicitly.

...

Try eliminating the <Attribute> element in the GenerateAccessToken policy.

...was correct.

The issue though was that removing the attribute in the GenerateAccessToken Policy made the attribute start to appear in the response - and I didn't want that.

Here is how I was able to solve it.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<GetOAuthV2Info async="false" continueOnError="false" enabled="true" name="GetAuthCodeInfo">
    <DisplayName>GetAuthCodeInfo</DisplayName>
    <AuthorizationCode ref="request.formparam.code"/>
</GetOAuthV2Info>

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="GenerateToken">
    <DisplayName>GenerateToken</DisplayName>
    <Operation>GenerateAccessToken</Operation>
    <ExpiresIn>900000</ExpiresIn>
    <RefreshTokenExpiresIn>3888000000</RefreshTokenExpiresIn>
    <SupportedGrantTypes>
        <GrantType>authorization_code</GrantType>
    </SupportedGrantTypes>
    <GrantType>request.formparam.grant_type</GrantType>
    <Attributes>
        <Attribute name="myClaim1" display="false" ref="oauthv2authcode.GetAuthCodeInfo.myClaim1"/>
    </Attributes>
    <GenerateResponse enabled="true"/>
</OAuthV2>
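A fail-closed version of the GetDataFromToken.js step from earlier in the thread, as an added example and not the poster's code. It reads the hidden attribute through the accesstoken.<name> flow variable that VerifyAccessToken populates and refuses to forward the request when the claim is absent, which is exactly the silent failure the question describes; the header name X-Claim-<name> and the REQUIRED_CLAIMS list are assumptions for illustration.

```javascript
// Added example: fail-closed reading of custom token attributes in the
// Target PreFlow. After VerifyAccessToken, Apigee exposes each custom
// attribute of the token as the flow variable "accesstoken.<attribute>".
// The flow context is passed in as a parameter so the helpers can be
// exercised with a stub outside Apigee; inside Apigee the global `context`
// object is handed in at the bottom of the file.

var REQUIRED_CLAIMS = ["myClaim1"]; // attribute names bound to the auth code (assumed list)

// Returns the claims found on the verified token, or throws if any required
// claim is missing or blank, so a request never reaches the target with an
// empty claim (the symptom in the question when display="false" dropped the
// value).
function readTokenClaims(ctx, required) {
  var claims = {};
  var missing = [];
  for (var i = 0; i < required.length; i++) {
    var name = required[i];
    var value = ctx.getVariable("accesstoken." + name); // null when unset in Apigee
    if (value === null || value === undefined || String(value).trim() === "") {
      missing.push(name);
    } else {
      claims[name] = String(value);
    }
  }
  if (missing.length > 0) {
    // Record what was missing for the fault rule / trace, then fail the step:
    // an uncaught throw in an Apigee JavaScript policy raises
    // steps.javascript.ScriptExecutionFailed and stops the flow.
    ctx.setVariable("token.claims.missing", missing.join(","));
    throw new Error("access token is missing claim(s): " + missing.join(","));
  }
  return claims;
}

// Copies each claim onto a request header for the target (assumed header
// naming), overwriting any value the caller may have sent under that name.
function forwardClaims(ctx, claims) {
  for (var name in claims) {
    if (claims.hasOwnProperty(name)) {
      ctx.setVariable("request.header.X-Claim-" + name, claims[name]);
    }
  }
}

// Apigee provides `context` at runtime; skip when loaded outside the gateway.
if (typeof context !== "undefined") {
  forwardClaims(context, readTokenClaims(context, REQUIRED_CLAIMS));
}
```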

Hi Pradeep

I'm glad that worked for you.

I also suspect that if you had attached display="false" on the original GenerateAuthorizationCode, the claim would propagate to the token during GenerateAccessToken, without need for GetOAuthV2Info.