Re: Error making an API call through postman for g...

Archie · 06-21-2022 04:43 AM

HI,

I am trying to make an API call through postman for generating access token with grant type "password", but getting error "{"ErrorCode" : "invalid_client", "Error" :"Client identifier is required"}", even I am passing username and password in body section and client_id and secret in request header.

<Flow name="Generate Access Token Password">
<Description>flow for generating access token using password grant type</Description>
<Request>
<Step>
<Name>OAuth_V2_Generate_Access_Token_Password</Name>
<Condition>(proxy.pathsuffix MatchesPath "/access_token_password") and (request.verb = "POST")</Condition>
</Step>
</Request>
<Response/>
</Flow>

Below is the Oauth policy I am using,

<Operation>GenerateAccessToken</Operation>
<SupportedGrantTypes>
<GrantType>password</GrantType>
</SupportedGrantTypes>
<GrantType>
<UserName>username</UserName>
<PassWord>password</PassWord>
</GrantType>
<GenerateResponse enabled="true"/>

dchiesa1

Several things that jump out at me:

The toplevel GrantType element is not a container element. Within GrantType you should specify the context variable that contains the grant type. usually this is request.formparam.grant_type
Related: UserName and PassWord should be top level elements. They likewise specify the names of context variables.

My configuration looks like this:

<OAuthV2 name='OAuthV2-Generate-token-password'>
  <Operation>GenerateAccessToken</Operation>
  <SupportedGrantTypes>
    <GrantType>password</GrantType>
  </SupportedGrantTypes>

  <!-- 2400000 = 40 minutes -->
  <ExpiresIn ref='flow.variable'>2400000</ExpiresIn>

  <!-- 691200000 = 8 days -->
  <RefreshTokenExpiresIn>691200000</RefreshTokenExpiresIn>

  <!-- name of CONTEXT VARIABLE that specifies the requested grant type -->
  <GrantType>request.formparam.grant_type</GrantType>

  <!-- names of CONTEXT VARIABLES that specify username and password -->
  <UserName>request.formparam.username</UserName>
  <PassWord>request.formparam.password</PassWord>

  <GenerateResponse enabled='true'/>
  <RFCCompliantRequestResponse>true</RFCCompliantRequestResponse>
</OAuthV2>

And when I invoke with curl like this, it works:

curl -X POST -i $endpoint/oauth2-pg/token \
  -d grant_type=password -d username=someone -d password=12345 \
  -u $client_id:$client_secret

Some notes:

The GrantType, UserName and PassWord elements are optional. The values they use in this configuration are the same as the default values. You need them only if you want to use different form parameter names, or if you retrieve the values from some other context variable.
the Apigee OAuth2 policy does not validate the username and password. It is up to you to validate the username and password against some (presumably external) store. Only after you do that, should you invoke the GenerateAccessToken policy.

API-Evangelist

While you are referring to dino's detailed reply to get it resolved.. Just FYI and Because the Resource Owner Password (ROP) Flow involves the application handling the user's password, it must not be used by third-party clients & is mostly used in cases where the app is highly trusted..

https://cloud.google.com/apigee/docs/api-platform/security/oauth/implementing-password-grant-type

General thought why not use different options for the use case (if possible) as password grant will be omitted in newer oauth 2.1 spec (its not yet published) but that's the future..

fyi:

https://oauth.net/2.1/

Error making an API call through postman for generating access token with grant type "password"