Get attributes from invalid OAuth2 token

We have created a new API Proxy with OAuth2. Some Customers have no access to the API Proxy (API Product is not granted to the Developer App). When such a Customer tries our API, the OAuth2 validation fails with the following message: "Invalid API call as no apiproduct match found".

I would like to be able to retrieve the organization from the OAuth2 AccessToken, even though the token is invalid. Is there any way to do this?

I have tried the GetOAuthInfo policy before the VerifyAccessToken policy, hoping to be able to extract the AccessToken attributes. However, that policy also fails due to the invalid AccessToken.

ACCEPTED SOLUTION

I would like to be able to retrieve the organization from the OAuth2 AccessToken, even though the token is invalid. Is there any way to do this?

No. It is not possible. In fact I think it might be better to say it is not sensible. I think what you are saying is, you are using opaque OAuth tokens, and the token is invalid, but you want to be able to get information about it anyway. What if I passed "BADDBABY" as a token value? It's invalid. OK, what is the organization? ??? It's not a sensible question. There is no information associated with "BADDBABY". In the general case, the question is not answerable.

But beyond that, the security model for Apigee allows you to ask the question "is THIS token valid for the current request?" and the answer is yes or no. If there is a YES, then the proxy gets additional information about the token, set into context variables. If the answer is NO, then you don't (your proxy doesn't) get that information. It just fails fast with "unauthorized". This is by design.

If you have a JWT (not an opaque token), then you can read the values in the JWT payload. If you validate the signature on the JWT, then you would be able to trust the values in the payload. But you didn't say anything about a JWT formatted token, so I'm assuming this does not apply to you.
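The JWT point above, as an added example that is not part of the original post or of Apigee: an opaque value like "BADDBABY" yields no claims at all, a JWT payload can be read without any check (untrusted, diagnostics only), and only a signature check makes the claims trustworthy. The HS256 key, claim names and token are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; a real proxy loads its signing key from secure storage.
DEMO_KEY = b"constructed-demo-secret"


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_hs256_token(claims: dict, key: bytes) -> str:
    """Build a constructed HS256 JWT so the example runs offline."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def peek_claims(token: str):
    """Read the payload WITHOUT checking the signature: untrusted, logging only.
    Returns None for anything not JWT-shaped, e.g. an opaque token."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        return json.loads(b64url_decode(parts[1]))
    except ValueError:
        return None


def verified_claims(token: str, key: bytes):
    """Return the claims only if the HS256 signature verifies, otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(b64url_decode(parts[0]))
        if header.get("alg") != "HS256":  # refuse "none" and unexpected algorithms
            return None
        expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(parts[2])):
            return None
        return json.loads(b64url_decode(parts[1]))
    except ValueError:
        return None
```

For an opaque token, both functions return None, which is the answer's point: there is nothing to read.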
