Getting odd "Missing Auth scheme" error from OAuthV2 GenerateAccessToken with authorization_code

Hi, I'm following this demo to set up a 3-legged OAuthV2 flow that uses an "authorization_code" grant type:

https://www.youtube.com/watch?v=4jcrLsapunQ

https://github.com/DinoChiesa/Edge-OAuthV2-PKCE-Proxy

I have set up 3 endpoints for the authorize, authcode, and token flows.

When I call the token endpoint with the grant_type, code, client_id, code_verifier, redirect_uri, and scope properties I get this error:

{
    "fault": {
        "faultstring": "Missing Auth scheme",
        "detail": {
            "errorcode": "steps.oauth.v2.InvalidRequest"
        }
    }
}

When I trace I see the error is coming from this OAuthV2 policy:

<OAuthV2 continueOnError="false" name="OAuthV2-GenerateAccessToken">
	<GenerateResponse enabled='true'/>
	<Operation>GenerateAccessToken</Operation>
	<ExpiresIn>3600000</ExpiresIn> <!-- this is in milliseconds; try -1 for a long-lived token -->
	<SupportedGrantTypes>
		<GrantType>authorization_code</GrantType>
	</SupportedGrantTypes>
	<GrantType>request.formparam.grant_type</GrantType>
	<Code>request.formparam.code</Code>
	<ClientId>request.formparam.client_id</ClientId>
	<RedirectUri>request.formparam.redirect_uri</RedirectUri>
	<Scope>request.formparam.scope</Scope>
</OAuthV2>

I've also tried using this simpler version but get the same thing:

<OAuthV2 continueOnError="false" name="OAuthV2-GenerateAccessToken">
	<Operation>GenerateAccessToken</Operation>
	<ExpiresIn>3600000</ExpiresIn> <!-- this is in milliseconds; try -1 for a long-lived token -->
	<SupportedGrantTypes>
		<GrantType>authorization_code</GrantType>
	</SupportedGrantTypes>
	<GenerateResponse enabled='true'/>
</OAuthV2>

Any ideas why I'm getting this error? I tried a different example that uses the OAuthV2 policy with a password grant type and it works just fine (returns access_token, refresh_token, etc.). Any help would be appreciated!

1 ACCEPTED SOLUTION


@apigeeShortimer wrote:

When I call the token endpoint with the grant_type, code, client_id, code_verifier, redirect_uri, and scope properties I get this error:


What is the specific request that is being sent into Apigee? The verb, path, headers, and form payload? The OAuthV2 policy will look at the inbound request, in particular the latter two things - headers and form payload.

In particular I am interested in the Authorization header. Normally it should contain something like

Basic <base64-encoded-blob-here>

The "Basic" prefix is case sensitive and is known as an auth scheme. It should be separated from the base64-encoded bit by a single space.

If I see an error like "missing auth scheme" my first guess will be: that keyword is missing from the Authorization header.

Hi, this is similar to my request:

curl --location --request POST 'https://eval-group.11-22-33-44.nip.io/20181127/oauth2-ac-pkce/token' \
--header 'Authorization: Basic abc123' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=authorization_code' \
--data-urlencode 'code=p4Lud0Zg' \
--data-urlencode 'code_verifier=PLr56jHcM49hcx53w5149VM575554Yg55iPPpjA49VC54hwbm54QxD54J56d57MeCJOckSl56aCJFpyv53wU49CMjrdy50bwnCo56lvvU5155' \
--data-urlencode 'client_id=abc123' \
--data-urlencode 'redirect_uri=https://somelandingpage.com?code=JZyUHIx2&scope=scope-01' \
--data-urlencode 'scope=scope-01'

I am using the App's Key and Secret for the username and password in Basic auth.

I also have this policy before the above policy:

<AssignMessage name="AM-SetRequiredParameters">
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <AssignVariable>
    <Name>request.formparam.redirect_uri</Name>
    <Ref>authtx_redirect_uri</Ref>
  </AssignVariable>

  <AssignVariable>
    <Name>composite</Name>
    <Template>{request.formparam.client_id}:{extracted_consumer_secret}</Template>
  </AssignVariable>

  <!-- Produce the "Basic Auth" header that OauthV2/GenerateAccessToken expects -->
  <AssignVariable>
    <Name>request.header.authorization</Name>
    <Template>{encodeBase64(composite)}</Template>
  </AssignVariable>

</AssignMessage>

During the trace I inspected the request.header.authorization variable in this step and it appeared to be the expected value.

Ah, OK, and when I replace:

  <AssignVariable>
    <Name>request.header.authorization</Name>
    <Template>{encodeBase64(composite)}</Template>
  </AssignVariable>

above with:

  <AssignVariable>
    <Name>request.header.authorization</Name>
    <Template>Basic {encodeBase64(composite)}</Template>
  </AssignVariable>

I get an access_token, refresh_token, etc. in the response! Thanks for helping me narrow in on the solution.
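As an added illustration (not code from this thread or from the Edge-OAuthV2-PKCE-Proxy project), the Python below models the check the accepted answer describes and the fix in the reply above: the token endpoint expects the literal, case-sensitive scheme `Basic`, one space, then base64 of `client_id:client_secret`. `parse_basic_authorization` rejects a bare base64 blob (what the original `{encodeBase64(composite)}` template put in the header) with the same "Missing Auth scheme" fault string, and accepts the corrected `Basic ...` value. The client id and secret, and every error label other than "Missing Auth scheme" and the `steps.oauth.v2.InvalidRequest` errorcode, are constructed for this example and are not Apigee's actual strings.

```python
import base64
import binascii
from typing import Dict, Optional, Tuple

# Constructed sample credentials for this example; not real Apigee app keys.
CLIENT_ID = "abc123"
CLIENT_SECRET = "s3cr3t-example"


def build_basic_authorization(client_id: str, client_secret: str) -> str:
    """Build the Authorization value the token endpoint expects.

    Equivalent to the corrected AssignMessage template
    'Basic {encodeBase64(composite)}' with composite = '{client_id}:{secret}'.
    """
    composite = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(composite).decode("ascii")


def parse_basic_authorization(
    header_value: Optional[str],
) -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Validate an Authorization header the way a strict token endpoint would.

    Returns (client_id, client_secret, error). "Missing Auth scheme" is the
    fault string quoted in the question; the other error labels are
    constructed for this example.
    """
    if not header_value:
        return None, None, "Missing Authorization header"
    # Scheme and credentials are separated by exactly one space.
    # A bare base64 blob has no space at all, so the scheme is absent.
    scheme, sep, credentials = header_value.partition(" ")
    if not sep:
        return None, None, "Missing Auth scheme"
    # The scheme keyword is case sensitive: 'basic' is not 'Basic'.
    if scheme != "Basic":
        return None, None, "Unsupported auth scheme"
    try:
        # validate=True rejects anything outside the base64 alphabet,
        # which also catches a second space after the scheme.
        raw = base64.b64decode(credentials, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None, None, "Malformed Basic credentials"
    client_id, colon, client_secret = raw.partition(":")
    if not colon or not client_id:
        return None, None, "Malformed Basic credentials"
    return client_id, client_secret, None


def check_token_request(headers: Dict[str, str]) -> Dict:
    """Simulate the credential check on a token request's headers.

    On failure, returns a fault shaped like the one in the question
    (errorcode steps.oauth.v2.InvalidRequest); on success, the client id.
    """
    client_id, _secret, error = parse_basic_authorization(headers.get("Authorization"))
    if error:
        return {"fault": {"faultstring": error,
                          "detail": {"errorcode": "steps.oauth.v2.InvalidRequest"}}}
    return {"ok": True, "client_id": client_id}


if __name__ == "__main__":
    blob = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode("utf-8")).decode("ascii")
    # What the original template '{encodeBase64(composite)}' put in the header:
    print(check_token_request({"Authorization": blob}))
    # What the corrected template 'Basic {encodeBase64(composite)}' produces:
    print(check_token_request({"Authorization": build_basic_authorization(CLIENT_ID, CLIENT_SECRET)}))
```

Running the block prints the "Missing Auth scheme" fault for the bare blob and an `ok` result for the prefixed value, which is exactly the before/after behaviour seen in the trace. The same parser is a useful sanity check on any client before sending a token request: if `partition(" ")` finds no separator, the header is a blob without a scheme.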