How can I use an external authorization token that works with the backend successfully?

I created a proxy, a product and an App,
and added the policies below in a conditional flow to do external authorization (from the backend) using the Apigee OAuthV2 policy with the client credentials or password grant types.

Let me know how I can generate a token from Apigee that can be sent to the backend and works OK (this point is not clear to me, because the token generated by Apigee is not the same as the token from the backend).



 

 

 

2-

 

 

<BasicAuthentication name="BA-Encode-Credentials">
  <DisplayName>BA-Encode-Credentials</DisplayName>
  <Operation>Encode</Operation>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <User ref="request.header.username"/>
  <Password ref="request.header.password"/>
  <AssignTo createNew="false">request.header.Authorization</AssignTo>
</BasicAuthentication>

 

 

3-

 

 

<BasicAuthentication name="BA-Extract-User-Password">
  <DisplayName>BA-Extract-User-Password</DisplayName>
  <Operation>Decode</Operation>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <!-- <User ref="request.header.username"/> -->
  <User ref="request.header.username"/>
  <!-- <Password ref="request.header.password"/> -->
  <Password ref="request.header.password"/>
  <Source>request.header.Authorization</Source>
</BasicAuthentication>

 

 

 

4-

 

 

<AssignMessage name="Assign-Message-Set-Variables">
  <DisplayName>Assign Message 1</DisplayName>
  <FaultRules/>
  <Properties/>
  <AssignVariable>
    <Name>oauth_external_authorization_status</Name>
    <Value>true</Value>
  </AssignVariable>
  <AssignVariable>
    <Name>token</Name>
    <Value>token from service callout</Value>
  </AssignVariable>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
  <AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>

 

 

5-

 

 

<OAuthV2 name="OAuth-v20-Store-External-Token">
  <DisplayName>OAuth v2.0 1</DisplayName>
  <FaultRules/>
  <Properties/>
  <Attributes/>
  <ExternalAuthorization>true</ExternalAuthorization>
  <Operation>GenerateAccessToken</Operation>
  <SupportedGrantTypes>
    <!-- Optional -->
    <GrantType>client_credentials</GrantType>
  </SupportedGrantTypes>
  <ClientId>request.header.username</ClientId>
  <GenerateResponse enabled="true"/>
  <ExternalAccessToken>token</ExternalAccessToken>
  <StoreToken>true</StoreToken>
  <Tokens/>
</OAuthV2>

 

 





and the response is 

{
    "ErrorCode": "invalid_client",
    "Error": "Client identifier is required"
}

appreciate your response 



1 ACCEPTED SOLUTION

Hi, thanks for the question. 

The first policy configuration you showed, for the ExtractVariables policy, is a no-op.  It doesn't do anything.  You need to specify one of these child elements in the configuration to tell the ExtractVariables policy to extract from SOMETHING: URIPath, QueryParam, Header, FormParam, Variable, JSONPayload, XMLPayload. See the ExtractVariables policy documentation for more details. 

There are a bunch of other things you are doing there, and I won't comment on everything. 

But

If the invalid_client error is being generated by the OAuthV2 policy, then...I would think that request.header.username is not loaded with a valid client id, known by Apigee. 

You can configure the OAuthV2 policy, with GenerateAccessToken, to ingest an externally-generated access token. That access token must be unique, and it must be associated to a valid client ID.  Your configuration is saying "use the client id at request.header.username".  IF that header does not include a client ID, then the OAuthV2 policy will fail and generate the error you're seeing.

This documentation page includes more details. 
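
A token-endpoint configuration consistent with the points in the answer above, added here as an example (it is not from the thread): an ExtractVariables policy that actually extracts something, and an OAuthV2 policy whose ClientId points at a variable holding the consumer key of an app registered in Apigee. Assumed names, not from the thread: the ServiceCallout response variable backendTokenResponse, a JSON field access_token in the backend response, the prefix backend, and the client id arriving as the client_id form parameter.

```xml
<!-- 1. Pull the backend-issued token out of the ServiceCallout response.
     Assumes the callout stored its response in "backendTokenResponse"
     and that the backend returns JSON with an "access_token" field. -->
<ExtractVariables name="EV-Backend-Token">
  <Source>backendTokenResponse</Source>
  <VariablePrefix>backend</VariablePrefix>
  <JSONPayload>
    <Variable name="access_token">
      <JSONPath>$.access_token</JSONPath>
    </Variable>
  </JSONPayload>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
</ExtractVariables>

<!-- 2. Tell OAuthV2 that the backend already authenticated the caller,
     and copy the extracted token (by reference, not as a literal string). -->
<AssignMessage name="AM-Set-External-Auth-Variables">
  <AssignVariable>
    <Name>oauth_external_authorization_status</Name>
    <Value>true</Value>
  </AssignVariable>
  <AssignVariable>
    <Name>external_access_token</Name>
    <Ref>backend.access_token</Ref>
  </AssignVariable>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
</AssignMessage>

<!-- 3. Store the backend token in Apigee. ClientId names a variable that
     must resolve to the consumer key of a registered developer app;
     an empty or unknown value produces invalid_client. -->
<OAuthV2 name="OAuth-v20-Store-External-Token">
  <ExternalAuthorization>true</ExternalAuthorization>
  <Operation>GenerateAccessToken</Operation>
  <SupportedGrantTypes>
    <GrantType>client_credentials</GrantType>
  </SupportedGrantTypes>
  <GrantType>request.formparam.grant_type</GrantType>
  <ClientId>request.formparam.client_id</ClientId>
  <ExternalAccessToken>external_access_token</ExternalAccessToken>
  <StoreToken>true</StoreToken>
  <GenerateResponse enabled="true"/>
</OAuthV2>
```

Setting IgnoreUnresolvedVariables to false in the first two policies makes a missing backend token fail at that step, so an empty value is never stored as a token.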


3 REPLIES 3

I tried it and it worked okay, and the Apigee response is an access token

When I use this token while requesting api, it does not work

There is any way to connect backend token to apigee token

@dchiesa1 

Or we should use apigee as opaque token and back end as access token 

So we need to cache opaque and access token as key and value

Using populate cache and look up cache policies

 

Finally I want to make success request when using generated token from apigee

When I use this token while requesting api, it does not work

I'm sorry you're having trouble. You'll need to be much more descriptive about what you are doing, what you are observing, and what you are expecting to observe, for me to be of any help. "It does not work" is not information that helps me, to help you. Please note: "what you are doing" includes the API proxy configuration, the policies, as well as the client request. I cannot help you if you do not provide details. Remember: I cannot see your screen, and I cannot read your mind. I have no idea what you're doing. I'm sure it is frustrating that "it does not work" but I cannot help you unless you provide more information.

There is any way to connect backend token to apigee token

I don't know what you mean by this either. Mapping tokens is a thing Apigee is good at. But I don't know what you mean by "connect". You'll need to describe your goal in more detail, before I have a hope to provide any guidance or advice.

Finally I want to make success request when using generated token from apigee

I don't know what this means either! Maybe a sequence diagram would help me understand.