This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

How to link AccessToken to an User of Application.

Posted on 06-01-2016 08:56 AM
Not applicable
Reply posted on --/--/---- --:-- AM

AccessToken was issued on behalf of the user of the application. When the API request comes in with an user id, api-key and access-token, how do we validate if the access-token was issued to that user-id?

Solved Solved
2 8 821
Topic Labels
Jump to Solution
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
ssvaidyanathan
Staff
Reply posted on --/--/---- --:-- AM

Thanks for clarifying @Pravin

You can use Custom Attributes as @Anil Sagar mentioned. The info is available here

While generating the Access token using the OAuth Policy, you can set the user info as custom attribute

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 name="GenerateAccessTokenClient">
    <Operation>GenerateAccessToken</Operation>
    <!-- This is in millseconds, so expire in an hour -->
    <ExpiresIn>3600000</ExpiresIn>
    <SupportedGrantTypes>
        <GrantType>authorization_code</GrantType>
        <GrantType>client_credentials</GrantType>
        <GrantType>implicit</GrantType>
        <GrantType>password</GrantType>
    </SupportedGrantTypes>
    <GrantType>request.queryparam.grant_type</GrantType>
    <ClientId>request.header.client_id</ClientId>
    <RefreshTokenExpiresIn ref="refreshTokenExpiresIn">3600000</RefreshTokenExpiresIn>
    <Attributes>
        <Attribute name="userinfo.username" ref="userinfo.username"/> <!-- Provide the flow variable that has the value of the username for which the token is being generated -->
    </Attributes>
    <GenerateResponse/>
</OAuthV2>

Once you use the token generated and use this to call an API, the custom attribute will be available as a variable which can be used to validate the user info before accessing the data. My previous answer screenshot has a custom attribute - accesstoken.userinfo.username

View solution in original post

Jump to Solution
8 REPLIES 8

Posted on --/--/---- --:-- AM
ssvaidyanathan
Staff
Reply posted on --/--/---- --:-- AM

Hi @Pravin

After the VerifyAccessToken operation of OAuthV2 policy / Verify API Key policy is executed, a set of flow variables are available that can be used.

For VerifyAccessToken, the list of variables are listed here and for Verify API Key, the list of variables are listed here

You can also find the values that are available using the Trace tool. After the API is executed, just click the policy (Verify API Key or OAuth) on the UI which will display the list of variables.

Please see screenshot below (have erased certain fields on the screenshot on purpose)

2837-screen-shot-2016-06-01-at-100329-am.png

using these variables, you can check for the user id and raise a Fault using the Raise Fault policy

Hope this helps.

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
anilsr
Staff
Reply posted on --/--/---- --:-- AM

@Pravin ,

Update : I believe you are talking about Application end user, We can leverage Access Token attributes & use them to validate in subsequent calls.

You can add a custom attribute called user id while generating access token & validate same in subsequent API calls to make sure he is the one who is calling same.

Find more info here. Keep us posted.

Jump to Solution

Posted on --/--/---- --:-- AM
ssvaidyanathan
Staff
In response to anilsr
Reply posted on --/--/---- --:-- AM

Thanks @Anil Sagar

Just added a comment to @Pravin question asking about the process in generating the token 🙂

As you mentioned, setting the custom attributes (for eg. user id - see my screenshot for attribute "accesstoken.userinfo.username) while Generating Access token and using it after VerifyAccessToken is the best approach

Jump to Solution

Posted on --/--/---- --:-- AM
ssvaidyanathan
Staff
Reply posted on --/--/---- --:-- AM

HI @Pravin

Also would be nice to know how the Access token is generated for a User (IDP, grant type, etc)?

In my answer below, I have assumed that Apigee is generating the OAuth token and using this token, a subsequent proxy in Apigee is called.

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
Not applicable
Reply posted on --/--/---- --:-- AM

Thanks @Anil Sagar And @Sai Saran Vaidyanathan for responses.

Lets me put the scenario I was looking for, in 3 leg OAuth user has authorized a 3rd party application to access Api (eventually data) on user's behalf. 3rd Party Application is a registered app, has client-id and client-secret. After completion of 3-leg Oauth flow 3rd party application got an access token which should be used only to access api to get that particular user's data. But Other users of same 3rd Party application can use same access token (if they able to get it -- somehow) to access apis...because on Edge VerifyAccessToken & Verify API Key policies are validating access token and not aware for which user that token was generated for. Basically VerifyAccessToken do not know about users of 3rd party application. so question was how to associate an access token to end users along with client_id and client_secret so that other user of same client-app not able to use it....

please do let me know if my problem statement is still not clear.... I will try again.

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
ssvaidyanathan
Staff
Reply posted on --/--/---- --:-- AM

Thanks for clarifying @Pravin

You can use Custom Attributes as @Anil Sagar mentioned. The info is available here

While generating the Access token using the OAuth Policy, you can set the user info as custom attribute

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 name="GenerateAccessTokenClient">
    <Operation>GenerateAccessToken</Operation>
    <!-- This is in millseconds, so expire in an hour -->
    <ExpiresIn>3600000</ExpiresIn>
    <SupportedGrantTypes>
        <GrantType>authorization_code</GrantType>
        <GrantType>client_credentials</GrantType>
        <GrantType>implicit</GrantType>
        <GrantType>password</GrantType>
    </SupportedGrantTypes>
    <GrantType>request.queryparam.grant_type</GrantType>
    <ClientId>request.header.client_id</ClientId>
    <RefreshTokenExpiresIn ref="refreshTokenExpiresIn">3600000</RefreshTokenExpiresIn>
    <Attributes>
        <Attribute name="userinfo.username" ref="userinfo.username"/> <!-- Provide the flow variable that has the value of the username for which the token is being generated -->
    </Attributes>
    <GenerateResponse/>
</OAuthV2>

Once you use the token generated and use this to call an API, the custom attribute will be available as a variable which can be used to validate the user info before accessing the data. My previous answer screenshot has a custom attribute - accesstoken.userinfo.username

Jump to Solution

Posted on --/--/---- --:-- AM
ssvaidyanathan
Staff
In response to ssvaidyanathan
Reply posted on --/--/---- --:-- AM

@Pravin - Did this answer your question ? If yes, please accept the answer.

If you still have questions, please reach out.

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
Not applicable
In response to ssvaidyanathan
Reply posted on --/--/---- --:-- AM

@Sai Saran Vaidyanathan

Thank you !

I will try this out and see if this approach answers all questions of our security team. I will update you on that.

Jump to Solution
0 Likes