I'm implementing a flow which takes a bearer access token which is generated by Ping Federate.
The access token is validated by a service call out to Ping which works correctly.
However when I try to store the token in Apigee I get the following error
{
  "fault": {
    "faultstring": "Invalid client identifier {0}",
    "detail": {
      "errorcode": "oauth.v2.InvalidClientIdentifier"
    }
  }
}
Below are my two steps after the service call out to store the token
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AssignMessage name="AssignMessage-SetVariable" continueOnError="false" enabled="true">
  <DisplayName>Assign Message - Set Variable</DisplayName>
  <AssignVariable>
    <Name>oauth_external_authorization_status</Name>
    <Value>true</Value>
  </AssignVariable>
  <AssignVariable>
    <Name>grant_type</Name>
    <Value>client_credentials</Value>
  </AssignVariable>
  <Set>
    <FormParams>
      <FormParam name="client_id">{apigee.client_id}</FormParam>
    </FormParams>
  </Set>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</AssignMessage>
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 name="OAuth-v20-Store-External-Token">
  <DisplayName>OAuth v2.0 1</DisplayName>
  <Attributes>
    <Attribute name="ping_client_id" ref="ping.client_id"/>
  </Attributes>
  <ClientId>apigee.client_id</ClientId>
  <GrantType>grant_type</GrantType>
  <ExternalAccessToken>external_access_token</ExternalAccessToken>
  <ExternalAuthorization>true</ExternalAuthorization>
  <Operation>GenerateAccessToken</Operation>
  <ExpiresIn ref="ping.token.validation.expiresIn">10</ExpiresIn>
  <ReuseRefreshToken>false</ReuseRefreshToken>
  <StoreToken>true</StoreToken>
  <SupportedGrantTypes>
    <GrantType>client_credentials</GrantType>
  </SupportedGrantTypes>
  <Tokens/>
</OAuthV2>
My API proxy is associated with an API Product.
The error which shows up as a 500 in the Apigee trace happens in the 'OAuth-v20-Store-External-Token' step.
Any help in resolving this would be much appreciated.
Hi Tara,
In the below step, have you assigned the external token from Ping to the context variable 'external_access_token'? If not please try setting that and try again.
<ExternalAccessToken>external_access_token</ExternalAccessToken>
Please do let us know how it goes.
Thanks
Prakash
@Tara McLean You are setting the client_id as a form param in the Assign Message policy and have it again in the OAuth policy. It's redundant and not required; just have one of them.
The same goes for the grant_type.
Not sure if that's the cause but just an observation.
Refer this answer which worked, https://community.apigee.com/questions/44050/external-authorization-oauth-client-id-error-with.html?...
Thanks for the reply. I've tried what you suggested and implemented the solution in the link.
This seems to work, but I can see in the trace that the property of the step = failed. It does, however, proceed. Further down in the flow, when I try to validate against the stored token, I get an 'Invalid Access Token' message.
I'm assuming that the token has not been stored correctly.
I've double-checked and the context variable is set correctly. The 'failed' property of the OAuthV2 policy where I try to set the token is always failed.
Found the cause of the issue. I had configured the client id variable incorrectly, so the token was not being stored.
Hi Tara, what did you have incorrectly? And what was the correct way to specify the client id?
example-of-storing-external-token.zip I've attached my working example of how to store an external access token on Apigee. The important thing is to use the consumer key that you can find in Publish>Apps>YOUR_APP
hi Tara,
I am also getting the same error. Were you able to resolve it?
thanks
see below, Sushant.
I don't know what's wrong with your setup but this works for me, when "importing" an access token.
<OAuthV2 name='OAuthV2-ImportAccessToken-CC'>
  <Operation>GenerateAccessToken</Operation>
  <!-- ExpiresIn, in milliseconds. The ref is optional. The explicitly
       specified value is the default, when the variable reference cannot
       be resolved.
       1800000 = 30 minutes
       2400000 = 40 minutes
       3600000 = 60 minutes -->
  <ExpiresIn ref='flow.variable'>1800000</ExpiresIn>
  <!-- RefreshTokenExpiresIn, in milliseconds. Optional; if it is not
       specified, the default value will be used, which is -1 (no expiration).
       691200000 = 8 days
       2592000000 = 30 days -->
  <RefreshTokenExpiresIn>691200000</RefreshTokenExpiresIn>
  <SupportedGrantTypes>
    <!-- for client_credentials, the client_id and client_secret must be
         passed in the Basic Auth header, as per the specification. -->
    <GrantType>client_credentials</GrantType>
  </SupportedGrantTypes>
  <!-- variable that specifies the requested grant type -->
  <GrantType>request.formparam.grant_type</GrantType>
  <!-- variable that specifies the token to be imported -->
  <ExternalAccessToken>request.formparam.access_token</ExternalAccessToken>
  <StoreToken>true</StoreToken>
  <ExternalAuthorization>true</ExternalAuthorization>
  <Attributes>
    <Attribute name='grant_type' ref='request.formparam.grant_type' display='true'>UNDEFINED</Attribute>
  </Attributes>
  <GenerateResponse enabled='true'/>
</OAuthV2>
But there are some other requirements. These variables must be set:
I have a working proxy, attached here.
apiproxy-externalaccesstoken-1.zip
Deploy it, then Invoke it like this:
curl -i -u $client_id:$client_secret https://$ORG-$ENV.apigee.net/externalaccesstoken-1/import -d 'grant_type=client_credentials&access_token=ABCDEFGHIJKL'
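As an added example that is not from this thread, from Apigee or from the attached proxies: a small Python checker that parses an OAuthV2 policy together with a dictionary standing in for the flow variables the policy would see at runtime, and reports the pitfalls the thread turned up (a ClientId variable that is unset at runtime, a GrantType variable whose value is not in SupportedGrantTypes, an empty ExternalAccessToken, and an ExpiresIn that, being in milliseconds, is shorter than a minute). The two policies below are trimmed copies of the ones posted above; the runtime variable values, the one-minute threshold and the function names are constructed for the example.

```python
"""Static sanity checks for an Apigee OAuthV2 GenerateAccessToken policy that
imports an external token. Added example; not code from the thread or Apigee."""
import xml.etree.ElementTree as ET

# Trimmed copy of the original poster's policy (ClientId points at a variable).
OP_POLICY = """<OAuthV2 name="OAuth-v20-Store-External-Token">
  <Operation>GenerateAccessToken</Operation>
  <ClientId>apigee.client_id</ClientId>
  <GrantType>grant_type</GrantType>
  <ExternalAccessToken>external_access_token</ExternalAccessToken>
  <ExternalAuthorization>true</ExternalAuthorization>
  <ExpiresIn ref="ping.token.validation.expiresIn">10</ExpiresIn>
  <StoreToken>true</StoreToken>
  <SupportedGrantTypes><GrantType>client_credentials</GrantType></SupportedGrantTypes>
</OAuthV2>"""

# Trimmed copy of the working policy posted above (client creds via Basic Auth).
WORKING_POLICY = """<OAuthV2 name='OAuthV2-ImportAccessToken-CC'>
  <Operation>GenerateAccessToken</Operation>
  <ExpiresIn ref='flow.variable'>1800000</ExpiresIn>
  <SupportedGrantTypes><GrantType>client_credentials</GrantType></SupportedGrantTypes>
  <GrantType>request.formparam.grant_type</GrantType>
  <ExternalAccessToken>request.formparam.access_token</ExternalAccessToken>
  <StoreToken>true</StoreToken>
  <ExternalAuthorization>true</ExternalAuthorization>
</OAuthV2>"""

# Constructed runtime variables. In the OP scenario the client id variable was
# never populated and Ping's expiresIn did not resolve, so the default applies.
OP_CONTEXT = {
    "grant_type": "client_credentials",
    "external_access_token": "constructed-ping-token",
}
WORKING_CONTEXT = {
    "request.formparam.grant_type": "client_credentials",
    "request.formparam.access_token": "ABCDEFGHIJKL",
}

MIN_EXPIRES_MS = 60_000  # constructed threshold: anything shorter is suspicious


def resolve(elem, context):
    """Apigee semantics: use the `ref` variable when it resolves to a value,
    otherwise fall back to the element's literal text."""
    if elem is None:
        return None
    ref = elem.get("ref")
    if ref and context.get(ref) not in (None, ""):
        return str(context[ref])
    return (elem.text or "").strip()


def check_policy(xml_text, context):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "OAuthV2":
        return ["not an OAuthV2 policy"]

    op = (root.findtext("Operation") or "").strip()
    if op != "GenerateAccessToken":
        findings.append(f"Operation is '{op}', expected GenerateAccessToken")

    for tag in ("ExternalAuthorization", "StoreToken"):
        if (root.findtext(tag) or "").strip().lower() != "true":
            findings.append(f"{tag} must be true to import and persist an external token")

    ext_var = (root.findtext("ExternalAccessToken") or "").strip()
    if not ext_var:
        findings.append("ExternalAccessToken element is missing")
    elif not context.get(ext_var):
        findings.append(f"ExternalAccessToken variable '{ext_var}' is empty at runtime")

    # Direct child <GrantType> names a variable; SupportedGrantTypes lists literals.
    supported = [g.text.strip() for g in root.findall("SupportedGrantTypes/GrantType")]
    gt_var = (root.findtext("GrantType") or "").strip()
    gt_val = context.get(gt_var, "")
    if gt_val not in supported:
        findings.append(f"GrantType variable '{gt_var}' resolves to '{gt_val}', "
                        f"not one of SupportedGrantTypes {supported}")

    # ClientId names a variable that must hold the app's consumer key; an unset
    # value is the configuration mistake behind the InvalidClientIdentifier fault.
    cid = root.find("ClientId")
    if cid is not None:
        cid_var = (cid.text or "").strip()
        if not context.get(cid_var):
            findings.append(f"ClientId variable '{cid_var}' is unset at runtime; "
                            "it must contain the app's consumer key")

    exp = resolve(root.find("ExpiresIn"), context)
    if exp is not None:
        try:
            ms = int(exp)
        except ValueError:
            findings.append(f"ExpiresIn '{exp}' is not an integer")
        else:
            if ms < MIN_EXPIRES_MS:
                findings.append(f"ExpiresIn is {ms} ms (milliseconds): the stored "
                                "token would expire in under a minute")
    return findings


if __name__ == "__main__":
    for name, policy, ctx in (("OP", OP_POLICY, OP_CONTEXT),
                              ("working", WORKING_POLICY, WORKING_CONTEXT)):
        print(f"{name}: {check_policy(policy, ctx) or 'no findings'}")
```

Run against the original poster's policy with the client id variable left unset, the checker reports the unset ClientId and the 10 ms default ExpiresIn; the working policy, which leaves client identification to the Basic Auth header, comes back clean.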