Issue with OAuth 2 token generation with scopes in Apigee X

Hello everybody,

I have a problem when the access token is generated in a hybrid Apigee X using OAuth 2. Let me explain:

I have 1 product with 2 comma-separated scopes (read,write) and one API added at:

jhernandezsps_0-1672427836752.png

I created a Proxy API to generate a client_credentials token using scopes.

Policy configuration:

jhernandezsps_7-1672428750082.png

When a token is required with a read scope, I get a token for that one successfully:

Scope header sent in by client: 

jhernandezsps_4-1672428647854.png

Response:

jhernandezsps_1-1672428268636.png

However, when I require the second scope, write, the metadata response generates an access token with no scope at all.

Scope header sent over by client: 

jhernandezsps_5-1672428692725.png

Response:

jhernandezsps_2-1672428425157.png

Same result with both spaced scopes:

Scope header sent by client: 

jhernandezsps_6-1672428713837.png

Response:

jhernandezsps_3-1672428608419.png

I don't know if the issue has to do with a problem with the product configuration or anything else.

Best Regards.


I'm sorry about the delay in response here. I've been on holiday and I'm not sure why no-one else responded. 

I am not certain, but I think I may have reproduced the issue you are seeing. If I am correct, it seems like a bug in the UI that is misleading you.

You've shown a snapshot of the "Allowed OAuth scopes" field. Thanks, that's helpful. I tried your basic scenario in my own organization, and did not see the results you reported. In other words, it works just as I would expect: supposing I have a product with "READ,WRITE" scope, when I request a token with READ scope, I get a token with READ. When I request a token with WRITE scope, I get a token with WRITE scope. And I can get a token with both scopes, too. It all just works.

Then I looked a little more closely at the screensnap you provided. It looks like this:

shot1.png

Looking a little more closely, I wondered if there was a leading space in that text field, and if it was not being properly stripped. When I fill out the form on my UI with no leading space, it looks like this (I added the red line to help visualize alignment):

shot3.png

When I fill out the form and purposely add a leading space, I get this: 

shot2.png

A slight difference. Sure enough, when I use the leading space and then save the product, and query it using the apigee API, I get this: 

 

{
  "name": "New-Product-A",
  "displayName": "New-Product-A",
  "approvalType": "auto",
  "attributes": [
    {
      "name": "access",
      "value": "public"
    }
  ],
  "environments": [
    "eval"
  ],
  "scopes": [
    " write",
    "read"
  ],
  "createdAt": "1670022064430",
  "lastModifiedAt": "1673552309434",

 

As you can see, I've saved a scope with a leading space. That shouldn't happen. That's a bug, in the UI and in the management API - both should reject the leading space.  (internal reference: b/265321035)

But when I try to use THIS product, then I cannot get a token with the "write" scope.  If I then modify the product to omit the leading space, I can generate a token with the "write" scope. 

Let me know if this helps you.
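
A check for the condition described in the reply above, as an added example that is not part of the original thread or Apigee's own code. It goes slightly beyond the leading-space case by validating every stored product scope against the RFC 6749 scope-token grammar; the product list is a constructed sample shaped like the JSON above, and the function names are hypothetical.

```python
import json
import re

# RFC 6749 section 3.3: scope-token = 1*( %x21 / %x23-5B / %x5D-7E )
# (printable ASCII without space, double quote or backslash).
SCOPE_TOKEN = re.compile(r"[\x21\x23-\x5B\x5D-\x7E]+")

# Constructed sample, shaped like the product JSON shown in the reply.
SAMPLE_PRODUCTS = json.loads("""
[
  {"name": "New-Product-A", "scopes": [" write", "read"]},
  {"name": "Example-Product-B", "scopes": ["read", "write"]},
  {"name": "Example-Product-C", "scopes": ["read write", ""]}
]
""")


def audit_scopes(product):
    """Return (stored_value, problem, suggested_replacement) per bad scope."""
    findings = []
    for scope in product.get("scopes", []):
        if SCOPE_TOKEN.fullmatch(scope):
            continue  # well-formed scope-token, nothing to report
        stripped = scope.strip()
        if not stripped:
            findings.append((scope, "empty scope", []))
        elif stripped != scope and SCOPE_TOKEN.fullmatch(stripped):
            # The case from this thread: " write" stored instead of "write".
            findings.append((scope, "leading/trailing whitespace", [stripped]))
        else:
            # Several scopes stored as one value, or forbidden characters.
            parts = [p for p in re.split(r"\s+", stripped)
                     if SCOPE_TOKEN.fullmatch(p)]
            findings.append((scope, "not a valid scope-token", parts))
    return findings


def audit_products(products):
    """Map product name -> findings, leaving out products with clean scopes."""
    report = {}
    for product in products:
        findings = audit_scopes(product)
        if findings:
            report[product["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_products(SAMPLE_PRODUCTS).items():
        for stored, problem, fix in findings:
            print(f"{name}: {stored!r}: {problem}; suggested: {fix}")
```

To run it against a real organization, replace the sample with the product JSON returned by the management API query mentioned in the reply.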