OAuth 2.0 - Validate Access Token

I have created an OAuth 2.0 proxy on the edge platform which supports client_credentials and password grant types. If grant_type='client_credentials' is passed then the edge platform only validates client credentials whereas if grant_type='password' is passed then it first validates client credentials and then it calls back end resource API to validate username and password. If validation is successful then a token is issued.

The problem is when validating the token the edge is not differentiating the issued tokens. I have one proxy which should only validate the token generated by password grant type but it is validating the token generated by client_credentials grant type and vice versa.

How should I resolve this problem? Should I add some custom attribute to the token and then use that custom attribute to validate the token?



Please have a look at OAuth scopes. https://docs.apigee.com/api-platform/security/oauth/working-scopes.

Scopes should be added to the Product. For example: password, clientCredentials

While generating the token, add a scope attribute to the generate policy, for example ?scope=password

 <Scope>request.queryparam.scope</Scope> 

If you don't mention the scope in queryParameter, then the generated token will be given scopes password, clientCredentials (the default behavior).

Now, let's say you have a token that has scope "password". In the password-OAuth-protected proxy, use a Scope element in the VerifyAccessToken policy:

<OAuthV2 async="false" continueOnError="false" enabled="true" name="OAuthV2-VerifyAccessTokenA">
    <DisplayName>Verify OAuth v2.0 Access Token</DisplayName>
    <ExternalAuthorization>false</ExternalAuthorization>
    <Operation>VerifyAccessToken</Operation>
    <Scope>password</Scope>
    <!-- this policy will only validate tokens which have password as a scope -->
    <GenerateResponse enabled="true"/>
</OAuthV2>

Thank you for the response @Siddharth Barahalikar. I have managed to do this using the grant_type token attribute. Once the edge validates the token it populates the grant_type attribute and puts it in the context, so it can be used in the subsequent flow. I have added the following to my proxy pre-flow configuration to check that the token was obtained through the OAuth 2.0 password grant type. If the grant type is not password, a fault will be raised and authentication will fail.

<Step>
    <Name>OA-VerifyAccessToken</Name>
</Step>
<Step>
    <Condition>grant_type != "password"</Condition>
    <!-- This step is to make sure that the token is obtained by OAuth 2.0 password grant type -->
    <Name>RF-AuthenticationFailed</Name>
</Step>

Yes Pooja, it can be done in this way. But it requires an additional policy to throw an error.

I am not sure about using scope to check grant_type.
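The grant_type check from Pooja's reply, assembled into a complete ProxyEndpoint PreFlow together with the RaiseFault policy the reply names but does not show (an added example, not code from this thread; the file paths, policy names and the 401 payload are assumptions):

```xml
<!-- apiproxy/proxies/default.xml : PreFlow of the proxy that must accept password-grant tokens only -->
<PreFlow name="PreFlow">
    <Request>
        <Step>
            <Name>OA-VerifyAccessToken</Name>
        </Step>
        <!-- VerifyAccessToken sets the flow variable grant_type from the stored token record.
             Unlike scope, grant_type is not chosen by the caller: a token issued through
             client_credentials cannot carry grant_type=password, so the check below cannot
             be satisfied merely by requesting a particular scope when the token is minted. -->
        <Step>
            <Condition>grant_type != "password"</Condition>
            <Name>RF-AuthenticationFailed</Name>
        </Step>
    </Request>
    <Response/>
</PreFlow>

<!-- apiproxy/policies/OA-VerifyAccessToken.xml -->
<OAuthV2 async="false" continueOnError="false" enabled="true" name="OA-VerifyAccessToken">
    <Operation>VerifyAccessToken</Operation>
    <GenerateResponse enabled="true"/>
</OAuthV2>

<!-- apiproxy/policies/RF-AuthenticationFailed.xml : reject with a proper 401 instead of a generic error -->
<RaiseFault async="false" continueOnError="false" enabled="true" name="RF-AuthenticationFailed">
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
    <FaultResponse>
        <Set>
            <Headers>
                <Header name="WWW-Authenticate">Bearer error="invalid_token"</Header>
            </Headers>
            <Payload contentType="application/json">{"error":"invalid_token","error_description":"token was not issued by the password grant"}</Payload>
            <StatusCode>401</StatusCode>
            <ReasonPhrase>Unauthorized</ReasonPhrase>
        </Set>
    </FaultResponse>
</RaiseFault>
```

The rejected call is logged by the proxy like any other fault, so a spike in RF-AuthenticationFailed is a useful signal that client_credentials tokens are being replayed against the password-only proxy.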