I have created an OAuth 2.0 proxy on the edge platform which supports client_credentials and password grant types. If grant_type='client_credentials' is passed then the edge platform only validates client credentials whereas if grant_type='password' is passed then it first validates client credentials and then it calls back end resource API to validate username and password. If validation is successful then a token is issued.
The problem is that when validating the token, the edge is not differentiating between the issued tokens. I have one proxy which should only validate the token generated by the password grant type, but it is also validating the token generated by the client_credentials grant type, and vice versa.
How should I resolve this problem? Should I add some custom attribute to the token and then use that custom attribute to validate the token?
Please have a look at OAuth scopes. https://docs.apigee.com/api-platform/security/oauth/working-scopes.
Scopes should be added to the Product. For ex - password, clientCredentials
While generating the token, add a scope attribute to the generate policy, ex - ?scope=password
<Scope>request.queryparam.scope</Scope>
If you don't mention the scope in queryParameter, then the generated token will be given scopes password, clientCredentials (the default behavior).
Now, let's say you have a token that has scope "password". In the password-OAuth-protected proxy, use a Scope in the VerifyAccessToken policy:
<OAuthV2 async="false" continueOnError="false" enabled="true" name="OAuthV2-VerifyAccessTokenA">
    <DisplayName>Verify OAuth v2.0 Access Token</DisplayName>
    <ExternalAuthorization>false</ExternalAuthorization>
    <Operation>VerifyAccessToken</Operation>
    <!-- this policy will only validate tokens which have password as a scope -->
    <Scope>password</Scope>
    <GenerateResponse enabled="true"/>
</OAuthV2>
Thank you for the response @Siddharth Barahalikar. I have managed to do this using the grant_type token attribute. Once the edge validates the token, it populates the grant_type attribute and puts it in the context, so it can be used in the subsequent flow. I have added the following to my proxy pre-flow configuration to check that the token was obtained by the OAuth 2.0 password grant type. If the grant type is not password, a fault will be raised and authentication will fail.
<Step>
    <Name>OA-VerifyAccessToken</Name>
</Step>
<Step>
    <!-- This step is to make sure that the token is obtained by OAuth 2.0 password grant type -->
    <Condition>grant_type != "password"</Condition>
    <Name>RF-AuthenticationFailed</Name>
</Step>
Yes Pooja, it can be done in this way. But it requires an additional policy to throw an error.
I am not sure about using scope to check grant_type.
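The two approaches in this thread can be combined, and one detail is worth making explicit: with `<Scope>request.queryparam.scope</Scope>` the caller chooses the scope, so a client_credentials caller whose API product lists both scopes can simply ask for `?scope=password`. The token-issuing proxy should therefore derive the scope from the grant type on the server side, and the resource proxy can check both the scope and the platform-populated `grant_type` variable. The following is an added example, not code from the thread or from Apigee's documentation; the policy names `AM-SetScopePassword`, `AM-SetScopeClientCredentials` and `OA-GenerateAccessToken` and the flow variable `token.scope` are assumed names, while `OA-VerifyAccessToken` and `RF-AuthenticationFailed` are the names used in the thread. The backend call that validates username and password for the password grant is assumed to run before `OA-GenerateAccessToken`, as the question describes, and is not shown.

```xml
<!-- ===== Token proxy: PreFlow request steps (added example, assumed names) ===== -->
<!-- The scope is set from the grant type the platform will enforce, not from a
     client-supplied query parameter, so a client_credentials caller cannot
     obtain a "password" scope by asking for it. -->
<Request>
    <Step>
        <Condition>request.formparam.grant_type = "password"</Condition>
        <Name>AM-SetScopePassword</Name>
    </Step>
    <Step>
        <Condition>request.formparam.grant_type = "client_credentials"</Condition>
        <Name>AM-SetScopeClientCredentials</Name>
    </Step>
    <!-- backend username/password validation step for the password grant goes here -->
    <Step>
        <Name>OA-GenerateAccessToken</Name>
    </Step>
</Request>

<!-- token.scope is an assumed variable name; "password" and "clientCredentials"
     must be listed as scopes on the API product, as the answer above notes. -->
<AssignMessage name="AM-SetScopePassword">
    <AssignVariable>
        <Name>token.scope</Name>
        <Value>password</Value>
    </AssignVariable>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</AssignMessage>

<AssignMessage name="AM-SetScopeClientCredentials">
    <AssignVariable>
        <Name>token.scope</Name>
        <Value>clientCredentials</Value>
    </AssignVariable>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</AssignMessage>

<!-- Issues the token; <Scope> reads the server-derived variable instead of
     request.queryparam.scope. Only the two grant types in the question are allowed. -->
<OAuthV2 name="OA-GenerateAccessToken">
    <Operation>GenerateAccessToken</Operation>
    <SupportedGrantTypes>
        <GrantType>client_credentials</GrantType>
        <GrantType>password</GrantType>
    </SupportedGrantTypes>
    <GrantType>request.formparam.grant_type</GrantType>
    <UserName>request.formparam.username</UserName>
    <PassWord>request.formparam.password</PassWord>
    <Scope>token.scope</Scope>
    <ExpiresIn>3600000</ExpiresIn>
    <GenerateResponse enabled="true"/>
</OAuthV2>

<!-- ===== Resource proxy protected by the password grant: PreFlow request steps ===== -->
<!-- VerifyAccessToken rejects tokens lacking the "password" scope; the
     grant_type condition is a second, independent check on the attribute the
     platform populates after a successful verification. -->
<Request>
    <Step>
        <Name>OA-VerifyAccessToken</Name>
    </Step>
    <Step>
        <Condition>grant_type != "password"</Condition>
        <Name>RF-AuthenticationFailed</Name>
    </Step>
</Request>

<OAuthV2 name="OA-VerifyAccessToken">
    <Operation>VerifyAccessToken</Operation>
    <Scope>password</Scope>
    <GenerateResponse enabled="true"/>
</OAuthV2>

<!-- The fault policy the thread refers to but does not show; the JSON body is
     a constructed example. -->
<RaiseFault name="RF-AuthenticationFailed">
    <FaultResponse>
        <Set>
            <Payload contentType="application/json">{"error":"invalid_token","error_description":"token was not issued via the password grant"}</Payload>
            <StatusCode>401</StatusCode>
            <ReasonPhrase>Unauthorized</ReasonPhrase>
        </Set>
    </FaultResponse>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</RaiseFault>
```

For the client_credentials-only proxy, swap `<Scope>clientCredentials</Scope>` into its VerifyAccessToken policy and the condition to `grant_type != "client_credentials"`. Keeping both checks costs one extra policy, as the reply above points out, but it means a misconfigured product scope list on its own is not enough to let a token cross between the two proxies.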