Passing invalid refresh token does not break the flow


Hi All,

I am using the OAuth policy to generate the refresh token. When I pass an invalid refresh token, ideally the flow should break and enter the error flow, but in my proxy it continues with the response flow.

Below is my policy code:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="OAV2-RefreshAccessToken">
    <DisplayName>OAV2-RefreshAccessToken</DisplayName>
    <Properties/>
    <Attributes/>
    <ExternalAuthorization>false</ExternalAuthorization>
    <!-- Exchange a valid refresh token for a new access token -->
    <Operation>RefreshAccessToken</Operation>
    <!-- Keep returning the same refresh token instead of rotating it -->
    <ReuseRefreshToken>true</ReuseRefreshToken>
    <!-- The refresh token is read from the refresh_token form parameter -->
    <RefreshToken>request.formparam.refresh_token</RefreshToken>
    <SupportedGrantTypes/>
    <!-- The policy itself writes the token (or error) response -->
    <GenerateResponse enabled="true"/>
    <Tokens/>
</OAuthV2>

I can see that it generated an error code of 400, but it is still continuing with the normal flow instead of the error flow.

[screenshot: 4111-invalid-refresh-token.png]

Please suggest if I am missing something in the policy.

Also, the error message (Response Content in trace) is not in the format we get for other faults.

ACCEPTED SOLUTION

Hi, it's not clear to me what results you are seeing and what you expect to see.

When I add in an OAuthV2 policy that uses operation=RefreshAccessToken, and if I pass in an invalid refresh token, I get the expected error, the same error you show in the screenshot of the trace UI.

$ curl -i https://ORGNAME-test.apigee.net/refreshtokentest/token -d 'refresh_token=FAKE&grant_type=refresh_token' -u client_id:client_secret 
HTTP/1.1 400 Bad Request
Date: Wed, 21 Dec 2016 16:32:07 GMT
Content-Length: 67
Connection: keep-alive
Server: Apigee Router


{"ErrorCode" : "invalid_request", "Error" :"Invalid Refresh Token"}

My OAuthV2 policy uses exactly the configuration you pasted above.

We have seen that the results from your test and the results from my test are consistent. Therefore we can conclude that the policy works as expected when passing an invalid refresh token.

Now, you have observed that your proxy is "still continuing with normal flow instead of error flow."

I think that is incorrect.

I see that the API request has returned with a 200. However, it appears to me that you may be overriding the error response. There are two additional policies that appear in your trace. One of them, perhaps, is overwriting the 400 response with a 200 OK.

When I use a bare proxy with no additional policies, my client receives the 400 as expected.

[screenshot: 4112-refresh-fails-as-expected.png]

When I use an API Proxy with a policy in the Response Flow that overwrites the message, then I get a 200.

[screenshot: 4113-override-response.png]

This is probably unhelpful behavior, but the proxy is performing correctly as configured. The problem is in the proxy, not in Apigee Edge.

So can you check to see how you are overwriting the response?

Also, last thing - I think it is probably more correct to refresh the token in the request flow, rather than in the response flow.

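To make the diagnosis in the accepted answer concrete, here is an added illustration; it is not code from the original thread and not the answerer's own proxy. It shows a trimmed Apigee Edge proxy endpoint using the poster's OAV2-RefreshAccessToken policy: first with an unconditional AssignMessage in the response flow that rewrites whatever status and body the OAuthV2 policy produced to a 200, then with the refresh moved into the request PreFlow (as the answer recommends) and the response-shaping step guarded so it only runs when the OAuthV2 policy did not fail. The policy name AM-FormatResponse, its payload, the base path and the virtual host are assumptions chosen for the example; `oauthV2.{policy_name}.failed` is the flow variable the OAuthV2 policy sets on failure.

```xml
<!-- Added illustration, not part of the original thread.
     Fragment 1: apiproxy/policies/AM-FormatResponse.xml (assumed name).
     When a step like this runs in the response flow, it replaces the status
     and body that OAV2-RefreshAccessToken already wrote. -->
<AssignMessage async="false" continueOnError="false" enabled="true" name="AM-FormatResponse">
  <DisplayName>AM-FormatResponse</DisplayName>
  <Set>
    <!-- Unconditional 200 + canned body: the 400 "Invalid Refresh Token"
         response never reaches the client -->
    <StatusCode>200</StatusCode>
    <ReasonPhrase>OK</ReasonPhrase>
    <Payload contentType="application/json">{"status":"ok"}</Payload>
  </Set>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
  <AssignTo createNew="false" transport="http" type="response"/>
</AssignMessage>

<!-- Fragment 2: apiproxy/proxies/default.xml, BEFORE.
     Both steps sit in the response flow and the overwrite has no condition. -->
<ProxyEndpoint name="default">
  <PreFlow name="PreFlow">
    <Request/>
    <Response>
      <Step><Name>OAV2-RefreshAccessToken</Name></Step>
      <Step><Name>AM-FormatResponse</Name></Step>
    </Response>
  </PreFlow>
  <HTTPProxyConnection>
    <BasePath>/refreshtokentest</BasePath>
    <VirtualHost>secure</VirtualHost>
  </HTTPProxyConnection>
  <!-- Token endpoint: no backend target is needed -->
  <RouteRule name="noroute"/>
</ProxyEndpoint>

<!-- Fragment 3: apiproxy/proxies/default.xml, AFTER.
     The refresh happens in the request PreFlow, and the response-shaping
     step is skipped when the OAuthV2 policy failed, so the policy's own 400
     is passed through to the client unchanged. -->
<ProxyEndpoint name="default">
  <PreFlow name="PreFlow">
    <Request>
      <Step><Name>OAV2-RefreshAccessToken</Name></Step>
    </Request>
    <Response>
      <Step>
        <!-- oauthV2.{policy_name}.failed is set to true by the policy on error -->
        <Condition>oauthV2.OAV2-RefreshAccessToken.failed = false</Condition>
        <Name>AM-FormatResponse</Name>
      </Step>
    </Response>
  </PreFlow>
  <HTTPProxyConnection>
    <BasePath>/refreshtokentest</BasePath>
    <VirtualHost>secure</VirtualHost>
  </HTTPProxyConnection>
  <RouteRule name="noroute"/>
</ProxyEndpoint>
```

After deploying the corrected endpoint, repeat the curl request from the answer with a bogus refresh_token value: the client should receive `HTTP/1.1 400 Bad Request` with the `{"ErrorCode" : "invalid_request", "Error" :"Invalid Refresh Token"}` body, and the trace should show AM-FormatResponse being skipped. The reason this matters beyond tidiness is that a token endpoint answering 200 to a failed refresh tells the client (and any monitoring keyed on status codes) that authentication succeeded when it did not; the step guard keeps the policy's error verdict authoritative.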

4 REPLIES


Thanks for the reply @Dino

I figured it out.


Can you please check the value you set for <ReuseRefreshToken>?

Description

When set to true, the existing refresh token is reused until it expires. If false, a new refresh token is issued by Apigee Edge when a valid refresh token is presented.

@Kannan, the above issue is already answered and accepted. Community Answers is not a place for copy-pasting text from the Apigee docs. Be contextual, and use comments if you have any questions or queries regarding the original question.