Patterns for Apigee and Third Party OAuth Provider with authorization_code grant

Hello, I have a scenario where I am using a Third Party OAuth Provider (using the general pattern described here) with the authorization_code grant. The flow is failing due to a missing authorization code.

  • Presently, only the Access Token request is proxied by Apigee, not the authorization code request.
  • The service callout to my OAuth server is successfully returning a response containing the access token.
  • I am using OAuthV2.GenerateAccessToken as shown below (snippet 1).
  • It appears Apigee is returning the 400 "Invalid Authorization Code" when attempting to generate the token (snippet 2), presumably because the auth code does not exist in the token store.

Does Apigee require the authorization code to exist in its token store to use a Third Party OAuth server and authorization_code grant, or do I have a misconfiguration? 

Thank you.

- Marc

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 continueOnError="false" enabled="true" name="OA-StoreOAuthOAMToken">
    <DisplayName>OA-StoreOAuthOAMToken</DisplayName>
    <Attributes/>
    <ExternalAuthorization>true</ExternalAuthorization>
    <ExternalAccessToken>oamresponse.oam-access-token</ExternalAccessToken>
    <Operation>GenerateAccessToken</Operation>
    <!-- ExpiresIn is milliseconds, response returns expires_in seconds-->
    <ExpiresIn>1800000</ExpiresIn>
    <StoreToken>true</StoreToken>
    <SupportedGrantTypes>
        <GrantType>client_credentials</GrantType>
        <GrantType>authorization_code</GrantType>
        <!--<GrantType>password</GrantType>-->
    </SupportedGrantTypes>
    <GenerateResponse enabled="true"/>
    <RFCCompliantRequestResponse>true</RFCCompliantRequestResponse>
    <Tokens/>
</OAuthV2>

{"error":"invalid_request","error_description":"Invalid Authorization Code"}

Solved
1 ACCEPTED SOLUTION

Does Apigee require the authorization code to exist in its token store to use a Third Party OAuth server and authorization_code grant, or do I have a misconfiguration?

Yes, to use Apigee to validate an authorization code, you need to configure your Apigee so that it ingests that externally-generated code. Here is a source code repo that shows an example of doing this.

An alternative is to allow the client to do the 3-legged flow, and get the externally-generated token, and then use the "client credentials" grant in your Apigee policy to ingest the external token. In this case, Apigee will be unaware of the authorization code used with the external IdP. If you do this, the form parameters on the inbound request to Apigee must use grant_type=client_credentials, or you need to use the AssignMessage policy to overwrite that form parameter, in order for the OAuth policy to work with client_credentials.

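The two options in the accepted answer, written out as Apigee policy XML. This is an added illustration, not code from the original post or from the linked repo; the policy names, the flow variable oamresponse.oam-authorization-code, and the placement of an ExtractVariables step before each policy are assumptions. Option A only works if the authorization-code request itself is routed through Apigee (the original proxy only routes the token request), because that is where the external code gets ingested; Option B keeps the code exchange entirely between the client and the IdP and lets the original GenerateAccessToken policy succeed by presenting the request as client_credentials.

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Option A: ingest the code issued by the external IdP into Apigee's store.
     Attach this to the proxied authorization-code request, after a ServiceCallout
     to the IdP and an ExtractVariables step that has copied the IdP's code into
     the (assumed) flow variable oamresponse.oam-authorization-code. Once it is
     stored, the original OA-StoreOAuthOAMToken policy with the authorization_code
     grant will find the code and stop returning "Invalid Authorization Code". -->
<OAuthV2 continueOnError="false" enabled="true" name="OA-IngestExternalAuthCode">
    <DisplayName>OA-IngestExternalAuthCode</DisplayName>
    <Operation>GenerateAuthorizationCode</Operation>
    <ExternalAuthorization>true</ExternalAuthorization>
    <!-- flow variable holding the code minted by the external IdP -->
    <ExternalAuthorizationCode>oamresponse.oam-authorization-code</ExternalAuthorizationCode>
    <!-- milliseconds; keep codes short-lived, they are single-use bearer secrets -->
    <ExpiresIn>600000</ExpiresIn>
    <GenerateResponse enabled="false"/>
</OAuthV2>
```

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Option B, step 1: the client has already completed the 3-legged flow with the
     IdP and calls Apigee with grant_type=authorization_code. Overwrite that form
     parameter so the OAuthV2 policy treats the request as client_credentials;
     Apigee never sees the IdP's authorization code in this design. -->
<AssignMessage continueOnError="false" enabled="true" name="AM-ForceClientCredentialsGrant">
    <DisplayName>AM-ForceClientCredentialsGrant</DisplayName>
    <Set>
        <FormParams>
            <FormParam name="grant_type">client_credentials</FormParam>
        </FormParams>
    </Set>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>
```

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Option B, step 2: same policy as the original post, with authorization_code
     dropped from SupportedGrantTypes so that a request that bypassed the
     AssignMessage step above fails closed instead of reaching the code lookup.
     The external token is still read from oamresponse.oam-access-token, which
     the ServiceCallout/ExtractVariables steps populate from the IdP response. -->
<OAuthV2 continueOnError="false" enabled="true" name="OA-StoreOAuthOAMToken">
    <DisplayName>OA-StoreOAuthOAMToken</DisplayName>
    <Attributes/>
    <ExternalAuthorization>true</ExternalAuthorization>
    <ExternalAccessToken>oamresponse.oam-access-token</ExternalAccessToken>
    <Operation>GenerateAccessToken</Operation>
    <!-- ExpiresIn is milliseconds; the response's expires_in is in seconds -->
    <ExpiresIn>1800000</ExpiresIn>
    <StoreToken>true</StoreToken>
    <SupportedGrantTypes>
        <GrantType>client_credentials</GrantType>
    </SupportedGrantTypes>
    <GenerateResponse enabled="true"/>
    <RFCCompliantRequestResponse>true</RFCCompliantRequestResponse>
    <Tokens/>
</OAuthV2>
```

Two practitioner notes on Option B. First, a token ingested under client_credentials carries no end-user identity inside Apigee, so any per-user authorization in the proxy has to come from attributes you copy out of the IdP response (for example into the policy's Attributes element), not from Apigee's own grant bookkeeping. Second, with ExternalAuthorization set to true Apigee is trusting that the upstream IdP already authenticated the caller; only populate oamresponse.oam-access-token from a ServiceCallout response that returned success over TLS, and gate the policy on that status so a failed IdP call cannot result in an empty or stale token being stored. Whether Apigee also re-validates the client_id/client_secret in this mode depends on the oauth_external_authorization_status flow variable as I understand the Apigee docs; verify that behaviour in your environment before relying on it.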

2 REPLIES

Thank you @dchiesa1, makes perfect sense.