Hello, I have a scenario where I am using a Third Party OAuth Provider (using the general pattern described here) with the authorization_code grant. The flow is failing due to a missing authorization code.
Does Apigee require the authorization code to exist in its token store to use a Third Party OAuth server and authorization_code grant, or do I have a misconfiguration?
Thank you.
- Marc
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 continueOnError="false" enabled="true" name="OA-StoreOAuthOAMToken">
    <DisplayName>OA-StoreOAuthOAMToken</DisplayName>
    <Attributes/>
    <!-- Client validation is delegated to the external server -->
    <ExternalAuthorization>true</ExternalAuthorization>
    <!-- Flow variable holding the token issued by the external (OAM) server -->
    <ExternalAccessToken>oamresponse.oam-access-token</ExternalAccessToken>
    <Operation>GenerateAccessToken</Operation>
    <!-- ExpiresIn is in milliseconds; the response returns expires_in in seconds -->
    <ExpiresIn>1800000</ExpiresIn>
    <!-- Persist the external token in Apigee's token store -->
    <StoreToken>true</StoreToken>
    <SupportedGrantTypes>
        <GrantType>client_credentials</GrantType>
        <GrantType>authorization_code</GrantType>
        <!--<GrantType>password</GrantType>-->
    </SupportedGrantTypes>
    <GenerateResponse enabled="true"/>
    <RFCCompliantRequestResponse>true</RFCCompliantRequestResponse>
    <Tokens/>
</OAuthV2>
{"error":"invalid_request","error_description":"Invalid Authorization Code"}
Does Apigee require the authorization code to exist in its token store to use a Third Party OAuth server and authorization_code grant, or do I have a misconfiguration?
Yes, to use Apigee to validate an authorization code, you need to configure your Apigee so that it ingests that externally-generated code. Here is a source code repo that shows an example of doing this.
An alternative is to allow the client to do the 3-legged flow, and get the externally-generated token, and then use "client credentials" grant in your Apigee policy to ingest the external token. In this case, Apigee will be unaware of the authorization code used with the external IdP. If you do this, the form parameters on the inbound request to Apigee must use grant_type=client_credentials, or you need to use the AssignMessage policy to overwrite that form parameter, in order for the OAuth policy to work with client_credentials.
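One way to wire up the client_credentials alternative described in the answer, as an added example; this is not the asker's posted policy and not the sample repo's code. It assumes the client has already completed the 3-legged flow with the external IdP and presents the resulting token in a request header named X-External-Token (a hypothetical header name chosen for the example), that the two policies are attached to the token endpoint's request flow in the order shown, and that the flow-variable name oauth_external_authorization_status is the one the OAuthV2 policy reads when ExternalAuthorization is true. The policy names and the header name are assumptions; check them against the OAuthV2 and AssignMessage references for your Apigee version.

```xml
<!-- Policy 1 (assumed name AM-PrepareExternalToken), executed before the OAuthV2 policy.
     It rewrites the grant and stages the external token so that Apigee never looks for
     an authorization code in its own token store. -->
<AssignMessage name="AM-PrepareExternalToken" continueOnError="false" enabled="true">
  <DisplayName>AM-PrepareExternalToken</DisplayName>
  <!-- Overwrite whatever grant_type the client sent; the OAuthV2 policy must see client_credentials -->
  <Set>
    <FormParams>
      <FormParam name="grant_type">client_credentials</FormParam>
    </FormParams>
  </Set>
  <!-- Copy the externally issued token (assumed header X-External-Token) into the variable
       referenced by <ExternalAccessToken> in the OAuthV2 policy -->
  <AssignVariable>
    <Name>oamresponse.oam-access-token</Name>
    <Ref>request.header.X-External-Token</Ref>
  </AssignVariable>
  <!-- Tell the OAuthV2 policy that authorization was done externally. In a real proxy,
       set this from the result of a step that verified the token with the IdP
       (for example a ServiceCallout to its introspection endpoint), not unconditionally. -->
  <AssignVariable>
    <Name>oauth_external_authorization_status</Name>
    <Value>true</Value>
  </AssignVariable>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>

<!-- Policy 2: the OAuthV2 policy from the question, trimmed to the client_credentials grant only,
     so a stray grant_type=authorization_code can no longer trigger a code lookup. -->
<OAuthV2 name="OA-StoreOAuthOAMToken" continueOnError="false" enabled="true">
  <DisplayName>OA-StoreOAuthOAMToken</DisplayName>
  <Operation>GenerateAccessToken</Operation>
  <ExternalAuthorization>true</ExternalAuthorization>
  <ExternalAccessToken>oamresponse.oam-access-token</ExternalAccessToken>
  <!-- milliseconds; the response reports expires_in in seconds -->
  <ExpiresIn>1800000</ExpiresIn>
  <StoreToken>true</StoreToken>
  <SupportedGrantTypes>
    <GrantType>client_credentials</GrantType>
  </SupportedGrantTypes>
  <GenerateResponse enabled="true"/>
  <RFCCompliantRequestResponse>true</RFCCompliantRequestResponse>
</OAuthV2>
```

Two points to keep in mind with this shape. First, the inbound request still has to carry the Apigee app's client_id and client_secret (Basic auth or form parameters) so the stored token is associated with a developer app; how much of the client validation Apigee itself performs when ExternalAuthorization is true is version-specific, so read the policy reference rather than relying on this example. Second, setting oauth_external_authorization_status to true unconditionally, as the example does for brevity, means any caller holding valid Apigee client credentials can have an arbitrary string in X-External-Token minted into a stored Apigee token; in production, derive that variable from an actual verification of the external token against the IdP and fail the flow when it is not true.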
Thank you @dchiesa1, makes perfect sense.