Hi, I noticed 2 things in my refresh token policy
1. It doesn't accept variables in fields like
<GrantType>{myJsVariable}</GrantType>
but it works with
<GrantType>request.queryparam.grant_type</GrantType>
2. I have "generate response true". When this generates the response, it doesn't execute the next policies; it just skips the whole API with the generated response. Is this intended? (The GenerateToken policy lets you generate a response so I can massage it in a JS policy, but not the refresh policy.)
<GenerateResponse enabled="true"/>
Any thoughts here?
If my thoughts are correct then this is an issue for me, and it forces me to create an API wrapper for refresh-token so I can
1. pass query params
2. grab the response in a caller API so I can massage it.
Thanks
I know this is a really old question, but what you describe surprises me, and so I thought I'd investigate.
For item #1: correct. Don't surround the variable name with curly braces.
For item #2:
What I found: it works for me. I have this flow:
<Flow name="token">
  <!-- The app uses this request to exchange the code for a token, or to refresh a token.
       Example:
         Authorization: Basic base64(client_id:client_secret)
         POST /devjam3/oauth2-ac/token
         grant_type=authorization_code
           &code=q2oI7b2d
           &redirect_uri=http://dinochiesa.github.io/openid-connect/callback-handler.html
       -or-
         Authorization: Basic base64(client_id:client_secret)
         POST /devjam3/oauth2-ac/token
         grant_type=refresh_token&refresh_token=sksious93e93
  -->
  <Condition>(proxy.pathsuffix MatchesPath "/token") and (request.verb = "POST")</Condition>
  <Description/>
  <Request>
    <Step>
      <Name>RF-InvalidGrantType</Name>
      <Condition>NOT (request.formparam.grant_type = "authorization_code" OR request.formparam.grant_type = "refresh_token")</Condition>
    </Step>
  </Request>
  <Response>
    <Step>
      <Name>OAuthV2-GenerateAccessToken</Name>
      <Condition>request.formparam.grant_type = "authorization_code"</Condition>
    </Step>
    <Step>
      <Name>OAuthV2-RefreshAccessToken</Name>
      <Condition>request.formparam.grant_type = "refresh_token"</Condition>
    </Step>
    <Step>
      <Name>JS-GroomTokenResponse</Name>
    </Step>
  </Response>
</Flow>
And what I found is that the JS-GroomTokenResponse policy executes. Any other policy will execute, also.
The OAuthV2-RefreshAccessToken policy looks like this:
<OAuthV2 enabled='true' name='OAuthV2-RefreshAccessToken'>
  <Operation>RefreshAccessToken</Operation>
  <ExpiresIn>3600000</ExpiresIn>
  <RefreshTokenExpiresIn>86400000</RefreshTokenExpiresIn>
  <ExternalAuthorization>false</ExternalAuthorization>
  <!-- grant_type must be "refresh_token" -->
  <GrantType>request.formparam.grant_type</GrantType>
  <RefreshToken>request.formparam.refresh_token</RefreshToken>
  <SupportedGrantTypes/>
  <GenerateResponse/>
</OAuthV2>
It just works. You can see a full working example here.
I think you must have something exceptional. Maybe your RefreshAccessToken policy is not attached in the response flow?
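As an added example (not code from the original post or from the answerer's project), this is what a JS-GroomTokenResponse step can do with the body that <GenerateResponse/> produced: keep only the RFC 6749 token fields so internal identifiers in the default payload are not returned to the client. The `context` object is Apigee's JavaScript policy API; the extra field names in the constructed sample body are assumed.

```javascript
// Policy body for a step such as "JS-GroomTokenResponse" (added example).
// Inside Apigee, the global `context` gives access to flow variables; outside
// Apigee (e.g. node) it is undefined, so the policy glue at the bottom is guarded
// and the pure function can be exercised on a constructed sample instead.

// Fields a client is expected to receive per RFC 6749, section 5.1.
var ALLOWED_FIELDS = ['access_token', 'token_type', 'expires_in', 'refresh_token', 'scope'];

// Constructed sample shaped like Apigee's default token payload (field names assumed).
var SAMPLE_BODY = JSON.stringify({
  access_token: 'abc123', token_type: 'BearerToken', expires_in: '3599',
  refresh_token: 'rt-456', scope: '', client_id: 'cid-789',
  api_product_list: '[Product1]', organization_name: 'my-org'
});

// Parse the generated token response and return a copy that carries only the
// standard fields; empty values are dropped and expires_in is normalised to an
// integer because the generated payload may render numbers as strings.
function groomTokenResponse(rawBody) {
  var parsed = JSON.parse(rawBody);
  var groomed = {};
  ALLOWED_FIELDS.forEach(function (name) {
    var value = parsed[name];
    if (value !== undefined && value !== null && value !== '') {
      groomed[name] = value;
    }
  });
  if (typeof groomed.expires_in === 'string' && /^\d+$/.test(groomed.expires_in)) {
    groomed.expires_in = parseInt(groomed.expires_in, 10);
  }
  return groomed;
}

// Only touch flow variables when actually running as an Apigee JavaScript policy.
if (typeof context !== 'undefined') {
  var body = context.getVariable('response.content');
  if (body) {
    context.setVariable('response.content', JSON.stringify(groomTokenResponse(body)));
  }
} else {
  console.log(JSON.stringify(groomTokenResponse(SAMPLE_BODY)));
}
```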
Thank you so much @Dino-at-Google. I think what was different for me was that I was trying to use GenerateResponse true (I think) and also that I was trying to use {JS} variables as input. I'll use this info at some point to retry having the refresh token internally in my API.