We are trying to do a PoC with Apigee acting as an identity facade for authentication & authorization, using ForgeRock as the IdP. Our initial authorize call seems to be working fine, and the 302 redirect to the ForgeRock login page for user credentials is also successful. But once ForgeRock does the callback, we see a failure in the OAuthv2-GenerateAuthCode call saying "invalid request".
Regarding creating an OAuth / OpenID Connect proxy for ForgeRock, we are leveraging an example provided by Kurt and updated it with our internal ForgeRock IdP values.
See: https://github.com/kurtkanaskie/oidc-v1-google-demo
Error response:
{
"fault": {
"faultstring": "invalid_request",
"detail": {
"errorcode": "invalid_request"
}
}
}
Debug Error:
{
"name": "error.cause",
"value": "Redirection URI is required"
},
{
"name": "error.class",
"value": "com.apigee.oauth.v2.TokenGenerationException"
},
{
"name": "state",
"value": "PROXY_REQ_FLOW"
},
{
"name": "type",
"value": "ErrorPoint"
},
{
"name": "error",
"value": "invalid_request"
},
{
"name": "Identifier",
"value": "fault"
}
]
},
Are we missing any config in the flow like setting ClientApp URL for the redirect of authorization code? If yes, where do we set it?
"Redirection URI is required" is a hint.
It looks like the callback does not include the redirect_uri parameter. Apigee is insisting that it does include that parameter.
You didn't show the effective callback URL -- what you get at runtime. Maybe check that.
Hi Dino - Below is the callback URI that is available at runtime. Not sure if Apigee looks for a specific query parameter named redirect_uri in the callback?
/oidc-google/v1/oauth/callback?code=wh23235553456546F5eAFu60YeNpgI&iss=https%3A%2F%2Fsecureqat.tope.net%3A443%2Fsso%2Foauth2%2Frealms%2Froot%2Frealms%2Fmain&state=code%20dd457673-69a7-46ce-8624-2ec74f345340b95&client_id=apigee-soc
Yes, I believe redirect_uri is the thing that is missing.
For some reason the ForgeRock system is not providing that. The original OAuth spec says that the redirect_uri parameter is required in the callback URL if multiple redirect URIs are registered for the app. (cite)
The spec does not say that the redirect_uri is required in all cases. The Apigee policy is more strict than the specification, and is rejecting the callback because it is missing the redirect_uri parameter. But you may be able to work around that problem.
This is what the Apigee doc says:
So if you use redirect_uri in the original /authorize request, then the callback also needs to include redirect_uri.
The workarounds might be:
Give that a try?
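As an added illustration (not code from this thread or from the oidc-v1-google-demo proxy), here is how a facade can bind the redirect_uri chosen at /authorize time to the state value, recover it on a callback that omits redirect_uri, and still exact-match it against the client's registered URIs; the registration table and the state-keyed session store are assumptions, not Apigee APIs:

```javascript
// Added example (not code from the thread or the oidc-v1-google-demo proxy):
// bind the redirect_uri used at /authorize to the OAuth "state", then recover
// and validate it on a callback that omits redirect_uri, as in the thread.
// The registry and session store are assumptions, not Apigee APIs.
// Hypothetical client registration: exact-match allow-list of redirect URIs.
const REGISTERED_REDIRECT_URIS = {
  "apigee-soc": ["https://api.example.com/oidc-google/v1/oauth/callback"],
};

// Hypothetical state-keyed store (in a real proxy this would be a KVM/cache).
const sessions = new Map();

// At /authorize time: check the requested redirect_uri is registered for the
// client, then remember it under this state value.
function rememberAuthorize(clientId, state, redirectUri) {
  const allowed = REGISTERED_REDIRECT_URIS[clientId] || [];
  if (!allowed.includes(redirectUri)) {
    throw new Error("redirect_uri not registered for " + clientId);
  }
  sessions.set(state, { clientId, redirectUri });
}

// At callback time: take redirect_uri from the query if present, otherwise
// from the session bound to state; either way it must exactly match a
// registered URI before it is handed to the code-generation step.
function resolveCallback(callbackUrl) {
  const q = new URL(callbackUrl, "https://placeholder.invalid").searchParams;
  const state = q.get("state");
  const session = state ? sessions.get(state) : undefined;
  if (!session) return { ok: false, reason: "unknown or missing state" };
  if (q.get("client_id") && q.get("client_id") !== session.clientId) {
    return { ok: false, reason: "client_id does not match state" };
  }
  const redirectUri = q.get("redirect_uri") || session.redirectUri;
  if (!REGISTERED_REDIRECT_URIS[session.clientId].includes(redirectUri)) {
    return { ok: false, reason: "redirect_uri not registered" };
  }
  sessions.delete(state); // state is single-use
  return { ok: true, code: q.get("code"), redirectUri };
}

// Constructed run with the callback URL quoted in the thread (no redirect_uri).
function demo() {
  const state = "code dd457673-69a7-46ce-8624-2ec74f345340b95";
  rememberAuthorize("apigee-soc", state, REGISTERED_REDIRECT_URIS["apigee-soc"][0]);
  return resolveCallback("/oidc-google/v1/oauth/callback?code=wh23235553456546F5eAFu60YeNpgI"
    + "&iss=https%3A%2F%2Fsecureqat.tope.net%3A443%2Fsso%2Foauth2%2Frealms%2Froot%2Frealms%2Fmain"
    + "&state=code%20dd457673-69a7-46ce-8624-2ec74f345340b95&client_id=apigee-soc");
}
```

Because the state is consumed on first use, a replayed callback with the same state is rejected as "unknown or missing state".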
Hi Dino - We got the /authorize & /token calls working in the flow for the OIDC 3-legged flow with ForgeRock. When we do a refresh token, we are failing with the error below in Apigee X before hitting ForgeRock for the externalRefreshToken call.
Reference API proxy provided by Kurt: https://github.com/kurtkanaskie/oidc-v1-google-demo
I think that proxy needs to be included into an API Product. I don't know what the proxy is doing, but there are some things, some policies, that if included in a proxy, imply that the proxy needs to be within an API product.
Hi Dino - created a support ticket on it. We are using the same path & HTTP method for access token & refresh token, just a different grant_type. The access token call works, but the refresh token call fails with the error "Invalid API call as no apiproduct match found". If we completely remove the operations from the API product then even the refresh token call works, so we are temporarily testing without any operations mentioned in the API product.
Also, for single page applications, do we have any standard logout & revoke-token process? Our ForgeRock team needs to provide a post_logout_redirect_uri in their config, and the same needs to be passed by the client app/Apigee in the revoke/endSession call. In the case of a single page application, does Apigee have any default logout page that we could provide as part of the logout redirect for the client?