OAuth Generate Access Token Fails - In Case of External Authorization

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="GenerateAccessToken">
    <DisplayName>GenerateAccessToken</DisplayName>
    <ExternalAuthorization>true</ExternalAuthorization>
    <ExternalAccessToken>request.queryparam.external_access_token</ExternalAccessToken>
    <StoreToken>true</StoreToken>
    <Operation>GenerateAccessToken</Operation>
    <SupportedGrantTypes>
        <GrantType>password</GrantType>
    </SupportedGrantTypes>
    <GrantType>request.queryparam.grant_type</GrantType>
    <GenerateResponse enabled="true"/>
</OAuthV2>

I have set "oauth_external_authorization_status" to true and the trace confirms the same. The above policy fails to generate an access token and ends up with the error below.

{"ErrorCode" : "invalid_client", "Error" :"Client identifier is required"}

Not sure what I am missing here... Is it a bug in the platform? The client credentials flow works perfectly fine with the same request... The password grant type with external authorization fails to generate an access token.

1 ACCEPTED SOLUTION

adas

@Anil Sagar What is the request you are making? You should be doing something like this:

curl -v http://myorg-test.apigee.net/v1/oauthv2/access_to. \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d 'grant_type=password&username=hello&password=world&client_id=${key}'

You don't need to specify:

<GrantType>request.queryparam.grant_type</GrantType>

As long as you have the oauth_external_authorization_status set to true and have the ExternalAuthorization set to true in the policy, it should work. A sample policy with externalAuthorization would look like this:

<OAuthV2 name="OauthV2Policy" continueOnError="true">
    <SupportedGrantTypes>
        <GrantType>password</GrantType>
        <GrantType>client_credentials</GrantType>
        <GrantType>authorization_code</GrantType>
        <GrantType>implicit</GrantType>
    </SupportedGrantTypes>
    <GenerateResponse/>
    <ExternalAuthorization>true</ExternalAuthorization>
</OAuthV2>


7 REPLIES

Have you tried passing in the Client Identifier? It is an element, sibling to GrantType.

  ...
  <GrantType>request.queryparam.grant_type</GrantType>
  <ClientId>flow.variable.here</ClientId> <!-- Optional -->
  ...

@Dino, I have tried that too... Doesn't work...

@arghya das

Yes, my request is exactly the same as the one you mentioned. I tried both adding client_id and removing the GrantType tag. Still the same issue. Do we have a working example of the password grant type with external authorization?

@arghya das, never mind, it was an issue with sending the payload to the GenerateAccessToken policy. I tested in a different proxy to find the root cause and it worked as expected; it was an issue with my proxy configuration. Thank you.

adas

Make sure you are setting the oauth_external_authorization_status to true before the generateAccessToken policy is invoked. Here's a working example from Diego, which is also linked to our docs: https://github.com/dzuluaga/apigee-tutorials/tree/master/apiproxies/musicapi-oauth-delegated-authent...
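
An added example (not from this thread or the linked tutorial) of a JavaScript policy step that sets oauth_external_authorization_status before GenerateAccessToken and fails closed when the external check did not succeed. The ServiceCallout response variable `idpResponse`, its `{"authenticated": true}` body and the `external_auth.problems` variable are assumptions; client_id and grant_type are read as form parameters, matching the curl request in the accepted answer.

```javascript
// Added example: JavaScript policy step that runs before GenerateAccessToken.
// Assumptions: "idpResponse" is a hypothetical ServiceCallout response variable,
// and the external IdP answers 200 with a JSON body {"authenticated": true}.
function decideExternalAuth(ctx) {
  var problems = [];

  // The curl request in the thread sends these as form parameters.
  if (!ctx.getVariable('request.formparam.client_id')) {
    problems.push('client_id missing from form body');
  }
  if (ctx.getVariable('request.formparam.grant_type') !== 'password') {
    problems.push('grant_type is not "password" in form body');
  }

  // Fail closed: only an explicit success from the IdP counts.
  var status = Number(ctx.getVariable('idpResponse.status.code'));
  if (status !== 200) {
    problems.push('IdP status was ' + status);
  }
  var authenticated = false;
  try {
    var body = JSON.parse(ctx.getVariable('idpResponse.content') || 'null');
    authenticated = body !== null && body.authenticated === true;
  } catch (e) {
    problems.push('IdP response body is not JSON');
  }
  if (!authenticated) {
    problems.push('IdP did not confirm the user');
  }

  var ok = problems.length === 0;
  // Written on every path, so a stale "true" can never reach OAuthV2.
  ctx.setVariable('oauth_external_authorization_status', ok);
  // Hypothetical diagnostic variable, visible in trace.
  ctx.setVariable('external_auth.problems', problems.join('; '));
  return ok;
}

// Apigee supplies `context`; the guard lets the file load outside the runtime.
if (typeof context !== 'undefined') {
  decideExternalAuth(context);
}
```

Attach it as a JavaScript policy step after the callout to the external identity provider and before the OAuthV2 policy.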

Hi, I am also getting the same issue. How did you resolve it, can you tell me? I tried adding ClientId in the OAuth policy and tried removing both clientID and GrantType, but I am still facing the same issue. Actually using in Response. To regenerate the external token, it is coming in the form of SessionID.