How to accept an OAuth token from a query string parameter?


I want to allow a developer to pass their access token in a query string parameter.

Once I extract the token from the request, how can I set the access token variable that is used by the default ValidateOAuth policy to verify the token? Is there another way to accept the token in a query string parameter?

Here is my current ExtractVariables policy to grab the token from the request and set the access token variable. The ValidateOAuth policy still fails after this policy runs, so the access token variable is not being set.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ExtractVariables async="false" continueOnError="false" enabled="true" name="Extract-Token-From-URI">
    <Properties/>
    <!-- Reads the "token" query parameter and binds its value to the flow
         variable "access_token" (or "apigee.access_token" when VariablePrefix
         is set). The OAuthV2 policy does not read this variable by default;
         it has to be pointed at it explicitly. -->
    <QueryParam name="token">
        <Pattern ignoreCase="true">{access_token}</Pattern>
    </QueryParam>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
    <Source clearPayload="false">request</Source>
    <!--<VariablePrefix>apigee</VariablePrefix>-->
</ExtractVariables>

I have tried this policy with the VariablePrefix element uncommented as well.


Hi @Eskinder Zewdu

Please take a look at this topic "Approving and Revoking Access Tokens". The OAuthv2 policy that validates the access token can be set to accept the access token as a query parameter (or in a header, or in a flow variable) using the <Tokens> element. So, there's no need to extract the token from the query parameter. If you do extract it to a flow variable, just set the <Tokens> element accordingly. Hope that helps.

For example, if your query parameter is called access_token, you'd set it like this:

<Tokens>
    <Token type="accesstoken" cascade="true">request.queryparam.access_token</Token>
</Tokens>

Will

The <Tokens> element on the OAuthv2 policy worked. Thanks!


@wwitman With this solution, the developer flow variables (i.e. developer.email) are null. Does there need to be a modification made to the token validation so that those variables are not null? I think it is because the <Operation> is "ValidateToken" instead of "VerifyAccessToken". According to the documentation, ValidateToken approves a previously revoked token, whereas VerifyAccessToken checks if the token is valid.

Thanks again for your help.


Found the solution! <AccessToken> is the element to use with the VerifyAccessToken operation. The policy definition is below.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Note: continueOnError="true" lets the flow continue past a failed
     verification, so this policy alone does not reject an invalid token;
     a later step must fail the request, or set continueOnError="false". -->
<OAuthV2 async="false" continueOnError="true" enabled="true" name="Validate-QSP-Token">
    <DisplayName>Validate QSP Token</DisplayName>
    <Properties/>
    <Attributes/>
    <ExternalAuthorization>false</ExternalAuthorization>
    <Operation>VerifyAccessToken</Operation>
    <SupportedGrantTypes/>
    <GenerateResponse enabled="true"/>
    <!-- Read the token from the "token" query parameter instead of the
         default Authorization header -->
    <AccessToken>request.queryparam.token</AccessToken>
</OAuthV2>

Thanks again @wwitman
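As an added example, not taken from the thread, this is how the Validate-QSP-Token policy above can be wired into a proxy PreFlow so that the proxy fails closed despite continueOnError="true". The base path, the target endpoint name and the RaiseFault policy name Raise-Fault-Invalid-Token are assumed placeholders.

```xml
<!-- Assumed: base path, target endpoint "default" and the RaiseFault policy
     "Raise-Fault-Invalid-Token" are placeholders, not from the thread. -->
<ProxyEndpoint name="default">
  <PreFlow name="PreFlow">
    <Request>
      <!-- Verifies the token read from ?token=... (the Validate-QSP-Token
           policy above, which uses <AccessToken>request.queryparam.token</AccessToken>) -->
      <Step>
        <Name>Validate-QSP-Token</Name>
      </Step>
      <!-- The policy is declared with continueOnError="true", so a failed
           verification does not stop the flow on its own. This conditional
           step rejects the request whenever the OAuthV2 policy reported failure. -->
      <Step>
        <Name>Raise-Fault-Invalid-Token</Name>
        <Condition>oauthV2.Validate-QSP-Token.failed = true</Condition>
      </Step>
      <!-- On success, the variables populated by VerifyAccessToken
           (e.g. developer.email, as discussed in the thread) are available
           to any steps placed here. -->
    </Request>
    <Response/>
  </PreFlow>
  <HTTPProxyConnection>
    <BasePath>/v1/tokentest</BasePath>
  </HTTPProxyConnection>
  <RouteRule name="default">
    <TargetEndpoint>default</TargetEndpoint>
  </RouteRule>
</ProxyEndpoint>
```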

@Eskinder Zewdu Thanks for posting your solution -- you're absolutely right that you use <AccessToken> with the VerifyAccessToken operation, whereas <Tokens> is used with the ValidateToken operation. Thanks for following up!