Significance of user credentials while generating password grant tokens

The use case is: user authentication happens outside of Apigee via a proxy web server, and Apigee is then called to generate the access tokens after successful authentication. As per the doc, username & password are required for the password grant to generate tokens.

My queries here are:

  1. What is the role of user credentials while generating the access token?
  2. For an authenticated user, could we use dummy credentials while generating tokens?
ACCEPTED SOLUTION

akoo

Great questions, @Mahammad Feroz. My answers below:

1. The answer is to serve as a reminder to validate credentials. No significance, otherwise, because Apigee is trusting you're doing the proper user credential validation externally.

2. Yes.



Hi Mahammad Feroz,

I have tested this scenario and it seems your queries are genuine. What I am assuming from the documentation here is, as mentioned, that "In cases where the app user name must be sent to the authorization server, this element lets you specify where Edge should look for the end user name".

This means that whenever Apigee is acting as an authorization server, these credentials will come into the picture. Since for the password grant_type username and password are mandatory, I guess dummy credentials can be used for token generation.

@GargiTalukdar, please refer to the doc here. As per this, grant_type, username and password are mandatory fields for the password grant type. Please provide any working samples to generate an access token without specifying user credentials for the password grant.

Hi Mahammad Feroz,

I have updated my comment.

It's an interesting question why username/password is required for access token generation when username/password is already validated by the identity service provider. Can someone from Apigee let us know how username/password is used during token generation?


Thank you for your clarification @Alex Koo.


Please check out this video http://docs.apigee.com/api-services/content/implementing-password-grant-type where Baas is used to validate userid and password.

And we are using the policy XML below for generating the access token. We are not passing user credentials in this.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 name="GenerateAccessTokenClient">
    <Operation>GenerateAccessToken</Operation>
    <ExpiresIn>3600000</ExpiresIn>
    <SupportedGrantTypes>
        <GrantType>password</GrantType>
    </SupportedGrantTypes>
    <GrantType>request.queryparam.grant_type</GrantType>
    <GenerateResponse/>
</OAuthV2>

@RK4, I had already tried this approach but it didn't work. The policy throws an error if username and password are not passed. Not sure whether the video is the latest.

Hi RK4,

In the video the username and password are sent as formparams. As it is mentioned in the document here --> "By default, these parameters must be x-www-form-urlencoded and specified in the request body".

Here "these parameters" are grant_type, username and password.

As I tested, if these values are not set in the OAuth v2.0 policy, by default it accepts the values from formparams. But if these values (username and password) are sent as queryparams etc., they have to be mentioned explicitly in the policy, or else for the password grant_type the OAuth v2.0 policy throws an error.
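As an added example (not a policy from this thread or from the Apigee docs), this is RK4's policy with the end-user credential locations stated explicitly, which is what makes the password grant succeed when the client sends username and password as query parameters instead of form parameters; the policy name and the queryparam variable names are assumptions. The values are still not validated by this policy, so the proxy flow must only reach it after the external authentication described in the question.

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Added example, not from the thread: same policy as above, with the
     username/password locations made explicit. -->
<OAuthV2 name="GenerateAccessTokenPassword">
  <Operation>GenerateAccessToken</Operation>
  <!-- Milliseconds, as on the page: 3600000 ms = 1 hour -->
  <ExpiresIn>3600000</ExpiresIn>
  <SupportedGrantTypes>
    <GrantType>password</GrantType>
  </SupportedGrantTypes>
  <!-- Where Edge reads grant_type; if this element is omitted it falls
       back to the form parameter grant_type. -->
  <GrantType>request.queryparam.grant_type</GrantType>
  <!-- Without these two elements Edge looks only at the form parameters
       username and password and rejects the password grant when they
       are absent. Assumed variable names; nothing here validates them,
       the external authentication step already did. -->
  <UserName>request.queryparam.username</UserName>
  <PassWord>request.queryparam.password</PassWord>
  <GenerateResponse/>
</OAuthV2>
```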

Yes @GargiTalukdar. I noticed that... Thanks for pointing it out.