Hi guys, I'm new to apigee and trying to add an OAuth v2.0 to one of my proxy. I saw the foundation videos chapter 6 and followed all the steps.
I've been trying for client_credentials grant type. I got the "access_token" and now I added Oauth v2.0 to my proxy with <Operation>VerifyAccessToken</Operation>.
In API Console I gave header parameter as Authorization and value as Bearer <access_token> and with Get Resource when I click Send....I'm getting error as...
HTTP/1.1 401 Unauthorized Date:Tue, 31 Mar 2015 15:28:50 GMT Access-Control-Allow-Origin:* Content-Length:202 Connection:keep-alive Content-Type:application/json Server:Apache-Coyote/1.1 { "error": "auth_unverified_oath", "timestamp": 1427815730356, "duration": 0, "exception": "org.apache.usergrid.rest.exceptions.SecurityException", "error_description": "Unable to authenticate OAuth credentials" }
Where did I go wrongs???
Answer by sudheendras
·
Apr 15, 2015 at 07:44 AM
Thanks! These proxies helped me solve the problem.
All you need to do is to remove the "Authorization" header in your "323-cats-oauth-rev1-2015-04-15" proxy before calling BaaS (i.e. after Verify Token policy). Otherwise BaaS tries to validate the token and eventually fails as it was generated by Edge. Remember BaaS also provides OAuth way of generating/verifying tokens.
You can remove the "Authorization" header using "AssignMessage" policy as below -
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <AssignMessage async="false" continueOnError="false" enabled="true" name="Assign-Message-1"> <DisplayName>Assign Message 1</DisplayName> <FaultRules/> <Properties/> <Remove> <Headers> <Header name="Authorization"></Header> </Headers> </Remove> <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables> <AssignTo createNew="false" transport="http" type="request"/> </AssignMessage>
I have also attached the updated proxy here.. 323-cats-oauth-rev1-2015-04-15-rev2-2015-04-15.zip
After you generate the Access Token, call this API proxy with "Authorization Bearer <ACCESS_TOKEN>" header.
Would it be possible to update the Foundation Training module Connecting Edge to BaaS with this information as the example won't work without this policy applied to the BaaS collection target's PreFlow.
Answer by sudheendras
·
Apr 14, 2015 at 01:56 PM
To keep things simple and make it easier for you to try things out, the "sandbox" application in BaaS has all authentication disabled. That way, it doesn’t require an access token for application-level calls to the API.
Create an API proxy in Edge with "Backend Service URL" as - http://api.usergrid.com/siddharth1/sandbox/restaurants. To protect this new API proxy, you could use the out of the box OAuthV2 policy with Operation as "VerifyAccessToken". Now generate an Access token using any of the OAuth grant types (Ex. a simple Client credentials flow is described here). Once you have the access token, call the protected API proxy by passing the Access Token as part of the Auth header. Ex - "Authorization Bearer <ACCESS_TOKEN>". Please check out our documentation site with detailed steps here.
Answer by Siddharth Barahalikar
·
Apr 09, 2015 at 04:30 AM
Hi @Dino as I said BearerToken was working for me 7days ago. Now neither of them work. I tried multiple times with newly generated accesstoken, still I get the same error which I mentioned in the first post.
Any suggestions about this?
Hi,
Looks like the error ['org.apache.usergrid.rest.exceptions.SecurityException'] indicates its coming form Baas, are you proxying your API Baas? Probably your backend is returning error, and probably because your token to backend is not correct?
Thanks,
Yeah I'm using a proxy to Get data from BaaS. But what is a token to backend? Can you guide me about that, I have no idea about a token to backend.
Thanks
Answer by Siddharth Barahalikar
·
Apr 10, 2015 at 05:21 AM
@mukundha@apigee.com and @Maruti Chand
guys I need one more clarification....8days ago when I got this error ['org.apache.usergrid.rest.exceptions.SecurityException']
I used BearerToken <accesstoken> instead of Bearer <accesstoken> and the error disappeared and I got the requested response.
Why did BearerToken <accesstoken> worked?
adding to @Maruti Chand's comment, There is no auth scheme as 'BearerToken', so the service will ignore whatever you send there,
But 'Bearer' is a valid Oauth auth scheme, so when this header is present, the service tries to validate the request and it fails.
In your case its easier, since you are using sandbox and you don need any credential to API Baas. So in your proxy after the access token is validated, remove the Authorization header before sending to the Baas
Thanks
How can I do this?
////So in your proxy after the access token is validated, remove the Authorization header before sending to the Baas////
you can do this using AssignMessage policy - In Remove section you could remove the headers. Attach this policy in the request flow
<Remove> <Headers> <Header name="Authorization"/> </Headers> </Remove>
Thanks,
Answer by Siddharth Barahalikar
·
Apr 14, 2015 at 09:33 AM
Hi @Maruti Chand,
I've few questions...
curl -v https://api.usergrid.com/siddharth1/sandbox/restaurants -H "Authorization: BearerToken AVDS"
The above code works with/without BearerToken,
Actually my requirement is that my proxy url should be able to hit the BaaS backend and GET the data such as,
curl -v http://siddharth1-test.apigee.net/restaurants -H "Authorization: BearerToken AVDS"
where
Default Proxy Endpoint Base Path - /restaurants
Default Target Endpoint URL - http://api.usergrid.com/siddharth1/sandbox/restaurants
So when I use this cmd...I get the following error.
HTTP/1.1 401 Unauthorized Content-Type: application/json WWW-Authenticate: Bearer realm="null",error='invalid_token",error_description=auth.v2.InvalidAccessToken: Invalid access token" Content-Length: 101 Connection: keep-alive fault":{"faultstring":"Invalid access token","detail":{"errorcode":"oauth.v2.IalidAccessToken"}}}* Connection #0 to host siddharth1-test.apigee.net left intact
So my question is, how can I use OAuth with my Proxy URL having BaaS as my backend.
Answer by Siddharth Barahalikar
·
Apr 14, 2015 at 04:46 PM
curl: (6) Could not resolve host: \ {"fault":{"faultstring":"Invalid access token","detail":{"errorcode":"oauth.v2.I nvalidAccessToken"}}}
Hi @sudheendra1, I followed all the steps, but I'm stilling getting this error.
I've even created a new account and tried it. Still same error.
This OAuth used to work for me few weeks back,now it is not working even after applying the same steps.
Answer by Siddharth Barahalikar
·
Apr 15, 2015 at 06:00 AM
I have attached GenerateToken and VerifyAccessToken proxies have a look..
Answer by Siddharth Barahalikar
·
Apr 15, 2015 at 08:25 AM
Whoa!!...finally it is working.
The same solution was given by @mukundha@apigee.com but I somehow couldn't do it.
@sudheendra1 Thank you for providing the updated proxy.
Answer by Siddharth Barahalikar
·
Apr 17, 2015 at 08:46 AM
Hi @sudheendra1, a simple question....now that OAuth is working for me how can I make it work for a webpage?
I have a webpage where I GET and display the data from sandbox(BaaS). So when I added a OAuth in my proxy, my webpage doesn't get data because of OAuth conflict.
So what I have to do? Every time should I go to APIGEE console and enter access token and only then does the webpage get the data?
What do you want to accomplish?
Ideally you do everything programmatically i.e obtaining access token, calling subsequent APIs with access token etc. You could use your preferred programming language to implement this.
Update AccessTokenPrefix Not Working 1 Answer
How do I validate access token was issued to the client 4 Answers
OAUTH Generate token & Flow Hook 1 Answer
Accessing scopes from Javascript 2 Answers