"error": "auth_unverified_oath",

Hi guys, I'm new to Apigee and trying to add OAuth v2.0 to one of my proxies. I saw the foundation videos, chapter 6, and followed all the steps.

I've been trying the client_credentials grant type. I got the "access_token" and now I have added OAuth v2.0 to my proxy with <Operation>VerifyAccessToken</Operation>.

In the API Console I gave the header parameter as Authorization and the value as Bearer <access_token>, and with Get Resource when I click Send.... I'm getting this error...

HTTP/1.1 401 Unauthorized
Date:Tue, 31 Mar 2015 15:28:50 GMT
Access-Control-Allow-Origin:*
Content-Length:202
Connection:keep-alive
Content-Type:application/json
Server:Apache-Coyote/1.1
{
  "error": "auth_unverified_oath",
  "timestamp": 1427815730356,
  "duration": 0,
  "exception": "org.apache.usergrid.rest.exceptions.SecurityException",
  "error_description": "Unable to authenticate OAuth credentials"
}

Where did I go wrong???


I would check to make sure the product that you created has the API resource for the resource you were trying to access included. I would also make sure that you removed any extra tags from the oauth2 policy that are un-needed for verification of an access-token.

Yeah, I went through my proxy, resources and OAuth2 policy; everything is in the right place. What else can cause this error??

At this point I feel like it has something to do with your product or a missing character when you pasted your access_token into your header. To rule out an issue with the product you can add a /** to the resources section. I would then double check that your access token matches exactly what was returned for the generate access token call; it is case-sensitive. These are the most common issues you may run across setting this up.

Well, in the API console in the header's Value box I entered "BearerToken <access_token>". Then when I send it, I get the desired response. So instead of "Bearer", "BearerToken" is working for me.

Anyway thank you for making me go through the things twice 🙂

BTW do you have any idea why BearerToken is working instead of Bearer?

Can you show, in full, your OAuthV2 policy that has the VerifyAccessToken operation?

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="OAuth-v20-1">
    <DisplayName>OAuth v2.0 1</DisplayName>
    <FaultRules/>
    <Properties/>
    <Attributes/>
    <ExternalAuthorization>false</ExternalAuthorization>
    <Operation>VerifyAccessToken</Operation>
    <SupportedGrantTypes/>
    <GenerateResponse enabled="true"/>
    <Tokens/>
</OAuthV2>

Do you need anything else?

Hi @Dino, as I said BearerToken was working for me 7 days ago. Now neither of them works. I tried multiple times with a newly generated access token; still I get the same error which I mentioned in the first post.

Any suggestions about this?

Hi,

Looks like the error ['org.apache.usergrid.rest.exceptions.SecurityException'] indicates it's coming from BaaS. Are you proxying your API BaaS? Probably your backend is returning the error, and probably because your token to the backend is not correct?

Thanks,

Hi @mukundha@apigee.com,

Yeah, I'm using a proxy to GET data from BaaS. But what is a token to the backend? Can you guide me about that? I have no idea about a token to the backend.

Thanks

That's a good catch @mukundha@apigee.com. @Barahalikar Siddharth, you need to either pass a token or client_id/secret while calling BaaS if your app is not a sandbox app.

Check this link for more info http://apigee.com/docs/app-services/content/authenticating-users-and-application-clients.

As a best practice, always do a curl directly to your BaaS resource and see if you can access it before calling from the API proxy.

@Maruti Chand, This is what I'm trying to Get through proxy..

https://api.usergrid.com/siddharth1/sandbox/restaurants

This is a sandbox app right?

One more thing is this whole OAuth thing worked fine two days ago and since yesterday this is giving me a problem.

My question is why is OAuth not working now which used to work before with the same steps applied?

@mukundha@apigee.com and @Maruti Chand

guys, I need one more clarification.... 8 days ago when I got this error ['org.apache.usergrid.rest.exceptions.SecurityException']

I used BearerToken <accesstoken> instead of Bearer <accesstoken> and the error disappeared and I got the requested response.

Why did BearerToken <accesstoken> work?

Adding to @Maruti Chand's comment, there is no auth scheme 'BearerToken', so the service will ignore whatever you send there,

But 'Bearer' is a valid OAuth auth scheme, so when this header is present, the service tries to validate the request and it fails.

In your case it's easier, since you are using sandbox and you don't need any credential for API BaaS. So in your proxy, after the access token is validated, remove the Authorization header before sending to the BaaS.

Thanks

@mukundha@apigee.com

How can I do this?

////So in your proxy after the access token is validated, remove the Authorization header before sending to the Baas////

You can do this using an AssignMessage policy: in the Remove section you can remove the headers. Attach this policy in the request flow.

    <Remove>
        <Headers>
            <Header name="Authorization"/>
        </Headers>
    </Remove>

Thanks,

@Barahalikar Siddharth, a few things:

For sandbox, if you try the API with any Authorization header without the Bearer keyword it will work, but if you pass Bearer, BaaS tries to validate and fails.

BearerToken should work even now, though it is not required. Can you do a direct curl from your command line and check?

curl -v https://api.usergrid.com/siddharth1/sandbox/restaurants -H "Authorization: Bearer AVDS"  # will give you 401

curl -v https://api.usergrid.com/siddharth1/sandbox/restaurants -H "Authorization: BearerToken AVDS"  # will work

Hi @Maruti Chand,

I've a few questions...

curl -v https://api.usergrid.com/siddharth1/sandbox/restaurants -H "Authorization: BearerToken AVDS"

The above command works with/without BearerToken.

Actually my requirement is that my proxy url should be able to hit the BaaS backend and GET the data such as,

curl -v http://siddharth1-test.apigee.net/restaurants -H "Authorization: BearerToken AVDS"

where

Default Proxy Endpoint Base Path - /restaurants

Default Target Endpoint URL - http://api.usergrid.com/siddharth1/sandbox/restaurants

So when I use this command... I get the following error.

HTTP/1.1 401 Unauthorized
Content-Type: application/json
WWW-Authenticate: Bearer realm="null",error='invalid_token",error_description=auth.v2.InvalidAccessToken: Invalid access token"
Content-Length: 101
Connection: keep-alive


fault":{"faultstring":"Invalid access token","detail":{"errorcode":"oauth.v2.IalidAccessToken"}}}* Connection #0 to host siddharth1-test.apigee.net left intact

So my question is, how can I use OAuth with my proxy URL having BaaS as my backend?

To keep things simple and make it easier for you to try things out, the "sandbox" application in BaaS has all authentication disabled. That way, it doesn’t require an access token for application-level calls to the API.

Create an API proxy in Edge with "Backend Service URL" as - http://api.usergrid.com/siddharth1/sandbox/restaurants. To protect this new API proxy, you could use the out of the box OAuthV2 policy with Operation as "VerifyAccessToken". Now generate an Access token using any of the OAuth grant types (Ex. a simple Client credentials flow is described here). Once you have the access token, call the protected API proxy by passing the Access Token as part of the Auth header. Ex - "Authorization Bearer <ACCESS_TOKEN>". Please check out our documentation site with detailed steps here.

curl: (6) Could not resolve host: \
{"fault":{"faultstring":"Invalid access token","detail":{"errorcode":"oauth.v2.InvalidAccessToken"}}}

Hi @sudheendra1, I followed all the steps, but I'm still getting this error.

I've even created a new account and tried it. Still same error.

This OAuth used to work for me a few weeks back; now it is not working even after applying the same steps.

Can you please share your proxies?

I have attached the GenerateToken and VerifyAccessToken proxies; have a look..

no-target-rev1-2015-04-15.zip

cats-oauth-rev1-2015-04-15.zip

Thanks! These proxies helped me solve the problem.

All you need to do is to remove the "Authorization" header in your "323-cats-oauth-rev1-2015-04-15" proxy before calling BaaS (i.e. after the Verify Token policy). Otherwise BaaS tries to validate the token and eventually fails, as it was generated by Edge. Remember BaaS also provides an OAuth way of generating/verifying tokens.

You can remove the "Authorization" header using an "AssignMessage" policy as below -

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AssignMessage async="false" continueOnError="false" enabled="true" name="Assign-Message-1">
    <DisplayName>Assign Message 1</DisplayName>
    <FaultRules/>
    <Properties/>
    <Remove>
        <Headers>
            <Header name="Authorization"></Header>
        </Headers>
    </Remove>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
    <AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>

I have also attached the updated proxy here.. 323-cats-oauth-rev1-2015-04-15-rev2-2015-04-15.zip

After you generate the Access Token, call this API proxy with "Authorization Bearer <ACCESS_TOKEN>" header.
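As an added illustration (not Apigee or Usergrid code) of why a Bearer token that passes VerifyAccessToken is then rejected by the BaaS sandbox, and why removing the header after verification fixes the flow, this Python model runs both the direct curl checks from earlier in the thread and the proxied call; the token sets and the backend's scheme handling are constructed assumptions based on the posts above.

```python
# Constructed token sets: Edge and BaaS are separate issuers in this model.
EDGE_TOKENS = {"edge-token-123"}
BAAS_TOKENS = {"baas-token-abc"}


def parse_authorization(header):
    """Split an Authorization value into (scheme, credentials); (None, None) if absent."""
    if not header:
        return None, None
    scheme, _, creds = header.strip().partition(" ")
    return scheme.lower(), creds.strip()


def baas_sandbox(headers):
    """Sandbox app (assumed behaviour, per the thread): no credentials required,
    an unknown scheme such as 'BearerToken' is ignored, but a Bearer value is
    still checked against the BaaS issuer, so an Edge-issued token is rejected."""
    scheme, creds = parse_authorization(headers.get("Authorization"))
    if scheme == "bearer" and creds not in BAAS_TOKENS:
        return 401, "auth_unverified_oath"
    return 200, "restaurants"


def edge_proxy(headers, strip_authorization):
    """VerifyAccessToken against Edge's store, then forward to the target.
    strip_authorization models the AssignMessage <Remove> step."""
    scheme, creds = parse_authorization(headers.get("Authorization"))
    if scheme != "bearer" or creds not in EDGE_TOKENS:
        return 401, "oauth.v2.InvalidAccessToken"
    forwarded = dict(headers)
    if strip_authorization:
        forwarded.pop("Authorization", None)  # never hand Edge's token to BaaS
    return baas_sandbox(forwarded)


def direct_to_baas(auth_value=None):
    """The curl checks from the thread, sent straight to the sandbox."""
    headers = {"Authorization": auth_value} if auth_value else {}
    return baas_sandbox(headers)


def via_edge(auth_value, strip_authorization):
    """The proxied call with an Edge token, with or without the header removed."""
    return edge_proxy({"Authorization": auth_value}, strip_authorization)


if __name__ == "__main__":
    print(direct_to_baas("Bearer AVDS"), direct_to_baas("BearerToken AVDS"))
    print(via_edge("Bearer edge-token-123", False), via_edge("Bearer edge-token-123", True))
```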

Would it be possible to update the Foundation Training module Connecting Edge to BaaS with this information, as the example won't work without this policy applied to the BaaS collection target's PreFlow?

Whoa!!...finally it is working.

The same solution was given by @mukundha@apigee.com but I somehow couldn't do it.

@sudheendra1 Thank you for providing the updated proxy.

Hi @sudheendra1, a simple question.... now that OAuth is working for me, how can I make it work for a webpage?

I have a webpage where I GET and display the data from the sandbox (BaaS). So when I added OAuth to my proxy, my webpage doesn't get data because of the OAuth conflict.

So what do I have to do? Every time, should I go to the APIGEE console and enter the access token, and only then does the webpage get the data?

What do you want to accomplish?

Ideally you do everything programmatically, i.e. obtaining the access token, calling subsequent APIs with the access token, etc. You could use your preferred programming language to implement this.