Invalidate External OAuth Access Token

I'm trying to integrate Google OAuth with Apigee and I have successfully:

  1. Signed in to Google
  2. Grabbed the id_token from Google and passed it as an external access token to Apigee
  3. Accessed a protected resource from Apigee

However, when trying to invalidate the access token upon signing out, Apigee does not completely invalidate the token. It flip-flops between:

  1. Returning the protected resource using an invalidated access token. (Wrong)
  2. Returning an error "access_token_not_approved". (Correct)

Has anyone seen this behaviour before and can shed some light?

Hi @Alvin Leonard,

Welcome to Apigee community.

Could you provide further detail on how Google OAuth and Edge have been integrated? As the token has been issued by Google OAuth, how is Edge becoming aware of this token?

Regards,

Rajesh

Are you verifying the Google access token before serving the resources? You will need to invoke the Google token validation API explicitly to do that. You can use a Service Callout policy for that. Then, based on the result, set oauth_external_authorization_status to true or false.

See the details here :

http://docs.apigee.com/api-services/content/use-third-party-oauth-system#howtousethirdpartyoauthonap...
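The step described in that reply, as an added example that is not part of the original thread or of Apigee's documentation: the JavaScript that runs after the Service Callout to Google's tokeninfo endpoint and decides what oauth_external_authorization_status gets set to. It is written in ES5 so the same file runs inside an Apigee JavaScript policy (Rhino) and under Node. The flow-variable names calloutResponse.content and google.client_id, and the external_auth.reason variable, are assumptions; the tokeninfo field names (iss, aud, sub, exp, email_verified, returned as strings) are Google's.

```javascript
// Added example, not code from the original thread: decides the value of
// oauth_external_authorization_status from a Google tokeninfo response.
// Flow-variable names used in the Apigee branch below are assumptions.

var GOOGLE_ISSUERS = ['accounts.google.com', 'https://accounts.google.com'];

// tokeninfo returns numeric claims as strings ("exp": "1433981953"); accept both forms.
function asNumber(v) {
  var n = (typeof v === 'number') ? v : parseInt(v, 10);
  return isFinite(n) ? n : NaN;
}

// Returns {ok: true} or {ok: false, reason: <short code>}.
// `expected` is {audience: <OAuth client ID the id_token must be issued for>, issuers: [...]};
// `nowSeconds` is passed in so the expiry check is deterministic.
function validateTokenInfo(info, expected, nowSeconds) {
  if (!info || typeof info !== 'object') return { ok: false, reason: 'no_tokeninfo' };
  // A bad or expired token comes back as an error object, not a claim set.
  if (info.error || info.error_description) return { ok: false, reason: 'tokeninfo_error' };
  if (info.aud !== expected.audience) return { ok: false, reason: 'audience_mismatch' };
  if (expected.issuers.indexOf(info.iss) === -1) return { ok: false, reason: 'bad_issuer' };
  if (!(asNumber(info.exp) > nowSeconds)) return { ok: false, reason: 'expired' };
  if (!info.sub) return { ok: false, reason: 'no_subject' };
  // email_verified is also a string here ("true"/"false").
  if (String(info.email_verified) !== 'true') return { ok: false, reason: 'email_unverified' };
  return { ok: true };
}

// Parse the callout body and produce the verdict; fails closed on any parse problem.
function verdictFromCallout(rawBody, clientId, nowSeconds) {
  if (!rawBody) return { ok: false, reason: 'no_tokeninfo' };
  var body;
  try { body = JSON.parse(rawBody); } catch (e) { return { ok: false, reason: 'tokeninfo_unparseable' }; }
  return validateTokenInfo(body, { audience: clientId, issuers: GOOGLE_ISSUERS }, nowSeconds);
}

if (typeof context !== 'undefined') {
  // Apigee JavaScript policy entry point: `context` is supplied by the Edge runtime.
  var verdict = verdictFromCallout(context.getVariable('calloutResponse.content'),  // assumed callout response variable
                                   context.getVariable('google.client_id'),         // assumed variable holding our client ID
                                   Math.floor(Date.now() / 1000));
  // Anything but an explicit pass denies the external token.
  context.setVariable('oauth_external_authorization_status', verdict.ok);
  if (!verdict.ok) context.setVariable('external_auth.reason', verdict.reason);
} else {
  // Stand-alone run under Node with a constructed tokeninfo body (not real data).
  var now = 1700000000;
  var sample = JSON.stringify({ iss: 'accounts.google.com', aud: 'my-client-id.apps.googleusercontent.com',
                                sub: '1234567890', email: 'user@example.com', email_verified: 'true',
                                exp: String(now + 300), iat: String(now - 60) });
  console.log(verdictFromCallout(sample, 'my-client-id.apps.googleusercontent.com', now)); // { ok: true }
  console.log(verdictFromCallout(sample, 'someone-elses-client-id', now));                  // audience_mismatch
}
```

The audience check is the one that matters most: an id_token is a valid Google token for whichever client it was issued to, so without comparing aud to your own client ID any Google-issued id_token would be accepted. Google also documents the tokeninfo endpoint as a debugging aid and recommends validating id_tokens locally (signature, issuer, audience, expiry) in production.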

Yes, I am verifying the Google token by going to

https://www.googleapis.com/oauth2/v3/tokeninfo

The Google OAuth is not an issue. I can reproduce the same problem even if I remove the Google token validation and use some random token to be stored as external access token.

There are 3 policies in play here:

A GenerateAccessToken policy that takes the external OAuth token and stores it.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Token endpoint: take the token Google issued (passed as ?external_access_token=...)
     and store it in Apigee as the access token for the calling client. -->
<OAuthV2 async="false" continueOnError="false" enabled="true" name="OAuth-v20-Store-External-Token">
    <DisplayName>OAuth v2.0 Store External Token</DisplayName>
    <Attributes/>
    <!-- Flow variable holding the externally issued token -->
    <ExternalAccessToken>request.queryparam.external_access_token</ExternalAccessToken>
    <!-- Honour oauth_external_authorization_status, which an earlier policy sets after validating the token -->
    <ExternalAuthorization>true</ExternalAuthorization>
    <Operation>GenerateAccessToken</Operation>
    <GenerateResponse enabled="true"/>
    <!-- Persist the external token so that VerifyAccessToken and InvalidateToken can look it up later -->
    <StoreToken>true</StoreToken>
    <SupportedGrantTypes>
        <GrantType>client_credentials</GrantType>
    </SupportedGrantTypes>
    <Tokens/>
</OAuthV2>

A policy to invalidate the access token.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Sign-out endpoint: revoke the stored token; cascade="true" also revokes the refresh token tied to it -->
<OAuthV2 async="false" continueOnError="false" enabled="true" name="InvalidateOAuthToken">
    <DisplayName>InvalidateOAuthToken</DisplayName>
    <Operation>InvalidateToken</Operation>
    <Tokens>
        <!-- The token to revoke is read from the form parameter "accesstoken" -->
        <Token type="accesstoken" cascade="true">request.formparam.accesstoken</Token>
    </Tokens>
</OAuthV2>

A policy to verify the token

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Protected resource: checks the Bearer token from the Authorization header against the token store
     and raises a fault (for a revoked token, access_token_not_approved) when it is not valid -->
<OAuthV2 async="false" continueOnError="false" enabled="true" name="VerifyOAuthToken">
    <DisplayName>VerifyOAuthToken</DisplayName>
    <Operation>VerifyAccessToken</Operation>
    <GenerateResponse enabled="true"/>
    <Tokens/>
</OAuthV2>

You need to set the variable oauth_external_authorization_status to false if the external token authorization fails.

Are you doing this step?

Yes. I do have code that checks all the details returned by Google before setting the flag to true. If there is a mismatch, it sets the flag to false.

As I mentioned in the comment above, the issue persists even if I completely remove Google OAuth and use a random token.

And the problem is not getting an access token but rather invalidating it. Your questions are all related to generating the access token, which, in my question above, is not the issue.

Try setting <StoreToken> to false. It will not store the generated token.

Setting <StoreToken/> to false will never work because, as documented here:

http://docs.apigee.com/api-services/content/use-third-party-oauth-system#howtousethirdpartyoauthonap...

The reason is that by telling Apigee we are using an external OAuth token, Apigee itself doesn't generate an access token but rather uses the token we pass in and assigns it to the client_id we specify; hence it must be set to true.

I did try it and I can't even access any protected resource. Again, this is still at the "GenerateAccessToken" step, which I don't think is where the issue lies.

Is there a documentation or samples where a token is invalidated?
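A way to answer the closing question by measurement rather than documentation, as an added example that is not part of the original thread: a Node 18+ probe that replays the flow from the question (store the external token, use it, invalidate it, then poll the protected resource) and reports whether the invalidated token is still honoured and whether the responses flip-flop. The proxy paths /token, /protected and /invalidate, the environment variables, and the use of HTTP Basic client credentials on the token and invalidate endpoints are assumptions; the parameter names external_access_token and accesstoken come from the policies posted above, and the error code access_token_not_approved from the question.

```javascript
// Added example, not from the original thread. Replays: store external token ->
// use it -> InvalidateToken -> poll the protected resource N times.
// Paths, environment variables and client-auth style are assumptions.
'use strict';

// Classify one response from the protected resource after invalidation.
// 'honored'  = resource served with a revoked token (the bug)
// 'rejected' = Apigee's access_token_not_approved fault (correct)
function classify(status, body) {
  if (status === 200) return 'honored';
  if (typeof body === 'string' && body.indexOf('access_token_not_approved') !== -1) return 'rejected';
  return 'other';
}

// Summarize the classifications observed after InvalidateToken ran.
// revoked: every call was rejected; flipFlop: a rejection was later followed by a
// success, i.e. the token is dead on some paths through the runtime but not on all.
function summarize(outcomes) {
  var counts = { honored: 0, rejected: 0, other: 0 };
  var seenRejected = false, flipFlop = false;
  outcomes.forEach(function (o) {
    counts[o] += 1;
    if (o === 'rejected') seenRejected = true;
    else if (o === 'honored' && seenRejected) flipFlop = true;
  });
  return { counts: counts,
           revoked: outcomes.length > 0 && counts.rejected === outcomes.length,
           flipFlop: flipFlop };
}

// --- network part; configuration is hypothetical and read from the environment ---
var cfg = {
  base: process.env.APIGEE_BASE,                 // e.g. https://org-env.apigee.net/myproxy (assumed)
  clientId: process.env.CLIENT_ID,
  clientSecret: process.env.CLIENT_SECRET,
  externalToken: process.env.EXTERNAL_TOKEN,     // the Google id_token handed to Apigee
  samples: parseInt(process.env.SAMPLES || '20', 10)
};

function clientAuthHeaders() {
  return {
    Authorization: 'Basic ' + Buffer.from(cfg.clientId + ':' + cfg.clientSecret).toString('base64'),
    'Content-Type': 'application/x-www-form-urlencoded'
  };
}

// Step 1: GenerateAccessToken reads request.queryparam.external_access_token
async function storeExternalToken() {
  var url = cfg.base + '/token?external_access_token=' + encodeURIComponent(cfg.externalToken);
  var res = await fetch(url, { method: 'POST', headers: clientAuthHeaders(), body: 'grant_type=client_credentials' });
  if (!res.ok) throw new Error('token endpoint returned ' + res.status);
  return (await res.json()).access_token;  // the value Apigee stored for this client
}

// Steps 2 and 4: VerifyAccessToken guards the protected resource
async function probeProtected(token) {
  var res = await fetch(cfg.base + '/protected', { headers: { Authorization: 'Bearer ' + token } });
  return classify(res.status, await res.text());
}

// Step 3: InvalidateToken reads request.formparam.accesstoken
async function invalidate(token) {
  var res = await fetch(cfg.base + '/invalidate', { method: 'POST', headers: clientAuthHeaders(),
                                                    body: 'accesstoken=' + encodeURIComponent(token) });
  if (!res.ok) throw new Error('invalidate endpoint returned ' + res.status);
}

async function runProbe() {
  var token = await storeExternalToken();
  if (await probeProtected(token) !== 'honored') throw new Error('token not accepted before invalidation; fix that first');
  await invalidate(token);
  var outcomes = [];
  for (var i = 0; i < cfg.samples; i++) outcomes.push(await probeProtected(token));
  return { outcomes: outcomes, summary: summarize(outcomes) };
}

// Only touch the network when a target is configured.
if (cfg.base) {
  runProbe().then(function (r) { console.log(JSON.stringify(r, null, 2)); },
                  function (e) { console.error(e.message); process.exitCode = 1; });
}
```

Run it as APIGEE_BASE=https://... CLIENT_ID=... CLIENT_SECRET=... EXTERNAL_TOKEN=... node probe.js. A summary with revoked: true means InvalidateToken did its job on every path; flipFlop: true reproduces exactly the behaviour in the question and gives a count you can attach to a support ticket instead of a description.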