How can I pass the User Name attribute to the Resource Server API through the ApiGee getway proxy?


@nir tzur ,

Welcome to Apigee Community 🙂

API Proxy provides all the flexibility to send additional data to your target API without changing server side code. Can you please provide more details regarding your query ? What do you mean by username ? Do you mean end application user name ? App Developer User Name ? What do you mean by Resource Server API ? Is your backend API ? Need more details to better understand your query.

We configured the following workflow: OAuth auth-code flow (3-legged OAuth).

After the user authenticates on our login page, we send UserName as an attribute on the GenerateAuthorizationCode operation.

Later on, we want to get this UserName when the developer calls our resources.

We didn't find a good reference on how to configure this.

Thanks!

P.S.

The GenerateAuthorizationCode XML:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="Gen-Code">
    <DisplayName>Gen Code</DisplayName>
    <FaultRules/>
    <Properties/>
    <Operation>GenerateAuthorizationCode</Operation>
    <ExpiresIn>600000</ExpiresIn>
    <GenerateResponse enabled="true">code</GenerateResponse>
    <Attributes>
        <Attribute name="UserName" ref="request.queryparam.UserName">No Name</Attribute>
    </Attributes>
    <Scope>{request.queryparam.scopes}</Scope>
</OAuthV2>

@nir tzur

See similar question asked here in S.O , Let me answer here too so that it will be helpful for others in future.

Source : Answer by @Mike Malloy in S.O here.

When the authorization code is used to generate an access token and refresh token, the attributes from the authorization code are transferred to the new tokens. When an access token is validated using the VerifyAccessToken operation of the OAuthV2 policy, the attributes are made available as flow variables, and any new access tokens that are generated from the refresh token also have these same attributes.

The GetOAuthV2Info policy can also be used to retrieve attributes associated with an access token.

See http://apigee.com/docs/gateway-services/api/oauth-flow-variables for the details of the flow variables generated in each of these cases.

@nir tzur , Keep us posted if you have any queries.

@nir tzur , I have just verified same, it works as expected. If you would like to play with same , You can use this sample OAuth2Advanced bundle that demonstrates exactly your use case. Create a sample API proxy with OAuth2 verify access token policy & add proxy to "webserver-product". Use generated access token from the app to make API call to sample API proxy to verify the username.


PS: Just summarizing, You don't need to do any changes, the attribute is available in your API flow after verifyAccessToken policy. Hope it helps.

@nir tzur , Use the flow variable to send the same to resource server api by adding username in query param / header param using Assign Message Policy.
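As an added example (not code from Anil's or Nir's posts), a minimal AssignMessage policy that forwards the token attribute to the target, together with the proxy PreFlow order it depends on. The policy name Add-Username-Header and the header name X-Authenticated-User are assumptions; the accesstoken.UserName variable follows the attribute name UserName used in the question's GenerateAuthorizationCode policy.

```xml
<!-- Added example: AssignMessage policy that runs AFTER VerifyAccessToken.
     accesstoken.UserName is populated from the token's custom attribute
     named "UserName" (the name given in the GenerateAuthorizationCode policy). -->
<AssignMessage async="false" continueOnError="false" enabled="true" name="Add-Username-Header">
    <DisplayName>Add Username Header</DisplayName>
    <!-- Fail the request instead of sending an empty header if the attribute is absent -->
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <Set>
        <Headers>
            <!-- Set (not Add) overwrites any same-named header the caller supplied,
                 so the backend only ever sees the value taken from the verified token -->
            <Header name="X-Authenticated-User">{accesstoken.UserName}</Header>
        </Headers>
    </Set>
    <Remove>
        <Headers>
            <!-- The bearer token has already been verified; the backend does not need it -->
            <Header name="Authorization"/>
        </Headers>
    </Remove>
    <AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>

<!-- Proxy endpoint request flow: verify first, then add the header.
     Removing the Authorization header before the verify step would break verification. -->
<PreFlow name="PreFlow">
    <Request>
        <Step>
            <Name>verify-oauth-v2-access-token</Name>
        </Step>
        <Step>
            <Name>Add-Username-Header</Name>
        </Step>
    </Request>
    <Response/>
</PreFlow>
```

The backend should trust X-Authenticated-User only on requests that arrive through the gateway, since anything reaching it directly could set the header itself.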

Hi Anil,

Thanks for the quick answer,

It does not work for me,

Can you share with me your VerifyAccessToken XML,

Maybe I missed some attributes there?

Thanks,

Nir

p.s.

My VerifyAccessToken is:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="verify-oauth-v2-access-token">
    <DisplayName>Verify OAuth v2.0 Access Token</DisplayName>
    <Operation>VerifyAccessToken</Operation>
</OAuthV2>

@nir tzur ,

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="verify-oauth-v2-access-token">
    <DisplayName>Verify OAuth v2.0 Access Token</DisplayName>
    <Operation>VerifyAccessToken</Operation>
</OAuthV2>

Did you verify using Apigee Trace ? What does trace say ? Is call successful ? Did you add API Proxy to same API Product as OAuth ? If you are on cloud, PM me your org name using Ask An Expert button on right side bar, I can check same.

My Generate Auth Code,

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="GenerateAuthorizationCode">
    <DisplayName>GenerateAuthorizationCode</DisplayName>
    <FaultRules/>
    <Properties/>
    <ClientId>request.queryparam.client_id</ClientId>
    <Attributes>
        <Attribute display="true" name="username" ref="request.queryparam.username">NA</Attribute>
    </Attributes>
    <ExternalAuthorization>false</ExternalAuthorization>
    <Operation>GenerateAuthorizationCode</Operation>
    <RedirectUri>request.queryparam.redirect_uri</RedirectUri>
    <GenerateResponse enabled="true">
        <Format>FORM_PARAM</Format>
    </GenerateResponse>
    <ResponseType>request.queryparam.response_type</ResponseType>
    <ReuseRefreshToken>false</ReuseRefreshToken>
    <Scope>request.queryparam.scope</Scope>
    <SupportedGrantTypes/>
    <Tokens/>
</OAuthV2>

Hi Anil,

We did the following workflow:

1. GetAuthenticationCode

2. GetAccessToken

Now, we try to use the access token and approach one of our resource, and we get "Invalid Access Token".

So, it fails even before getting the chance to inquire the userID.

We are sending the token we receive in the custom token option in the authentication in your console.

Any idea?

Thanks!

Attached PS of this issue,

Nir


@nir tzur , Seems like there are multiple issues with the API Proxy you have created.

  • Conditional Flow, Condition checking should be single equal to "=" i have found you have used multiple "==", See reference docs here.
  • You can actually create multiple API Proxies, I see all APIs has been implemented in single API Proxy. It increases complexity.
  • Client Id is missing in "OAuth Generate Authorization Code"
  • Generate Response is missing in "OAuth Generate Authorization Code"
  • Redirect URI Is missing
  • Callback URL is wrong in Developer App, Ebay.com is used !!
  • Invalid verify access token policy
  • In Proxy End Points, Authorization header is removed before verifyAccessToken !!! Authorization header is required to verify access token, Basically you pass access token in Authorization header !!
  • Scope reference should be without curly brackets.
<Scope>request.queryparam.scope</Scope>

Let me see how i can improve your proxy to make it better.

Hi Anil,

We removed the '==', still no luck, we still get 'Invalid Access Token' error message,

1. Should we put the AccessToken on the 'Custom token' Authentication on the Console?

2. Do we need to pass also the client ID etc. or only Access token is needed?

3. Do we need to pass any other params beside the access token (You have our basic VerifyAccessToken)

Thanks!

Nir

@nir tzur , There are multiple issues found, please check my comment above. I am working on your proxy. Stay tuned..

@nir tzur , Multiple issues found in your API Proxies , Please see list of issues ,

  • Conditional Flow, Condition checking should be single equal to "=" i have found you have used multiple "==", See reference docs here.
  • You can actually create multiple API Proxies, I see all APIs has been implemented in single API Proxy. It increases complexity.
  • Client Id is missing in "OAuth Generate Authorization Code"
  • Generate Response is missing in "OAuth Generate Authorization Code"
  • Redirect URI Is missing
  • Callback URL is wrong in Developer App, Ebay.com is used !!
  • Invalid verify access token policy
  • In Proxy End Points, Authorization header is removed before verifyAccessToken !!! Authorization header is required to verify access token, Basically you pass access token in Authorization header !!
  • Scope reference should be without curly brackets.
<Scope>request.queryparam.scope</Scope>

I have fixed your issues, I have tested using API calls , I am able to make a successful call with token & also see my custom attribute userid.


Please refer our docs for OAuth Implementation. See an example end to end OAuth2 implementation app here.

@nir tzur , Just FYI, If you are evaluating Apigee, I strongly suggest to contact our sales team who can help you technically.

Hi Anil,

Thanks for your efforts,

Also, I noticed your changes,

However, it still does not work,

Any other suggestion?

Was it working for you?

Thanks,

Nir

@nir tzur , Yes, It works for me.

What do you mean "It still does not work " ? What have you tried ? At which point it failed for you ? Generate Auth Code ? Generate Access Token ? Verify Access Token ? What is the API call you are making ? Is your APP making right calls to Apigee Edge ? Did you check our docs ? Did you check sample App ?

Hi Anil

I am Maor and I work with Nir.t

We failed in "Verify Access Token" and get "Invalid access token" error message.

Is our "Verify Access Token" configuration correct? (Maybe the post request in your trace is incorrect)

Thanks

@Maor Akav , Your policy is correct. I have verified the flow. Access Token you are sending might be wrong. That's the reason you see invalid access token.

How did you generate access token ? Let me show you the flow, Check your inbox for meeting invite.

How did you send access token ? You need to send header ,

Authorization : Bearer {ACCESSTOKEN}

For Example, Authorization : Bearer pLaCJ4VZu5jAItg3ELLKhtgAVzNg

CURL call that works for me,

curl -X GET -H "Authorization: Bearer pLaCJ4VZu5jAItg3ELLKhtgAVzNg" -H "Cache-Control: no-cache" -H "Postman-Token: 416a1c72-eac9-3a34-8b0f-1f9ef415f2ee" "http://maora-test.apigee.net"

Thanks Anil for your answers,

It is working now!!

:)))

Another quick question for you:

Can another APIGee account put my domain as the target domain?

I am asking because my web service trusts APIGee security (OAuth workflow), and I am planning to open my service only for APIGee, but there might be a glitch: if a fraud user opens an account on APIGee and puts my WebService there, in this case he will be able to penetrate my WCF,

Thanks,

Maor

Awesome, Glad to know @Maor Akav . Great to see lots of smileys 🙂

Regarding , Can another Apigee account put my domain as the target domain?

You can restrict only one particular account of Apigee can talk to your backend by implementing last-mile security using client TLS/SSL, which is also known as 'mutual authentication'. All our paid customers implement same to secure their target servers & API calls can be made only from configured Apigee Paid Account. Learn more about same here. It's available only for paid accounts.

If your original query above is resolved, Please click on Accept link below answer so that it will be helpful for others.

If you have any queries moving forward, feel free to post new questions anytime & any number 🙂
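As an added example, not from the thread, the TargetEndpoint SSLInfo settings that turn on the last-mile mutual TLS described above; the backend URL, keystore and truststore references, and key alias are placeholders.

```xml
<!-- Added example: TargetEndpoint with two-way (mutual) TLS to the backend.
     The backend validates the client certificate presented from the keystore, so
     only this Apigee organisation, not any other account that points a proxy at the
     same domain, is accepted. Hostname, keystore and truststore names are placeholders. -->
<TargetEndpoint name="default">
    <HTTPTargetConnection>
        <URL>https://backend.example.com/service</URL>
        <SSLInfo>
            <Enabled>true</Enabled>
            <!-- Present a client certificate to the backend -->
            <ClientAuthEnabled>true</ClientAuthEnabled>
            <KeyStore>ref://example-keystore-ref</KeyStore>
            <KeyAlias>example-client-cert</KeyAlias>
            <!-- Verify the backend's certificate against a pinned trust store -->
            <TrustStore>ref://example-truststore-ref</TrustStore>
            <!-- Never skip certificate validation errors on the backend connection -->
            <IgnoreValidationErrors>false</IgnoreValidationErrors>
        </SSLInfo>
    </HTTPTargetConnection>
</TargetEndpoint>
```

The gateway side alone is not enough: the backend must be configured to require a client certificate and to accept only the certificate (or issuing CA) that this keystore holds.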