Verify both Client ID and Client Secret for an API while passing Client ID and Client Secret as the Authorization header


I am building an API where I want to validate the Client ID and Client Secret, which are base64 encoded and passed as the Authorization token in the headers. I tried the OAuth policy below but I am getting an Invalid Client error.

<!-- enclosing OAuthV2 element assumed; the post shows only its child elements -->
<OAuthV2 async="false" continueOnError="false" enabled="true" name="OA-ClientCredentials">
    <DisplayName>OA-ClientCredentials</DisplayName>
    <Operation>GenerateAccessToken</Operation>
    <StoreToken>false</StoreToken>
    <ExpiresIn>01</ExpiresIn>
    <SupportedGrantTypes>
        <GrantType>password</GrantType>
    </SupportedGrantTypes>
    <GenerateResponse enabled="false"/>
    <GenerateErrorResponse enabled="false"/>
</OAuthV2>


@Pranay Aitha,

Please find the steps below to resolve your query.

  • Use the Basic Authentication policy with the "Decode" operation to retrieve the client ID and secret from the Authorization header.
  • Use the Verify API Key policy to verify the client ID.
  • After the above policy executes, the client secret is retrieved based on the client ID and is available as a flow variable. For more reference, check here.
  • Use the flow variable "verifyapikey.{policy_name}.client_secret" and compare it with the secret from step 1 to validate the client secret.
  • Use a step condition to validate the client secret and raise an error using the Raise Fault policy.

It should be simple and quick to do. Keep us posted if you see any issues.
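The policy chain those steps describe, written out as an added example; this is not code from the thread or from Apigee's own documentation. The policy names (BA-DecodeClient, VAK-ClientId, RF-InvalidClient), the flow variables the Basic Authentication policy writes to (client_id, private.client_secret) and the fault payload are assumptions made for this example; verifyapikey.{policy_name}.client_secret is the variable the reply above names, with the policy name filled in.

```xml
<!-- apiproxy/policies/BA-DecodeClient.xml
     Step 1: decode "Authorization: Basic base64(client_id:client_secret)".
     Policy name and target variable names are assumptions for this example. -->
<BasicAuthentication async="false" continueOnError="false" enabled="true" name="BA-DecodeClient">
    <DisplayName>BA-DecodeClient</DisplayName>
    <Operation>Decode</Operation>
    <!-- false: a missing or non-Basic Authorization header raises a fault instead of continuing -->
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <User ref="client_id"/>
    <!-- the "private." prefix keeps the presented secret masked in Trace -->
    <Password ref="private.client_secret"/>
    <Source>request.header.Authorization</Source>
</BasicAuthentication>

<!-- apiproxy/policies/VAK-ClientId.xml
     Step 2: look up the developer app by client ID. On success Apigee populates
     verifyapikey.VAK-ClientId.client_secret with the secret on record; an unknown
     ID raises the policy's own fault, so later steps never see it. -->
<VerifyAPIKey async="false" continueOnError="false" enabled="true" name="VAK-ClientId">
    <DisplayName>VAK-ClientId</DisplayName>
    <APIKey ref="client_id"/>
</VerifyAPIKey>

<!-- apiproxy/policies/RF-InvalidClient.xml
     Step 5: generic 401 that does not say which half of the credential was wrong. -->
<RaiseFault async="false" continueOnError="false" enabled="true" name="RF-InvalidClient">
    <DisplayName>RF-InvalidClient</DisplayName>
    <FaultResponse>
        <Set>
            <Headers>
                <Header name="WWW-Authenticate">Basic realm="api"</Header>
            </Headers>
            <Payload contentType="application/json">{"error":"invalid_client"}</Payload>
            <StatusCode>401</StatusCode>
            <ReasonPhrase>Unauthorized</ReasonPhrase>
        </Set>
    </FaultResponse>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</RaiseFault>

<!-- apiproxy/proxies/default.xml (ProxyEndpoint PreFlow excerpt)
     Steps 3-5: run the policies in order; the Condition compares the presented
     secret with the stored one, and RaiseFault executes only on a mismatch. -->
<PreFlow name="PreFlow">
    <Request>
        <Step><Name>BA-DecodeClient</Name></Step>
        <Step><Name>VAK-ClientId</Name></Step>
        <Step>
            <Name>RF-InvalidClient</Name>
            <Condition>private.client_secret != verifyapikey.VAK-ClientId.client_secret</Condition>
        </Step>
    </Request>
    <Response/>
</PreFlow>
```

The Condition is a plain string comparison of two flow variables, so it only runs after both earlier policies have succeeded: a malformed header stops at the Basic Authentication policy and an unknown client ID stops at Verify API Key, each with its own fault. If you want those two failures to look identical to the caller, add a FaultRule for them that returns the same 401 payload as RF-InvalidClient.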

Hi @Pranay Aitha, you can follow what @Anil Sagar has explained. If you need any other methods or clarification, have a look at this post (similar to your question):

validating-both-client-id-and-secret

adas

@Pranay Aitha, you can refer to a similar post here, which explains how you can do this with the VerifyAPIKey policy.