is there a verify refresh token policy?

ccovney
Participant V

In the Edge OAuthV2 policies, I notice there is a verify access token policy; however, there does not seem to be a verify refresh token policy.

I did try to use the verify token policy with the <RefreshToken> element; however, this did not seem to work. Here is the policy code I used for this:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="true" enabled="true" name="verify-refreshtoken">
    <DisplayName>verify-refreshtoken</DisplayName>
    <FaultRules/>
    <Properties/>
    <Attributes/>
    <ExternalAuthorization>false</ExternalAuthorization>
    <Operation>VerifyAccessToken</Operation>
    <SupportedGrantTypes/>
    <RefreshToken>oauth.refresh_token</RefreshToken>
    <GenerateResponse enabled="true"/>
    <Tokens/>
</OAuthV2>

Does anyone know how to verify a refresh token using the OAuthV2 policies (or any way other than the management server API calls)?

I would be very much obliged for any insight!

-chris

Solved
2 ACCEPTED SOLUTIONS

akoo
Participant V

Hi Chris,

The purpose of a refresh token is to get a new access token (and optionally a new refresh token). This is why there is no verification-only process on refresh tokens themselves, only on access tokens.

You can use refresh tokens to generate access tokens as follows. In this process, the refresh token is validated, but the end result is the minting of a new access token:

<OAuthV2 enabled="true" continueOnError="false" async="false" name="GenerateRefreshToken">
    <FaultRules/>
    <Properties/>
    <Operation>RefreshAccessToken</Operation>
    <!-- GrantType names the flow variable that carries grant_type; a bare "grant_type" resolves to nothing.
         request.formparam.grant_type is also the default when the element is omitted. -->
    <GrantType>request.formparam.grant_type</GrantType>
    <DisplayName>Generate Access Token Refresh Token Grant</DisplayName>
    <!-- enabled="false": the policy only sets the oauthv2accesstoken.* flow variables and the flow continues,
         so a later policy (e.g. AssignMessage) must build the response. Use enabled="true" to return the token directly. -->
    <GenerateResponse enabled="false">
        <Format>FORM_PARAM</Format>
    </GenerateResponse>
</OAuthV2>


Well, there is no verify refresh token policy. If your refresh token is not valid, you won't be able to use it to get an access token.

The policy snippet you have is not correct; 'SupportedGrantTypes' is used when generating an access token.

For example, to get an access token from a refresh token, you could use this policy:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="OAuth-v20-1">
    <DisplayName>OAuth v2.0 1</DisplayName>
    <FaultRules/>
    <Properties/>
    <Attributes/>
    <ExternalAuthorization>false</ExternalAuthorization>
    <Operation>RefreshAccessToken</Operation>
    <GenerateResponse enabled="true"/>
</OAuthV2>

This would fail if the refresh token is not valid. Hope this helps.

Thanks,


5 REPLIES

Not applicable

Chris,

What you're looking for is an operation on the OAuthV2 policy. See the example below:

<OAuthV2 name="RefreshAccessToken">
    <Operation>RefreshAccessToken</Operation>
    <!-- This is in milliseconds, so expire in half an hour -->
    <ExpiresIn>1800000</ExpiresIn>
    <GrantType>request.queryparam.grant_type</GrantType> 
    <GenerateResponse/>
</OAuthV2>

There is also a RefreshToken tag that lets you define where the refresh token comes in on the request:

<RefreshToken>request.queryparam.refreshtoken</RefreshToken>


Hi Chris, sorry you're having trouble. Have you checked out this topic: http://apigee.com/docs/api-services/content/asking-tokens? It explains in detail how to request a new access token using a refresh token, including how to configure your OAuthV2 policy, the REST call, etc. Let me know if that helps.

You could validate a Refresh Token using GetOAuthV2Info.

https://docs.apigee.com/api-platform/reference/policies/get-oauth-v2-info-policy

<GetOAuthV2Info name="OA-VerifyRefreshToken">
    <RefreshToken ref="request.queryparam.refresh_token"/>
</GetOAuthV2Info>
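Added example, not code from the thread or from Apigee's docs: one proxy endpoint that wires together the two approaches discussed above, the RefreshAccessToken flow from the accepted answers (which validates the refresh token only as a side effect of minting a new access token) and the read-only GetOAuthV2Info check from the last reply. The base path, path suffixes, flow names and policy names are my assumptions; the flow variable and fault names follow the oauthv2refreshtoken.{policy_name}.* and fault.name conventions documented for GetOAuthV2Info, as I recall them. The distinction matters operationally: with ReuseRefreshToken at its default of false, a successful refresh replaces the presented refresh token, so "verifying" by refreshing consumes the token, while GetOAuthV2Info mints and rotates nothing.

```xml
<!-- apiproxy/proxies/default.xml (assumed layout) -->
<ProxyEndpoint name="default">
  <HTTPProxyConnection>
    <BasePath>/oauth</BasePath>
  </HTTPProxyConnection>
  <Flows>
    <!-- POST /oauth/token with grant_type=refresh_token: the real refresh.
         The refresh token is checked, but the result is a new access token
         and (ReuseRefreshToken=false) a new refresh token; the old one is gone. -->
    <Flow name="RefreshAccessToken">
      <Condition>(proxy.pathsuffix MatchesPath "/token") and (request.verb = "POST") and (request.formparam.grant_type = "refresh_token")</Condition>
      <Request>
        <Step><Name>OA-RefreshAccessToken</Name></Step>
      </Request>
    </Flow>
    <!-- POST /oauth/refresh-token/status: read-only lookup, nothing is minted or rotated. -->
    <Flow name="CheckRefreshToken">
      <Condition>(proxy.pathsuffix MatchesPath "/refresh-token/status") and (request.verb = "POST")</Condition>
      <Request>
        <Step><Name>OA-VerifyRefreshToken</Name></Step>
        <!-- token exists but is not approved (e.g. revoked): fail closed -->
        <Step>
          <Condition>oauthv2refreshtoken.OA-VerifyRefreshToken.refresh_token_status != "approved"</Condition>
          <Name>RF-RefreshTokenNotApproved</Name>
        </Step>
      </Request>
    </Flow>
  </Flows>
  <FaultRules>
    <!-- GetOAuthV2Info raises a fault for unknown or expired refresh tokens (assumed fault names); answer 401 either way -->
    <FaultRule name="RefreshTokenRejected">
      <Condition>(fault.name = "invalid_refresh_token") or (fault.name = "refresh_token_expired")</Condition>
      <Step><Name>AM-RefreshTokenRejected</Name></Step>
    </FaultRule>
  </FaultRules>
  <RouteRule name="NoTarget"/>
</ProxyEndpoint>

<!-- apiproxy/policies/OA-RefreshAccessToken.xml -->
<OAuthV2 name="OA-RefreshAccessToken">
  <Operation>RefreshAccessToken</Operation>
  <ExpiresIn>1800000</ExpiresIn><!-- new access token lifetime, milliseconds -->
  <GrantType>request.formparam.grant_type</GrantType>
  <RefreshToken>request.formparam.refresh_token</RefreshToken>
  <ReuseRefreshToken>false</ReuseRefreshToken><!-- rotate: presented refresh token is invalidated -->
  <GenerateResponse enabled="true"/>
</OAuthV2>

<!-- apiproxy/policies/OA-VerifyRefreshToken.xml -->
<GetOAuthV2Info name="OA-VerifyRefreshToken">
  <!-- form parameter rather than query parameter so the token stays out of URLs and access logs -->
  <RefreshToken ref="request.formparam.refresh_token"/>
</GetOAuthV2Info>

<!-- apiproxy/policies/RF-RefreshTokenNotApproved.xml -->
<RaiseFault name="RF-RefreshTokenNotApproved">
  <FaultResponse>
    <Set>
      <StatusCode>401</StatusCode>
      <ReasonPhrase>Unauthorized</ReasonPhrase>
      <Payload contentType="application/json">{"error":"invalid_grant"}</Payload>
    </Set>
  </FaultResponse>
</RaiseFault>

<!-- apiproxy/policies/AM-RefreshTokenRejected.xml (used from the FaultRule) -->
<AssignMessage name="AM-RefreshTokenRejected">
  <Set>
    <StatusCode>401</StatusCode>
    <ReasonPhrase>Unauthorized</ReasonPhrase>
    <Payload contentType="application/json">{"error":"invalid_grant"}</Payload>
  </Set>
  <AssignTo createNew="false" transport="http" type="response"/>
</AssignMessage>
```

Both error paths (a token the store does not know or has expired, and a token that exists but is not "approved") return the same generic 401 body, so a caller cannot distinguish revoked from never-issued tokens; whether the status endpoint should be exposed to clients at all, rather than kept internal, is a separate design decision, since it lets a holder of a token check it without spending it.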