Apigee doesn't seem to support the OAuth 2 specification, is there a reason why?

This question was originally asked in Stack Overflow here. The text of the question and a summary of the answer are below.

We're making requests for bearer tokens using client_credentials OAuth 2 grant flow with Apigee. According to the spec:

4.4.2.  Access Token Request

   The client makes a request to the token endpoint by adding the
   following parameters using the "application/x-www-form-urlencoded"
   format per Appendix B with a character encoding of UTF-8 in the HTTP
   request entity-body:

   grant_type
         REQUIRED.  Value MUST be set to "client_credentials".

If we make a call however we get an error like this:

{"ErrorCode" : "invalid_request", "Error" :"Required param : grant_type"}

It seems that using Apigee we have to send grant_type as a query parameter.

Why is this? We have clients of Apigee that are unable to use OAuth libraries in their language of choice because of the way that Apigee deals with OAuth 2, and it would be good to know if this is by design or not.

In addition, it doesn't seem like it supports grant_type in the POST body and sending the id and key using basic auth.

1 ACCEPTED SOLUTION

Turns out you do not need to send in grant_type as a query parameter. There is a <GrantType> element in your GenerateAccessToken policy that takes in a variable. For instance, I can use the following:

<OAuthV2 name="GenerateAccessToken">
  <DisplayName>GenerateAccessToken</DisplayName>
  <FaultRules/>
  <Properties/>
  <!-- This policy generates an OAuth 2.0 access token using the password grant type -->
  <Operation>GenerateAccessToken</Operation>
  <!-- This is in milliseconds -->
  <ExpiresIn>1800000</ExpiresIn>
  <Attributes/>
  <SupportedGrantTypes>
    <GrantType>password</GrantType>
  </SupportedGrantTypes>
  <GenerateResponse enabled="false">
   <Format>FORM_PARAM</Format>
  </GenerateResponse>
  <!-- The variable named here is read at runtime; it can come from a header, query param, form param, or a fixed value -->
  <GrantType>user.grant_type</GrantType>
  <UserName>request.header.username</UserName>
  <PassWord>request.header.password</PassWord>
</OAuthV2>

In this example, the grant_type is passed in as user.grant_type. But user.grant_type can be anything: a header, a query param, a form param, or even a hard-coded value. This way, you (the developer) have maximum flexibility in how you want to send in the grant_type.

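As an added example (not from the thread, and not Apigee's own sample), the same policy adapted to the client_credentials flow the question is about, reading grant_type from the POSTed form body as RFC 6749 section 4.4.2 requires. It assumes the Apigee flow variable request.formparam.grant_type for a form parameter of that name, and that with no <ClientId>/<ClientSecret> elements the policy takes the client credentials from the HTTP Basic Authorization header.

```xml
<!-- Added example: GenerateAccessToken for the client_credentials grant,
     with grant_type taken from the application/x-www-form-urlencoded body
     instead of a query parameter, so a standard OAuth client library
     works unchanged. -->
<OAuthV2 name="GenerateClientCredentialsToken">
  <DisplayName>GenerateClientCredentialsToken</DisplayName>
  <Operation>GenerateAccessToken</Operation>
  <!-- Milliseconds: 30 minutes, the same lifetime as the answer's policy -->
  <ExpiresIn>1800000</ExpiresIn>
  <!-- Only this grant is accepted; a request naming any other grant_type
       is rejected by the policy -->
  <SupportedGrantTypes>
    <GrantType>client_credentials</GrantType>
  </SupportedGrantTypes>
  <!-- Assumed flow variable: the grant_type form parameter of the request
       (RFC 6749 4.4.2), not request.queryparam.grant_type -->
  <GrantType>request.formparam.grant_type</GrantType>
  <!-- No <ClientId>/<ClientSecret> here: the policy is assumed to read the
       client id and secret from the Basic Authorization header
       (RFC 6749 2.3.1), so the secret never appears in a URL or access log -->
  <GenerateResponse enabled="true"/>
</OAuthV2>
```

With this policy a client posts grant_type=client_credentials in the body and its id and secret in the Authorization header; a request that still sends grant_type only as a query parameter fails with the "Required param : grant_type" error quoted in the question.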