I have an OAuth setup with an external identity provider/manager as discussed in the thread "OAuth with external IdP, with Apigee in the role of client application" (https://community.apigee.com/questions/28209/oauth-with-external-idp-with-apigee-in-the-role-of.html), namely:
So far, so good. This all works.
Now the client wants to refresh the token. Here is the flow:
Most of this is working, except for step 4. No matter what I try, the OAuthV2 RefreshAccessToken policy issues the response {"ErrorCode" : "invalid_client", "Error" :"Client identifier is required"}
This happens whether or not I submit the client_id as a form parameter or query parameter, whether or not I use the <ClientId> element in the policy, and whether or not I set the various ExternalAuthorization and external_authorization_status parameters.
I know that the client ID is valid because there is a VerifyAPIKey policy in the flow before the OAuthV2 policy. (I've tried taking that policy out, which also has no effect.)
If I do a trace, I can see the client_id form parameter with the proper value as part of the request body, right next to the grant_type and refresh_token parameters. But Edge just refuses to see it.
What am I doing wrong?
Solved! Go to Solution.
The RefreshAccessToken takes client_id and client_secret as basic auth header.
http://docs.apigee.com/api-services/content/access-tokens#refreshinganaccesstoken
If you want your request to work over a form param, you can have have this basic auth policy to add the Auth header before OAuth policy is executed: http://docs.apigee.com/api-services/reference/basic-authentication-policy
The RefreshAccessToken takes client_id and client_secret as basic auth header.
http://docs.apigee.com/api-services/content/access-tokens#refreshinganaccesstoken
If you want your request to work over a form param, you can have have this basic auth policy to add the Auth header before OAuth policy is executed: http://docs.apigee.com/api-services/reference/basic-authentication-policy
Thanks, that works. It wasn't clear that the policy is so selective, given the flexibility of the other operations.
Should we update the docs to make it clearer? @Floyd Jones maybe you have a perspective?
Hey @Dino and @pblair - I went ahead and made the docs more obvious by adding a bulleted list in bold for client_id and client_secret in the Authentication section of refreshing an access token. Given that other grant types (implicit) and operations (requesting an auth code) require only client_id, I could see guessing that client_id is all that's needed for refresh as well. Just one of those nuances one needs to learn. Hope the bullets help make it more visual.
@Floyd Jones I'm afraid that as matters stand your revision to the documentation is incorrect. If you try adding client_id and client_secret as form parameters they are not accepted and you get {"ErrorCode" : "invalid_client", "Error" :"Client identifier is required"}. Currently the only format accepted is a basic auth header. Is this a bug?
Follow-on question: I'm getting the token back now, but it includes all the attributes I set in the policy, even though I have display="false" on those attributes.
Is there any way I can keep those attributes from being returned in the token response?
I had a similar issue (with Access Token response). I was seeing the user attributes even if display was false. I did not go into further debugging. I ended up with a javascript policy on the response path to strip those parameters off (the ones I do not want).
Seems like a bug!
User | Count |
---|---|
5 | |
2 | |
2 | |
1 | |
1 |