How to register a third party Access token obtained by using a third party refresh token

We have our own service implementation for generating access tokens using OAuth. This service is proxied behind Apigee. When a client/app needs an access token it sends a request to this proxy. The request contains client_id and client_secret, which are Base64-encoded into the Authorization header, along with grant_type and optional username, password and access_type in the body. On receiving the request, Apigee Base64-decodes the Authentication header and authenticates the client_id. On successful authentication of the request by Apigee, Apigee re-encodes the Authentication header and forwards the request to our OAuth service implementation. On successful authentication and authorization the OAuth service responds with an access token, expiration, and an optional refresh_token and expiration of this refresh token. Apigee then uses the "GenerateAccessToken" policy to register the access token generated by our OAuth service against the client_id it authenticated earlier. On subsequent requests to access a resource the client sends in this access token, which is authenticated using the "VerifyAccessToken" policy on the resource proxy, and if authenticated Apigee forwards the request to the respective resource backend.

This mechanism works as expected, with Apigee registering the tokens and then validating them on resource access.

But when a client uses a refresh token grant type to get a new access token using the same mechanism as above (with the only change being grant_type=refresh_token), Apigee doesn't give any error when forwarding the OAuth response to the client, but when you take a look at the trace you see the following value:

oauthV2.Register-External-Token.failed true

But bear in mind no error is raised by Apigee. But when we have to use the access token generated through the above mechanism we notice that the "VerifyAccessToken" policy on the resource proxy fails with the error "Invalid Access Token". On further introspection (using the management API call {{mgmt.url}}/v1/o/RetailOrg/oauth2/accesstokens/{token_value}) it was noticed that the access token generated through the refresh_token grant_type was not even registered in Apigee.

To dig deeper I created another proxy with an additional step of registering the access token based on grant type. In this proxy, if the grant type of the request is either "password" or "client_credential" I register the access token through the "GenerateAccessToken" policy, but if the grant_type is refresh_token then I try to register the access token through the "RefreshAccessToken" policy. The flow works fine when the grant type is "password" or "client_credential", which passes through the "GenerateAccessToken" policy, but it fails when the grant type is "refresh_token", which passes through the "RefreshAccessToken" policy, with the error "Client Id is invalid".

How do I tackle this? Revision 1 contains both the GenerateAccessToken and RefreshAccessToken policies, while revision 3 contains only the GenerateAccessToken policy. Let me know if you need the curl script for the same.

Thanks,

Vednath

Attachments: v1-oauth2-rev3-2016-10-05.zip, v1-oauth2-rev1-2016-10-05.zip


The proxies are attached to the question.

@arghya das, @Dino, @Mukundha Madhavan, @sarthak any thoughts on the above? I haven't heard back from anyone on this. Any quick help on this is highly appreciated.

Thanks,

Vednath

Hi Vednath

I'm not clear what the question is.

It seems you have provided an answer to your oauth question. Does that mean you have resolved it?

What is the outstanding question?

I'm not clear because you have asked "any thoughts" in a comment, attached to an answer, to your own question.

What exactly is remaining to be answered?

@Dino I meant that doing the above doesn't allow me to register an access token generated by using a refresh token grant type (the access token that gets generated from client credentials and password grant types is registered without any fuss in Apigee). It gives me a client id invalid error on the refresh token grant code above.

I had provided the code in my answer to separate out the issue from its implementation.

Thanks,

Vednath

Hi @vednath pittala,

Can you please explain the scenario in detail? It will help to clearly understand the functionality, and then looking into the code will make more sense.

Thanks,

Santosh

Hi @santosh_ghalsasi. We have our internal OAuth system that generates the Authtoken for us. We have an endpoint configured in Apigee to send requests to this OAuth system. The clients can receive their access tokens from this OAuth system using any of the OAuth grant types. The access token received this way is registered in Apigee against the client id, and any subsequent requests from this client to access a resource would be accompanied by the access token in their Authorization header, which would help Apigee recognize the client making the request.

The flow works fine for the client_credential and password grant types. But when a client makes a refresh token grant type request to get a new access token, Apigee is unable to register this access token, and thereby subsequent requests by the client to access a resource are met with an error.

Let me know if you need more details.

Thanks,

Vednath

The import of an external access token - I suppose you are using the OAuthV2 policy with Operation = GenerateAccessToken. You need to have the proper client_id set in the message context in order for this to work. That you do not have the client_id in the expected place is probably why you are seeing an error like "invalid client_id".

> But when a client makes a refresh token grant type request to get a new access token apigee is unable to register this access token

When Santosh asked "please explain the scenario in detail", I suppose he means:

  • provide the code for the policies you are using
  • describe the request messages - what is in the message context

I encourage you to EDIT the original question, rather than supplying the information in an "Answer" to the question. Supply as much detail as you can. We understand the basics: "when a client makes a refresh token grant type request to get a new access token apigee is unable to register this access token." But we need more detail please. Put the detail in the original question.

A good rule is: Use answers for answers. Do not place comments or questions in the Answers here on this forum.
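For readers following this thread, here is an added sketch of the two OAuthV2 policy shapes under discussion: one that imports a backend-issued token with Operation GenerateAccessToken, and one that imports the token returned for a refresh_token grant with Operation RefreshAccessToken. This is not code from the question's attached proxies (which are not reproduced on the page) and not Apigee's own sample; the policy names and the flow variables external.access_token, external.refresh_token, external.expires_in and external.refresh_expires_in are assumptions standing for values extracted from the backend OAuth response before the policy runs (for example with an ExtractVariables policy). The comments state where each policy expects the client credentials and the refresh token to be, which is the part of the message context Dino's reply points at.

```xml
<!-- Added example, not the question's proxies. Policy names and the external.*
     flow variables are assumed; they hold values parsed from the backend OAuth
     service's JSON response earlier in the flow. -->

<!-- 1. Import a backend-issued token for the password / client_credentials grants.
     The policy reads client_id and client_secret from the Basic Authorization
     header (or the client_id / client_secret form params) and validates them
     against the developer app in Apigee before it stores the token. -->
<OAuthV2 name="OAuthV2-Import-External-Token">
  <Operation>GenerateAccessToken</Operation>
  <GrantType>request.formparam.grant_type</GrantType>
  <SupportedGrantTypes>
    <GrantType>password</GrantType>
    <GrantType>client_credentials</GrantType>
  </SupportedGrantTypes>
  <!-- Store the backend's token values instead of minting Apigee's own. -->
  <ExternalAccessToken>external.access_token</ExternalAccessToken>
  <!-- Register the backend's refresh token too. If this is omitted, Apigee keeps
       no record of the refresh token and a later refresh_token grant has
       nothing in the token store to look up. -->
  <ExternalRefreshToken>external.refresh_token</ExternalRefreshToken>
  <ExpiresIn ref="external.expires_in">3600</ExpiresIn>
  <RefreshTokenExpiresIn ref="external.refresh_expires_in">86400</RefreshTokenExpiresIn>
  <StoreToken>true</StoreToken>
  <GenerateResponse enabled="true"/>
</OAuthV2>

<!-- 2. Import the token the backend returns for a refresh_token grant.
     RefreshAccessToken looks the presented refresh token up in Apigee's token
     store and checks it belongs to the client identified by the request's
     credentials, so it only succeeds for a refresh token that policy 1 stored
     for that same client_id. -->
<OAuthV2 name="OAuthV2-Import-Refreshed-Token">
  <Operation>RefreshAccessToken</Operation>
  <GrantType>request.formparam.grant_type</GrantType>
  <!-- Where the policy expects the refresh token to be in the request. -->
  <RefreshToken>request.formparam.refresh_token</RefreshToken>
  <ExternalAccessToken>external.access_token</ExternalAccessToken>
  <ExternalRefreshToken>external.refresh_token</ExternalRefreshToken>
  <ExpiresIn ref="external.expires_in">3600</ExpiresIn>
  <StoreToken>true</StoreToken>
  <GenerateResponse enabled="true"/>
</OAuthV2>
```

The management API lookup the question already uses ({{mgmt.url}}/v1/o/RetailOrg/oauth2/accesstokens/{token_value}) is the right check after each grant type: a token the management API cannot return was never stored, which is what the oauthV2.Register-External-Token.failed trace variable reports, and VerifyAccessToken on the resource proxy will reject it regardless of whether the backend considers it valid. Running that lookup on the refresh token as well, after the first grant, shows whether the refresh token was registered at all before the refresh_token grant is attempted.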

@Dino I have attached the proxies and updated the issue description in the question.

@Dino

Do you need anything else from my side to get started on this?