OAuth Scope defined in OAuth Policy

I am working on an OAuth implementation where one scope is assigned to the access-token by the OAuth GenerateAccessToken policy. Therefore, I have added three scopes to the API product:

 AUTH1, AUTH2, AUTH3 

I have added the following XML to the OAuth GenerateAccessToken policy; this should be one of the scopes from the API Product:

<Scope>AUTH2</Scope>

Now, my issue is that the generated access token response does contain all scopes as defined by the API Product:

"scope": "AUTH2 AUTH3 AUTH1"

I expected it to only contain the one Scope as described by the GenerateAccessToken OAuth policy.

Am I doing something wrong here?

1 ACCEPTED SOLUTION

The OAuthV2 policy with Operation=GenerateAccessToken needs a variable name (typically: request.queryparam.scope) that the calling app supplies.

<OAuthV2 name="OAuth.GenerateAccessToken" enabled="true">
    <Operation>GenerateAccessToken</Operation>
    <GenerateResponse enabled="false"/>
    <SupportedGrantTypes>
        <GrantType>client_credentials</GrantType>
    </SupportedGrantTypes>
    <Scope>request.queryparam.scope</Scope>
</OAuthV2>

At runtime, Apigee Edge then

  • resolves the variable to a value. This is expected to be a space separated list of scopes.
  • generates an access token with a scope set that is the intersection of the supplied space-separated scope values and all scopes defined in ALL the apiProducts for which the calling app is registered.

I suspect you are calling the API without requesting a scope, in which case Edge generates the token with ALL scopes from the apiProducts for which the app is registered.



Scopes in GenerateAccessToken policy are space-delimited - not comma delimited. AND it must be a variable - not a hardcoded string. Perhaps this is the problem. Apigee might be looking for a scope called "AUTH1," (with a comma) in your case and can't find it.

This link explains how generation, configuration and enforcement of scopes work in Apigee.

http://apigee.com/docs/api-services/content/working-scopes

http://apigee.com/docs/api-services/content/oauthv2-policy#scopeelement

Thanks Ozan. I was using a hardcoded string in the policy. I have changed to refer to a variable and now it works!

Worth mentioning that the current version of Edge has a bug where if you specify an invalid scope - that is to say, a scope that is not "supported" by any of the products that the developer app is authorized to use - the policy generates and returns a valid token with no scope. Because of this issue, developers should take extra care while verifying the access token to make sure you have the right scopes associated to call the API. The bug is being addressed and should be part of one of the next releases post 15.07.
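As an added illustration (not Apigee's code, and not from any post above), the following Python models the scope resolution the accepted answer describes and the extra verification step the last reply recommends. The product scope sets and request values are constructed to mirror the question; the function names are my own.

```python
# Added example: a model of how Apigee Edge derives a token's scope set, as
# described in the accepted answer, plus a resource-side check that rejects a
# token carrying no scope. This is not Apigee's implementation; product scopes
# and requests below are constructed sample data.

def resolve_token_scopes(requested, product_scopes):
    """Model of GenerateAccessToken scope handling.

    requested      : value of the variable named in <Scope> (for example
                     request.queryparam.scope), a space-separated string,
                     or None when the calling app sent no scope.
    product_scopes : iterable of scope sets, one per API product the app is
                     registered for.
    Returns the scope set that would end up in the token.
    """
    # All scopes across ALL products the calling app is registered for.
    allowed = set().union(*product_scopes)
    if not requested or not requested.split():
        # No scope supplied: Edge grants every scope from the registered products.
        return allowed
    # Scope supplied: the token gets the intersection with the allowed set.
    # A comma-delimited value such as "AUTH1,AUTH2" is a single unknown scope,
    # so it intersects with nothing. Per the last reply, the affected Edge
    # release still issues a valid token in that case, with an empty scope.
    return set(requested.split()) & allowed


def verify_scope(token_scope, required):
    """Check that a token's "scope" claim (space-separated) covers `required`.

    An empty or missing scope is rejected explicitly, so a token produced
    from an unsupported scope request cannot be used to call the API.
    """
    granted = set(token_scope.split()) if token_scope else set()
    return bool(granted) and required in granted


# Constructed data mirroring the question: one product with AUTH1, AUTH2, AUTH3.
PRODUCTS = [{"AUTH1", "AUTH2", "AUTH3"}]

if __name__ == "__main__":
    print(resolve_token_scopes(None, PRODUCTS))           # all three, as the asker saw
    print(resolve_token_scopes("AUTH2", PRODUCTS))        # {'AUTH2'}
    print(resolve_token_scopes("AUTH1,AUTH2", PRODUCTS))  # set(): comma value is one unknown scope
    print(verify_scope("", "AUTH2"))                      # False: empty-scope token is rejected
```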