Oauth V2 GenerateAccessToken in response flow
I want to generate an access token in the proxy response flow.
As mentioned in Oauth policy documentation I have set the request.header.Authorization to base64(client_id:client_secret) before the Oauth policy execution. Even then it gives me an error like :
{
"fault": {
"faultstring":"invalid_request",
"detail": {
"errorcode":"invalid_request"
}
}
}
My Oauthv2 policy uses external variables for token, expiry time and grant_type as follows :
<OAuthV2 name="OAuth2-generate-token">
<Operation>GenerateAccessToken</Operation>
<ExternalAccessToken>flow.idm.accessToken</ExternalAccessToken>
<StoreToken>true</StoreToken>
<SupportedGrantTypes>
<GrantType>password</GrantType>
</SupportedGrantTypes>
<GrantType>flow.grant_type</GrantType>
<GenerateResponse enabled="false"/>
<ExpiresIn ref="flow.jwt.expiry">3600000</ExpiresIn>
</OAuthV2>
Best Answer
@AlayVakil, username and password are required fields for the password grant. Pls pass them and check.
Answer by seamaslee
·
Jan 20, 2017 at 05:03 AM
Hi Alay,
Just reoccur you error.
{
"fault": {
"faultstring": "invalid_request",
"detail": {
"errorcode": "invalid_request"
}
}
}
I think you have passed the client_id and client_secret parameters, and they are verified succeed.
The issue is duo to config the Oauth parameter flow.grant_type,
<GrantType>flow.grant_type</GrantType>
You configure the GrantType element like the following
<GrantType>request.formparam.grant_type</GrantType>
This means the inbound request must pass grant_type as request parameter (form urlencoded).
Answer by Sachhida Das
·
Jan 21, 2017 at 03:58 AM
@AlayVakil : use below policy for grant type password:
<OAuthV2 name="OAuth-v20-2">
<DisplayName>OAuth-v20-2</DisplayName>
<Operation>GenerateAccessToken</Operation>
<ExpiresIn>360000000</ExpiresIn>
<SupportedGrantTypes>
<GrantType>password</GrantType>
</SupportedGrantTypes>
<GrantType>request.queryparam.grant_type</GrantType>
<UserName>request.queryparam.username</UserName>
<PassWord>request.queryparam.password</PassWord>
<GenerateResponse/>
</OAuthV2>
request url would be like below:
(proxy_resource_path)?username=XXXXXX&password=YYYYYY&grant_type=password
set the header Authorization to base64(client_id:client_secret)
I was in the same boat not long ago, with exactly same invalid_request error. Use 3rd party token is not well implemented and documented. Here is what I got so far to cache an external access token
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="StoreExternalToken">
<DisplayName>Store External Token</DisplayName>
<Properties/>
<Operation>GenerateAccessToken</Operation>
<SupportedGrantTypes>
<!-- Only client_credentials is supported for storing external token -->
<GrantType>client_credentials</GrantType>
</SupportedGrantTypes>
<GrantType>override_grant_type</GrantType>
<ExternalAuthorization>true</ExternalAuthorization>
<ExternalAccessToken>request.formparam.token</ExternalAccessToken>
<ExpiresIn ref="token_expiration">300000</ExpiresIn>
<AppEndUser>token_user</AppEndUser>
<!-- Overwrite scope from external token doesn't work. apigee bug?? -->
<Scope>token_scope</Scope>
<Attributes>
<Attribute name="claims" ref="token_claims"/>
</Attributes>
<GenerateResponse enabled="false"/>
<GenerateErrorResponse enabled="true"/>
<StoreToken>true</StoreToken>
<Tokens/>
</OAuthV2>
The "override_grant_type" is a flow variable name, with value of "client_credentials". You can choose your name variable name, but has to be a variable in the OAuth2 policy. I've tried putting a static value but doesn't work. So you will need another policy to set this variable to value "client_credentials".
The "token_scope" is another variable holding the scope value from the external token, but it wasn't able to override the scope of this policy. You will get empty scope for the stored external token, which basically defeat the purpose of using an external token.
I hope apigee folks can shed some light, and address this issue.
Hi @Wei Shen,
With regard to the <Scope>, is the value of the scope you are populating part of the Allowed Scopes defined in the API Product?
By adding it there, it should be added to the scope of the Token.
Thanks, Sean
