OAuthV2 GenerateAccessToken in response flow


I want to generate an access token in the proxy response flow.

As mentioned in the OAuth policy documentation, I have set request.header.Authorization to base64(client_id:client_secret) before the OAuth policy executes. Even then it gives me an error like:

{
  "fault": {
    "faultstring":"invalid_request",
    "detail": {
      "errorcode":"invalid_request"
    }
  }
}

My OAuthV2 policy uses external variables for the token, expiry time and grant_type as follows:
<OAuthV2 name="OAuth2-generate-token">
  <Operation>GenerateAccessToken</Operation>
  <!-- Token value is taken from a flow variable instead of being generated -->
  <ExternalAccessToken>flow.idm.accessToken</ExternalAccessToken>
  <StoreToken>true</StoreToken>
  <SupportedGrantTypes>
    <GrantType>password</GrantType>
  </SupportedGrantTypes>
  <!-- Flow variable that must hold the requested grant type -->
  <GrantType>flow.grant_type</GrantType>
  <GenerateResponse enabled="false"/>
  <!-- Lifetime in milliseconds; the ref variable overrides the default value -->
  <ExpiresIn ref="flow.jwt.expiry">3600000</ExpiresIn>
</OAuthV2>
1 ACCEPTED SOLUTION

@AlayVakil, username and password are required fields for the password grant. Pls pass them and check.


6 REPLIES


Hi Alay,

I just reproduced your error.

{
  "fault": {
    "faultstring": "invalid_request",
    "detail": {
      "errorcode": "invalid_request"
    }
  }
}

I think you have passed the client_id and client_secret parameters, and they were verified successfully.

The issue is due to the configuration of the OAuth parameter flow.grant_type:

<GrantType>flow.grant_type</GrantType>

Configure the GrantType element like the following:

<GrantType>request.formparam.grant_type</GrantType>

This means the inbound request must pass grant_type as a request parameter (form-urlencoded).


@AlayVakil: use the policy below for the password grant type:

<OAuthV2 name="OAuth-v20-2">
  <DisplayName>OAuth-v20-2</DisplayName>
  <Operation>GenerateAccessToken</Operation>
  <!-- Token lifetime in milliseconds -->
  <ExpiresIn>360000000</ExpiresIn>
  <SupportedGrantTypes>
    <GrantType>password</GrantType>
  </SupportedGrantTypes>
  <!-- grant_type, username and password are read from query parameters -->
  <GrantType>request.queryparam.grant_type</GrantType>
  <UserName>request.queryparam.username</UserName>
  <PassWord>request.queryparam.password</PassWord>
  <!-- The policy writes the token response itself -->
  <GenerateResponse/>
</OAuthV2>

The request URL would be like below:

(proxy_resource_path)?username=XXXXXX&password=YYYYYY&grant_type=password

Set the Authorization header to base64(client_id:client_secret).
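As an added example (not code from this thread or from Apigee), the following Python models the checks the accepted answer and the two replies above describe: the client credentials must arrive Basic-encoded in the Authorization header, the variable named in <GrantType> must resolve to a supported grant type, and the password grant additionally needs username and password, otherwise the invalid_request fault shown in the question is returned. The app registry, the invalid_client fault for a bad header, the token_type value and the request-builder helper are assumptions for illustration; the fault shape is the one posted in the thread. Grant parameters are read from a form-encoded body (request.formparam.*) rather than the query string so credentials do not land in URL access logs.

```python
"""Model of the checks an OAuthV2 GenerateAccessToken policy applies for the
password grant. Added example, not Apigee's implementation: APPS, the
invalid_client fault and build_token_request are assumptions."""
import base64
import binascii
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

# Constructed sample developer-app registry: client_id -> client_secret.
APPS = {"my-client-id": "my-client-secret"}

# Mirrors <SupportedGrantTypes> in the posted policy.
SUPPORTED_GRANT_TYPES = {"password"}

# Mirrors <ExpiresIn>: the policy element is expressed in milliseconds.
EXPIRES_IN_MS = 3_600_000


def fault(code):
    """Fault body in the shape the thread shows for invalid_request."""
    return {"fault": {"faultstring": code, "detail": {"errorcode": code}}}


def parse_basic_auth(header):
    """Return (client_id, client_secret) from 'Basic base64(id:secret)', else None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[len("Basic "):], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    client_id, sep, client_secret = raw.partition(":")
    return (client_id, client_secret) if sep else None


def generate_access_token(headers, form_body):
    """Apply the policy's checks to one inbound token request.

    headers:   dict of request headers
    form_body: application/x-www-form-urlencoded body; <GrantType>, <UserName>
               and <PassWord> are taken from request.formparam.* here, so a
               variable the proxy never populated is simply absent.
    """
    creds = parse_basic_auth(headers.get("Authorization"))
    if creds is None:
        return fault("invalid_client")  # assumed code for a missing/bad header
    client_id, client_secret = creds
    expected = APPS.get(client_id)
    if expected is None or not hmac.compare_digest(expected.encode(), client_secret.encode()):
        return fault("invalid_client")

    params = {k: v[0] for k, v in parse_qs(form_body).items()}

    # The variable referenced by <GrantType> must resolve to a supported value.
    grant_type = params.get("grant_type")
    if grant_type not in SUPPORTED_GRANT_TYPES:
        return fault("invalid_request")

    # The accepted answer: username and password are required for this grant.
    if grant_type == "password" and not (params.get("username") and params.get("password")):
        return fault("invalid_request")

    # The resource owner's password is not validated by the policy itself; the
    # proxy checks it against its identity store before this step (not modelled).
    return {
        "access_token": secrets.token_urlsafe(32),
        "token_type": "BearerToken",          # assumed value
        "expires_in": EXPIRES_IN_MS // 1000,  # response lifetime is in seconds
        "client_id": client_id,
    }


def build_token_request(client_id, client_secret, **form_params):
    """Build the request the reply above describes: credentials in the
    Authorization header, grant parameters in a form-encoded body."""
    token = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {token}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return headers, urlencode(form_params)


if __name__ == "__main__":
    h, b = build_token_request("my-client-id", "my-client-secret", grant_type="password")
    print(generate_access_token(h, b))  # username/password missing -> invalid_request
    h, b = build_token_request("my-client-id", "my-client-secret", grant_type="password",
                               username="alice", password="s3cret")
    print(generate_access_token(h, b))  # token response
```

Running the block reproduces the question's failure first (grant_type present, username and password absent) and then the working call; dropping grant_type from the body reproduces the case where the <GrantType> variable was never populated.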


@AlayVakil

I was in the same boat not long ago, with exactly the same invalid_request error. Using a 3rd-party token is not well implemented or documented. Here is what I have got so far to cache an external access token:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="StoreExternalToken">
    <DisplayName>Store External Token</DisplayName>
    <Properties/>
    <Operation>GenerateAccessToken</Operation>
    <SupportedGrantTypes>
        <!-- Only client_credentials is supported for storing external token -->
        <GrantType>client_credentials</GrantType>
    </SupportedGrantTypes>
    <GrantType>override_grant_type</GrantType>
    <ExternalAuthorization>true</ExternalAuthorization>
    <ExternalAccessToken>request.formparam.token</ExternalAccessToken>
    <ExpiresIn ref="token_expiration">300000</ExpiresIn>
    <AppEndUser>token_user</AppEndUser>
    <!-- Overwrite scope from external token doesn't work. apigee bug?? -->
    <Scope>token_scope</Scope>
    <Attributes>
        <Attribute name="claims" ref="token_claims"/>
    </Attributes>
    <GenerateResponse enabled="false"/>
    <GenerateErrorResponse enabled="true"/>
    <StoreToken>true</StoreToken>
    <Tokens/>
</OAuthV2>

The "override_grant_type" is a flow variable name, with the value "client_credentials". You can choose your own variable name, but it has to be a variable in the OAuthV2 policy. I've tried putting a static value but it doesn't work. So you will need another policy to set this variable to the value "client_credentials".

The "token_scope" is another variable holding the scope value from the external token, but it wasn't able to override the scope of this policy. You will get an empty scope for the stored external token, which basically defeats the purpose of using an external token.

I hope apigee folks can shed some light, and address this issue.

Hi @Wei Shen,

With regard to the <Scope>, is the value of the scope you are populating part of the Allowed Scopes defined in the API Product?

By adding it there, it should be added to the scope of the Token.

Thanks, Sean


@Sean Davis

The value of "token_scope" is a subset of the allowed scopes in the API product.