Implementing OAuth - Invalid access token


Hello all,

I have been working with Apigee Edge creating several PoCs. Currently, I'm stuck with one proof of concept related to OAuth. Perhaps you can give us some advice.

I have a proxy that generates a token for the user (https://apigeehost/oauth/). This is the OAuthV2 policy that handles this:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="OA-GenerateAccessToken-Password">
    <DisplayName>OA-GenerateAccessToken Password</DisplayName>
    <Operation>GenerateAccessToken</Operation>
    <!--<ExternalAccessToken>apigee.access_token</ExternalAccessToken>-->
    <!-- This is in milliseconds, so expire in an hour -->
    <ExpiresIn>36000000</ExpiresIn>
    <SupportedGrantTypes>
        <GrantType>password</GrantType>
    </SupportedGrantTypes>
    <GrantType>request.formparam.grant_type</GrantType>
    <UserName>request.formparam.username</UserName>
    <PassWord>request.formparam.password</PassWord>
    <GenerateResponse/>
    <GenerateErrorResponse/>
    <Attributes>
        <Attribute name="tc1cookietoken" ref="authenticate.response.content" display="false"/>
    </Attributes>
</OAuthV2>

Also, I have a reverse proxy (https://apigeehost/northwind-oauth) that validates the token with this policy:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="verify-oauth-v2-access-token">
    <DisplayName>VerifyAccessToken</DisplayName>
    <ExternalAuthorization>false</ExternalAuthorization>
    <Operation>VerifyAccessToken</Operation>
    <SupportedGrantTypes/>
    <GenerateResponse enabled="true"/>
    <Tokens/>
</OAuthV2>

To test it, I make a request to the first proxy with this curl:

curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -H "apikey: 1kT9GI3inQYTzobMP75nfqkcA0LgKeC9" -H "Cache-Control: no-cache" -H "Postman-Token: 02a854d8-9ed4-bd92-754f-1c50b7715eb4" -d 'grant_type=password&username={username}&password={password}&client_secret={secret}&client_id={client_id}' https://apigeehost/oauth/token

I receive this response:

{
    "issued_at": "1488179577189",
    "scope": "",
    "application_name": "89a2ff29-fee8-4880-a998-1a6495b37706",
    "refresh_token_issued_at": "1488179577189",
    "status": "approved",
    "refresh_token_status": "approved",
    "expires_in": "35999",
    "token_type": "BearerToken",
    "refresh_token": "Xpum9GAtS9X47Vl5GDsRr6K0zHS5iVBG",
    "client_id": "1kT9GI3inQYTzobMP75nfqkcA0LgKeC9",
    "access_token": "EPoAvqpGAaN5pxPHUmz4Z9HMir46",
    "refresh_token_expires_in": "0",
    "refresh_count": "0"
}

Then, I make a request to the second proxy with the access_token.

curl -X GET -H "Authorization: Bearer EPoAvqpGAaN5pxPHUmz4Z9HMir46" -H "Cache-Control: no-cache" -H "Postman-Token: b50f7f5d-b539-91ff-02a0-b33396110463" "https://apigeehost/northwind-oauth/v1/product "

The problem is that I get this response:

{
    "fault": {
        "faultstring": "Invalid access token",
        "detail": {
            "errorcode": "oauth.v2.InvalidAccessToken"
        }
    }
}

I reviewed all the parameters and I tried to change some of them (for example, changing the validate OAuth policy to read the token from the query parameters), but I'm not able to make it work. I'm sure that the problem should be a small detail, but I can't find it. Could you help me with this?

Thank you very much.


@Raúl Linares

I have quickly tested this on cloud & it works as expected. Find the steps below that worked for me.

Note: I am not validating user credentials in the steps below. You might need to do that before generating the token.

Step 1: Create a proxy that generates the token.

oauthpassword-rev1-2017-02-27.zip

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 name="GetAccessToken">
    <Operation>GenerateAccessToken</Operation>
    <ExpiresIn>360000000</ExpiresIn>
    <SupportedGrantTypes>
        <GrantType>password</GrantType>
    </SupportedGrantTypes>
    <GrantType>request.formparam.grant_type</GrantType>
    <UserName>request.formparam.username</UserName>
    <PassWord>request.formparam.password</PassWord>
    <GenerateResponse/>
</OAuthV2>

Step 2: Create a proxy that validates the token.

oauthprotected-rev1-2017-02-27.zip

Step 3: Create an API Product with the above proxies.


Step 4: Create an app.


Step 5: Generate a token using the above app credentials.

curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -H "Authorization: Basic WU83NWNJM0dFU2o0OUpuSmRJOUZteUFRVmRPNVJyeUw6QWlyYVI2MEl3aGVNaFkyZA==" -H "Cache-Control: no-cache" -H "Postman-Token: 4a55b877-a6c1-d8e3-fda6-1920b2d90439" -d 'grant_type=password&username=anil&password=hello' "http://demo-au04-test.apigee.net/oauthpassword/token"

Step 6: Make a call to the protected resource.

curl -X GET -H "Authorization: Bearer wzBsFugqQBXuwjGuI39AHCvGACOB" -H "Cache-Control: no-cache" -H "Postman-Token: 9a703e84-6ef0-d3e4-3d0b-d5c2f7a66274" "http://demo-au04-test.apigee.net/oauthprotected"

I got a 200 response & the access token worked for me. You can try using the above proxies & calls. It should work. Hope it helps. Keep us posted.



@Raúl Linares, are you sure you have selected the right environments in the API Product & that the app keys are not expired? It's very difficult to understand & debug with the above information in the community. Need more details.

Hello Anil. Thank you for your response. Currently I'm using the TEST environment for everything. PRO is not deployed yet. The API product has access to the proxies in both test and pro environments. Also, API Product and Keys are not expired. This is why I thought that the problem should be a mistake in my policies.

Thank you for your answer. It works 🙂

Anytime 🙂 Glad it helps. You can also accept the answer by clicking on the Accept link below the answer so that it will be helpful for others too.

Keep us posted moving forward if any.

If I am not wrong, you need to send the client id & secret base64-encoded to the generate-token proxy. See the answer below, which works for me, as explained here.
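The point made in Step 5 of the accepted answer and in the reply above, as an added Python example that is not code from the thread: the app's client id and secret travel in an HTTP Basic Authorization header (base64 of client_id:client_secret), while the form body carries only the grant_type, username and password fields the OAuthV2 policy reads. The host, credentials and token values below are constructed placeholders.

```python
import base64
import urllib.parse

def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Client authentication as in the working Step 5 curl:
    Authorization: Basic base64("client_id:client_secret") (RFC 6749 section 2.3.1)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def parse_basic_auth_header(value: str) -> tuple:
    """Inverse of basic_auth_header: the pair the token proxy recovers from the header."""
    scheme, _, encoded = value.partition(" ")
    if scheme != "Basic" or not encoded:
        raise ValueError("not an HTTP Basic credential")
    client_id, sep, secret = base64.b64decode(encoded).decode("utf-8").partition(":")
    if not sep:
        raise ValueError("Basic credential lacks the ':' separator")
    return client_id, secret

def password_grant_request(client_id, client_secret, username, password) -> dict:
    """Assemble the GenerateAccessToken call without sending it: app credentials go in
    the header; the body carries only the form params the OAuthV2 policy reads."""
    return {
        "method": "POST",
        "url": "https://apigeehost/oauth/token",  # placeholder host from the question
        "headers": {
            "Content-Type": "application/x-www-form-urlencoded",
            "Authorization": basic_auth_header(client_id, client_secret),
        },
        "body": urllib.parse.urlencode(
            {"grant_type": "password", "username": username, "password": password}
        ),
    }

def bearer_header(token_response: dict) -> str:
    """Turn the GenerateResponse JSON into the header VerifyAccessToken expects."""
    if token_response.get("status") != "approved" or not token_response.get("access_token"):
        raise ValueError("token response is not usable")
    return "Bearer " + token_response["access_token"]

def seconds_until_expiry(token_response: dict, now_ms: int) -> int:
    """issued_at is epoch milliseconds, expires_in is seconds; both arrive as strings."""
    expiry_ms = int(token_response["issued_at"]) + int(token_response["expires_in"]) * 1000
    return max(0, (expiry_ms - now_ms) // 1000)

# Constructed token response shaped like the one quoted in the question.
SAMPLE_TOKEN_RESPONSE = {
    "issued_at": "1488179577189", "expires_in": "35999", "status": "approved",
    "token_type": "BearerToken", "access_token": "EXAMPLE_ACCESS_TOKEN",
}
```

Note that the policy's ExpiresIn is in milliseconds while the expires_in field in the response is in seconds, so the two differ by a factor of 1000.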