OAuth2 token_type


Hi,

I am using casablanca package for OAuth2 ( https://casablanca.codeplex.com/ )

and while running request for access token I got an error:

Error: only 'token_type=bearer' access tokens are currently supported

and after reading this: http://tools.ietf.org/html/rfc6749#section-4.2.2

I realised that the response should contain "token_type":"Bearer"

and not "token_type":"BearerToken" like Apigee is returning here:

{
  "issued_at" : "1382703699776",
  "application_name" : "8586c7b7-2936-4779-b7a6-97014e436d7d",
  "scope" : "READ",
  "status" : "approved",
  "api_product_list" : "[PremiumWeatherAPI]",
  "expires_in" : "3599",
  "developer.email" : "tesla@weathersample.com",
  "organization_id" : "0",
  "token_type" : "BearerToken",
  "client_id" : "SJOaCEGohSu3vpNswMs5YdBlc2GOAh1J",
  "access_token" : "UAj2yiGAcMZGxfN2DhcUbl9v8WsR",
  "organization_name" : "myorg",
  "refresh_token_expires_in" : "0",
  "refresh_count" : "0"
}

Could it be that Apigee is not returning an OAuth2 standard response?

Please advise ASAP.

Thanks,

Einat


Hi @einat.bertenthal, AFAIK Apigee returns an OAuth2 standard response.

I also get a similar response (token_type) when generating an access_token:

.........
"token_type":"BearerToken",
"client_id":"SJOaCEGohSu3vpNswMs5YdBlc2GOAh1J",
......

But when passing the access_token in the Authorization header, "BearerToken" doesn't work; only Authorization: Bearer <access_token> works.

I hope this helps you.


Hi @Barahalikar Siddharth

Thanks for your answer,

But I was asking only about the token_type in the response.

It should be "Bearer" but Apigee is returning "BearerToken".

According to OAuth2, the token_type in the response should be "Bearer":

http://tools.ietf.org/html/rfc6750#section-2

You can find this section in the above link:

4. Example Access Token Response

Typically, a bearer token is returned to the client as part of an OAuth 2.0 [RFC6749] access token response.

An example of such a response is:

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
  "access_token":"mF_9.B5f-4.1JqM",
  "token_type":"Bearer",
  "expires_in":3600,
  "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA"
}


Hi @einat.bertenthal I see your point, as per the spec it should be just "Bearer" vs "BearerToken". @Subrak any thoughts on this?


Hi @Subrak,

Do you have an answer regarding the "token_type" issue?

Also, why are all numbers returned as strings?

For example: "expires_in" should be 7199 and not "7199".

Thanks,

Einat.
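The two complaints in this thread (a token_type of "BearerToken" where RFC 6749 expects "Bearer", and numeric fields such as expires_in arriving as strings) are both things a client has to decide how to handle before it puts the token in an Authorization header. The following Python is an added example written for this page, not code from Casablanca, Apigee or any poster: it parses a token endpoint response, compares token_type case-insensitively as RFC 6749 section 5.1 requires, maps the non-standard "BearerToken" spelling through an explicit compatibility table rather than silently, coerces a digit-string expires_in to an integer, and then builds the "Bearer <access_token>" header that the reply above says is the only form that works. The Apigee-style sample body is constructed from the response quoted in the question with a placeholder token; the other sample is the RFC 6750 section 4 example.

```python
import json

# RFC 6749 section 5.1: the token_type value is case-insensitive, so "bearer"
# and "Bearer" name the same type. "BearerToken" is not a registered type and
# is accepted only through a separate, visible compatibility table.
STANDARD_TOKEN_TYPES = {"bearer": "Bearer"}
# Constructed compatibility map for the non-standard spelling seen in this thread.
NONSTANDARD_TOKEN_TYPES = {"bearertoken": "Bearer"}


class TokenResponseError(ValueError):
    """Raised when the token endpoint response cannot be used safely."""


def normalize_token_type(raw):
    """Return (canonical_type, was_nonstandard) or raise TokenResponseError."""
    if not isinstance(raw, str) or not raw:
        raise TokenResponseError("token_type missing or not a string")
    key = raw.lower()
    if key in STANDARD_TOKEN_TYPES:
        return STANDARD_TOKEN_TYPES[key], False
    if key in NONSTANDARD_TOKEN_TYPES:
        return NONSTANDARD_TOKEN_TYPES[key], True
    raise TokenResponseError("unsupported token_type: %r" % raw)


def coerce_int(value, field):
    """expires_in is a number in the spec; tolerate a digit string, reject anything else."""
    if isinstance(value, bool):  # bool is an int subclass in Python, never a valid lifetime
        raise TokenResponseError("%s must be numeric" % field)
    if isinstance(value, int):
        return value
    if isinstance(value, str) and value.isdigit():
        return int(value)
    raise TokenResponseError("%s must be numeric, got %r" % (field, value))


def parse_token_response(body):
    """Parse a successful RFC 6749 section 5.1 response body into a dict with typed fields."""
    try:
        data = json.loads(body)
    except ValueError as exc:
        raise TokenResponseError("response is not valid JSON: %s" % exc)
    if not isinstance(data, dict):
        raise TokenResponseError("response must be a JSON object")
    if "error" in data:  # section 5.2 error response, never a usable token
        raise TokenResponseError("token endpoint error: %s" % data["error"])
    access_token = data.get("access_token")
    if not isinstance(access_token, str) or not access_token:
        raise TokenResponseError("access_token missing or empty")
    token_type, nonstandard = normalize_token_type(data.get("token_type"))
    token = {
        "access_token": access_token,
        "token_type": token_type,
        "nonstandard_token_type": nonstandard,  # lets the caller log interoperability issues
    }
    if "expires_in" in data:
        token["expires_in"] = coerce_int(data["expires_in"], "expires_in")
    for optional in ("refresh_token", "scope"):
        if isinstance(data.get(optional), str):
            token[optional] = data[optional]
    return token


def authorization_header(token):
    """Build the Authorization header value for a bearer token (RFC 6750 section 2.1)."""
    if token["token_type"] != "Bearer":
        raise TokenResponseError("only bearer tokens are sent in an Authorization header here")
    return "Bearer " + token["access_token"]


# Constructed sample modelled on the response quoted in the question; placeholder token value.
APIGEE_STYLE_RESPONSE = """{
  "scope": "READ", "status": "approved", "expires_in": "3599",
  "token_type": "BearerToken", "access_token": "EXAMPLE_ACCESS_TOKEN",
  "refresh_count": "0"
}"""

# The example response body from RFC 6750 section 4.
RFC_STYLE_RESPONSE = """{
  "access_token": "mF_9.B5f-4.1JqM", "token_type": "Bearer",
  "expires_in": 3600, "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA"
}"""

if __name__ == "__main__":
    for body in (APIGEE_STYLE_RESPONSE, RFC_STYLE_RESPONSE):
        token = parse_token_response(body)
        print(token, "->", authorization_header(token))
```

Keeping the compatibility table separate from the standard one means a client can ship with it empty and turn on the "BearerToken" mapping only for the one server that needs it, and the nonstandard_token_type flag gives somewhere to log that the mapping was used.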

It's been a while since this post. It doesn't seem the OOTB Apigee OAuth2 implementation is standards compliant. Is this issue addressed in a newer version of Apigee, e.g. 4.16.x?


Hi @einat.bertenthal and @Barahalikar Siddharth

I'm running into the same problem trying to use Spring Security OAuth (http://projects.spring.io/spring-security-oauth/). Spring uses token_type from the generate token response to construct the request to the protected resource (api). However, oAuth token validation policy does not recognize "BearerToken" prefix. Just as you described, the token prefix has to be "Bearer".

The only workaround I see at this point is to use <AccessTokenPrefix> to accept the prefix "BearerToken" instead of "Bearer". However, it goes against the OAuth2 spec.

I'm curious when it'll be fixed. I'm currently using on-prem version 4.16.01.04.

See line 35. accessToken.getTokenType() is the value of the token_type property returned when a new token is generated.

https://github.com/spring-projects/spring-security-oauth/blob/master/spring-security-oauth2/src/main...
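The resource-server side of the same problem is what the token validation policy and the <AccessTokenPrefix> workaround above are about: the server has to decide which scheme names it will accept in the Authorization header. The Python below is an added example written for this page, not Apigee's policy code or Spring Security's: it parses the header against the RFC 6750 section 2.1 grammar, matches the scheme name case-insensitively (auth-scheme names are case-insensitive in HTTP), and rejects "BearerToken" by default. The accepted_schemes parameter models the effect of widening the accepted prefix, so the deviation from the spec is a single explicit setting rather than a hidden default. The header values used in the test are constructed, reusing the RFC 6750 example token.

```python
import re

# RFC 6750 section 2.1:
#   credentials = "Bearer" 1*SP b64token
#   b64token    = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
# The scheme name is matched case-insensitively (HTTP auth-scheme names are);
# the token is passed through unchanged, never decoded or trimmed.
_CREDENTIALS_RE = re.compile(
    r"^\s*([A-Za-z][A-Za-z0-9]*)\s+([A-Za-z0-9\-._~+/]+=*)\s*$"
)

# Default: only the standard scheme. A deployment that must interoperate with
# a server that emits "BearerToken" can widen this set, which is the same
# trade-off as the <AccessTokenPrefix> workaround, but made in one visible place.
STANDARD_SCHEMES = frozenset({"bearer"})


def extract_bearer_token(authorization, accepted_schemes=STANDARD_SCHEMES):
    """Return (token, None) on success or (None, reason) when the header is unusable.

    reason is one of "missing", "malformed" or "unsupported_scheme". The token
    returned here still has to be validated (lookup, expiry, scope) by the caller.
    """
    if authorization is None or not authorization.strip():
        return None, "missing"
    match = _CREDENTIALS_RE.match(authorization)
    if not match:
        return None, "malformed"
    scheme, token = match.group(1), match.group(2)
    if scheme.lower() not in accepted_schemes:
        return None, "unsupported_scheme"
    return token, None


def www_authenticate(reason, realm="api"):
    """Challenge header value for a 401 response, per RFC 6750 section 3.

    When the request carried no credentials at all the spec says not to add an
    error code; a present but malformed or unsupported header is invalid_request.
    """
    if reason == "missing":
        return 'Bearer realm="%s"' % realm
    return 'Bearer realm="%s", error="invalid_request"' % realm


if __name__ == "__main__":
    # Constructed header values; the token is the RFC 6750 section 4 example token.
    for value in ("Bearer mF_9.B5f-4.1JqM", "bearer mF_9.B5f-4.1JqM",
                  "BearerToken mF_9.B5f-4.1JqM", "Bearer", None):
        token, reason = extract_bearer_token(value)
        print(repr(value), "->", token if token else www_authenticate(reason))
```

Rejecting an unknown scheme with the same invalid_request challenge as a malformed header avoids telling an unauthenticated caller which scheme names the server distinguishes, while the reason string is still available for the server's own logs.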