Specifying scope for the verify access token


Hi, we are updating the OAuthV2.VerifyAccessToken policy on our app to accept tokens of b2b and bearer scope. We looked through the documentation and saw that we should add a line that says `<Scope>b2b bearer</Scope>` after `<Operation>VerifyAccessToken</Operation>`. We did this, but are now not able to make successful calls to our endpoint with either scope. When we test it out in the API console, we get an error that says `401: invalid access token`. Any ideas what's causing the error? Here is our code below:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="OAuthV2.VerifyAccessToken">
  <DisplayName>OAuthV2.VerifyAccessToken</DisplayName>
  <Properties/>
  <Attributes/>
  <ExternalAuthorization>false</ExternalAuthorization>
  <Operation>VerifyAccessToken</Operation>
  <Scope>b2b bearer</Scope>
  <SupportedGrantTypes/>
  <GenerateResponse enabled="true"/>
  <Tokens/>
</OAuthV2>

Sorry to hear that you are having trouble.

The token, when it gets issued... what scopes does it have set on it? Can you show me the GenerateAccessToken policy?

You mentioned "b2b" and "bearer". Those are odd names for scopes. Are you sure those are the scope names? Usually the scope names are things like "READ" or "write", or a URN like "http://example.com/collection.read".

Your VerifyAccessToken policy can be very simple, and should look something like this:

<OAuthV2 name="OAuthV2.VerifyAccessToken">
  <Operation>VerifyAccessToken</Operation>
  <Scope>REQUIRED_SCOPE_HERE</Scope>
</OAuthV2>

...and you should replace the REQUIRED_SCOPE_HERE with your required scope, like READ or WRITE, etc.

You don't need the other elements and attributes you showed, when doing token verification.

If the string between <Scope> and </Scope> includes spaces, then ... the policy will interpret that as a list of distinct scopes, and will verify the token if it has ANY of the listed scopes. Therefore a policy like this:

<OAuthV2 name="OAuthV2.VerifyAccessToken">
  <Operation>VerifyAccessToken</Operation>
  <Scope>READ WRITE</Scope>
</OAuthV2>

...will successfully pass the token if the token possesses either READ or WRITE scope, or both. This is usually not what you want.

There is no way, at this moment, to use a single OAuthV2 policy to verify that several scopes are present on a token. There are two "workarounds" I can think of:

  1. Use two successive calls to VerifyAccessToken, specifying a single distinct scope in each one. The 2nd VAT policy will always rely on cached data, so it will be quite fast, much less than 1ms. The first policy may also be satisfied from cache, if the token has been seen "recently".
  2. "Manually" check the scope using a Condition that tests the token scope with a regex, wrapped around a RaiseFault policy.

In the future we may support verifying multiple scopes in a single VerifyAccessToken policy (ref: APIRT-916). We think it is a less common scenario though.

Let me know if this helps...
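The following is an added example, not code from the thread or from the Apigee documentation. It shows the any-of behaviour of a space-separated `<Scope>` described in the reply above, and then both workarounds for requiring READ and WRITE together. The policy names (OAuthV2-VerifyAnyOf, OAuthV2-VerifyRead, OAuthV2-VerifyWrite, RF-MissingWrite) are hypothetical, each policy would normally sit in its own file under apiproxy/policies/, and the `scope` flow variable is assumed to be populated by VerifyAccessToken with the token's granted scopes as a space-separated string.

```xml
<!-- Added example: not from the thread. Policy names are hypothetical; the
     "scope" flow variable is assumed to hold the token's granted scopes,
     space-separated, after VerifyAccessToken runs. Each policy below would
     live in its own file under apiproxy/policies/. -->

<!-- Any-of check: a space in <Scope> is a list, and the policy passes
     if the token has READ, or WRITE, or both. Usually not what you want. -->
<OAuthV2 name="OAuthV2-VerifyAnyOf">
  <Operation>VerifyAccessToken</Operation>
  <Scope>READ WRITE</Scope>
</OAuthV2>

<!-- Workaround 1: two policies with one scope each, run back to back.
     Both must pass, so together they require READ AND WRITE. -->
<OAuthV2 name="OAuthV2-VerifyRead">
  <Operation>VerifyAccessToken</Operation>
  <Scope>READ</Scope>
</OAuthV2>

<OAuthV2 name="OAuthV2-VerifyWrite">
  <Operation>VerifyAccessToken</Operation>
  <Scope>WRITE</Scope>
</OAuthV2>

<!-- Workaround 2: after OAuthV2-VerifyRead has validated the token, reject
     the request when WRITE is absent from the token's scope list. -->
<RaiseFault name="RF-MissingWrite">
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
  <FaultResponse>
    <Set>
      <StatusCode>403</StatusCode>
      <ReasonPhrase>Forbidden</ReasonPhrase>
      <Payload contentType="application/json">{"error":"insufficient_scope","required":"READ WRITE"}</Payload>
    </Set>
  </FaultResponse>
</RaiseFault>

<!-- Request PreFlow wiring. Use EITHER the second VerifyAccessToken step
     (workaround 1) OR the conditional RaiseFault step (workaround 2);
     both are shown here only for comparison. -->
<ProxyEndpoint name="default">
  <PreFlow name="PreFlow">
    <Request>
      <Step><Name>OAuthV2-VerifyRead</Name></Step>
      <!-- Workaround 1 -->
      <Step><Name>OAuthV2-VerifyWrite</Name></Step>
      <!-- Workaround 2: the regex must match the whole scope string, and the
           optional leading/trailing whitespace groups make sure "WRITE" is a
           distinct list entry, so a scope such as "READWRITE" does not pass. -->
      <Step>
        <Name>RF-MissingWrite</Name>
        <Condition>NOT (scope JavaRegex "(.*\s)?WRITE(\s.*)?")</Condition>
      </Step>
    </Request>
  </PreFlow>
  <HTTPProxyConnection>
    <BasePath>/example</BasePath>
  </HTTPProxyConnection>
  <RouteRule name="default">
    <TargetEndpoint>default</TargetEndpoint>
  </RouteRule>
</ProxyEndpoint>
```

Workaround 1 keeps the decision inside the OAuthV2 policy (cache lookups, standard 401 fault), so it is the simpler one to operate; workaround 2 gives you a distinct 403 for "valid token, wrong scopes", which is easier to tell apart from an invalid or expired token in logs.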

Hi, your answer was extremely helpful, thank you for responding! We do have the correct scope types and they are meant to be interpreted as a list of distinct scopes. However, another team is in charge of the generate access token policy, and we had to coordinate with them to make the change. Thanks again!

I'm glad to be of help to you. So you have solved the problem? What change did you make in the GenerateAccessToken policy? I'm curious...