How can i use refresh token along with access token created by External Authorization ?


I got an access_token and refresh token from external authorization (Google). I used the Apigee OAuthV2 policy to generate an Apigee token. In another proxy, I created a policy for VerifyAccessToken and it was verified.

Now I want to use the refresh_token concept. How can I store the refresh_token returned by Google in the Generate Access Token policy? In the documentation, it is written:

"Configure one of these OAuthV2 elements: <ExternalAccessToken>, <ExternalRefreshToken>, or <ExternalAuthorizationCode>. These elements specify a flow variable where Edge should look to find the externally-generated access token, refresh token, or authorization code. It's up to you to implement policies/logic to call the external identity service, determine if the callout succeeded or not, and place the external token in the variable "

Does Apigee generate its own refresh token? What is the use of ReuseRefreshToken? And how can I check if the token is expired and then invoke the refresh token?

Any advice would be appreciated.

1 ACCEPTED SOLUTION

Hi @hughespoc,

You can store the externally generated refresh token the same basic way you store the externally generated access token, but using the <ExternalRefreshToken> attribute, if that's what you want to do. I'd be sure your use case really requires tokens to be generated externally. It'd be easier to manage access/refresh tokens for your API proxy entirely in Edge.

If you've configured OAuthV2 policy to use external tokens, then Edge will not generate new tokens -- you'll have to develop a flow that allows you to go back to the external service to get new tokens when they expire, and then store them once again in Edge.

Per the OAuth2 spec, I believe you can only store refresh tokens if the grant type is either password or authorization code.

Once you have stored an externally generated refresh token, the expiration settings and <ReuseRefreshToken> will work as expected (as documented). When a token expires, the OAuthV2 policy will throw an error like this:

{"fault":{"faultstring":"Access Token expired","detail":{"errorcode":"keymanagement.service.access_token_expired"}}}

You'll have to handle that error and, if necessary, go back to your external service and generate new token(s), then store the new token(s) in Edge as before. See also the fault handling doc.

Here's a policy example that I tested -- it stores an external access and refresh token, and sets expiry times, which are honored whenever Edge does a VerifyAccessToken operation:

<OAuthV2 async="false" continueOnError="false" enabled="true" name="OAuth-v20-Store-External-Token">
    <DisplayName>OAuth v2.0 1</DisplayName>
    <ExternalAccessToken>request.queryparam.external_access_token</ExternalAccessToken>
    <ExternalRefreshToken>request.queryparam.external_refresh_token</ExternalRefreshToken>
    <ExternalAuthorization>true</ExternalAuthorization>
    <Operation>GenerateAccessToken</Operation>
    <RefreshTokenExpiresIn>100000</RefreshTokenExpiresIn>
    <ExpiresIn>10000</ExpiresIn>
    <GenerateResponse enabled="true">
        <Format>FORM_PARAM</Format>
    </GenerateResponse>
    <ReuseRefreshToken>false</ReuseRefreshToken>
    <StoreToken>true</StoreToken>
    <SupportedGrantTypes>
        <GrantType>password</GrantType>
    </SupportedGrantTypes>
    <Tokens/>
</OAuthV2>

I hope this extra info helps with your questions. If not, feel free to follow up.

Will
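Added example (not from the original post or Apigee): a client-side sketch of the "handle the expired fault, refresh at the external IdP, re-store in Edge" loop described above. The Edge token store and the Google refresh endpoint are replaced by a constructed in-memory stand-in so it runs offline; the fault errorcode and the external_access_token / external_refresh_token query-param names are the ones from the answer.

```python
import json

# errorcode Edge returns for an expired stored token (from the fault shown in the answer)
EXPIRED_CODE = "keymanagement.service.access_token_expired"


def is_expired_fault(body):
    """True only when the Edge fault JSON carries the access-token-expired errorcode."""
    try:
        return json.loads(body)["fault"]["detail"]["errorcode"] == EXPIRED_CODE
    except (ValueError, KeyError, TypeError):
        return False


def store_params(access_token, refresh_token):
    """Query params the store policy above reads via request.queryparam.*"""
    return {"external_access_token": access_token, "external_refresh_token": refresh_token}


def call_with_refresh(verify, refresh_external, store, access_token, refresh_token):
    """verify(at) -> (status, body); refresh_external(rt) -> (at, rt) or None; store(params).
    Returns ((access, refresh) now in use, one of "ok" / "refreshed" / "reauthorize")."""
    status, body = verify(access_token)
    if status == 200:
        return (access_token, refresh_token), "ok"
    if not is_expired_fault(body):
        return (access_token, refresh_token), "reauthorize"  # other fault: no blind retry
    new_pair = refresh_external(refresh_token)
    if new_pair is None:  # refresh token rejected or expired at the IdP: user must log in again
        return (access_token, refresh_token), "reauthorize"
    store(store_params(*new_pair))  # hand the new tokens back to Edge, as the answer describes
    status, _ = verify(new_pair[0])
    return new_pair, ("refreshed" if status == 200 else "reauthorize")


class FakeBackend:
    """Constructed stand-in for the Edge token store and the external IdP (not Apigee code)."""
    def __init__(self):
        self.valid, self.expired = set(), {"old-at"}
        self.idp_refresh = {"old-rt": ("new-at", "new-rt")}  # constructed sample tokens
        self.stored = []
    def verify(self, tok):
        if tok in self.valid:
            return 200, "{}"
        code = EXPIRED_CODE if tok in self.expired else "constructed.other_fault"
        return 401, json.dumps({"fault": {"faultstring": "x", "detail": {"errorcode": code}}})
    def refresh_external(self, rt):
        return self.idp_refresh.get(rt)
    def store(self, params):  # mimics GenerateAccessToken with <StoreToken>true</StoreToken>
        self.stored.append(params)
        self.valid.add(params["external_access_token"])
```

Note that reading tokens from query parameters, as the tested policy does, leaves them in access logs and proxies; for production, read them from a form parameter or header flow variable instead.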


3 REPLIES


Thanks @wwitman for the reply.

But how can I fetch the ExternalRefreshToken in the other proxy? I mean, when I make a check in the other proxy to verify the token, if the below error comes:

{"fault":{"faultstring":"Access Token expired","detail":{"errorcode":"keymanagement.service.access_token_expired"}}}

then I have to call the external service with the refresh token to generate a new token. How can I get/fetch this refresh token? I stored this token in the Apigee policy in the other proxy (using the way you provided).

Hey @Will Witman!

Do you have any suggestions about the question from @hughespoc ?