I got an access_token and refresh_token from an external authorization server (Google). I used the Apigee OAuthV2 policy to generate an Apigee token. In another proxy, I created a VerifyAccessToken policy and the token was verified.
Now I want to use the refresh_token concept. How can I store the refresh_token returned by Google in the Generate Access Token policy? In the documentation, it is written:
"Configure one of these OAuthV2 elements: <ExternalAccessToken>, <ExternalRefreshToken>, or <ExternalAuthorizationCode>. These elements specify a flow variable where Edge should look to find the externally-generated access token, refresh token, or authorization code. It's up to you to implement policies/logic to call the external identity service, determine if the callout succeeded or not, and place the external token in the variable."
Does Apigee generate its own refresh token? What is the use of ReuseRefreshToken? And how can I check if the token is expired, and then invoke the refresh token?
Any advice would be appreciated.
Hi @hughespoc,
You can store the externally generated refresh token the same basic way you store the externally generated access token, but using the <ExternalRefreshToken> attribute, if that's what you want to do. I'd be sure your use case really requires tokens to be generated externally. It'd be easier to manage access/refresh tokens for your API proxy entirely in Edge.
If you've configured OAuthV2 policy to use external tokens, then Edge will not generate new tokens -- you'll have to develop a flow that allows you to go back to the external service to get new tokens when they expire, and then store them once again in Edge.
Per the OAuth2 spec, I believe you can only store refresh tokens if the grant type is either password or authorization code.
Once you have stored an externally generated refresh token, the expiration settings and <ReuseRefreshToken> will work as expected (as documented). When a token expires, the OAuthV2 policy will throw an error like this:
{"fault":{"faultstring":"Access Token expired","detail":{"errorcode":"keymanagement.service.access_token_expired"}}}
You'll have to handle that error and, if necessary, go back to your external service and generate a new token(s), then store the new token(s) in Edge as before. See also the fault handling doc.
Here's a policy example that I tested -- it stores an external access and refresh token, and sets expiry times, which are honored whenever Edge does a VerifyAccessToken operation:
<OAuthV2 async="false" continueOnError="false" enabled="true" name="OAuth-v20-Store-External-Token">
    <DisplayName>OAuth v2.0 1</DisplayName>
    <ExternalAccessToken>request.queryparam.external_access_token</ExternalAccessToken>
    <ExternalRefreshToken>request.queryparam.external_refresh_token</ExternalRefreshToken>
    <ExternalAuthorization>true</ExternalAuthorization>
    <Operation>GenerateAccessToken</Operation>
    <RefreshTokenExpiresIn>100000</RefreshTokenExpiresIn>
    <ExpiresIn>10000</ExpiresIn>
    <GenerateResponse enabled="true">
        <Format>FORM_PARAM</Format>
    </GenerateResponse>
    <ReuseRefreshToken>false</ReuseRefreshToken>
    <StoreToken>true</StoreToken>
    <SupportedGrantTypes>
        <GrantType>password</GrantType>
    </SupportedGrantTypes>
    <Tokens/>
</OAuthV2>
I hope this extra info helps with your questions. If not, feel free to follow up.
Will
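An added illustration of the handle-the-fault-then-refresh loop described in the answer above, written by the editor and not taken from the thread or from Apigee's own code: the client keeps the Google refresh token it received, recognises Edge's access_token_expired fault, runs the standard OAuth 2.0 refresh_token grant against Google, and re-stores the new token through the proxy that carries the policy above. The proxy URLs, the client credentials and the `http` transport callable are assumptions; the policy reads tokens from query parameters, so a production deployment should prefer a POST body or header to keep tokens out of access logs.

```python
import json
from urllib.parse import urlencode

# Error code Edge returns when a stored access token has passed ExpiresIn
EXPIRED_ERRORCODE = "keymanagement.service.access_token_expired"
GOOGLE_TOKEN_URL = "https://oauth2.googleapis.com/token"


def is_expired_fault(body):
    """True only for Edge's fault JSON carrying the expired-token errorcode."""
    try:
        detail = json.loads(body)["fault"]["detail"]
    except (ValueError, KeyError, TypeError):
        return False
    return detail.get("errorcode") == EXPIRED_ERRORCODE


def refresh_google_token(http, client_id, client_secret, refresh_token):
    """Standard refresh_token grant against Google; returns the new access token.
    `http(method, url, headers, body) -> (status, body)` is an assumed transport."""
    form = urlencode({"client_id": client_id, "client_secret": client_secret,
                      "refresh_token": refresh_token, "grant_type": "refresh_token"})
    status, body = http("POST", GOOGLE_TOKEN_URL,
                        {"Content-Type": "application/x-www-form-urlencoded"}, form)
    if status != 200:
        raise RuntimeError(f"Google refresh failed: {status} {body}")
    return json.loads(body)["access_token"]


def store_in_edge(http, store_url, auth_headers, access_token, refresh_token):
    """Re-store both external tokens via the proxy holding the
    OAuth-v20-Store-External-Token policy (it reads these two query params).
    `auth_headers` carries whatever client authentication that proxy expects."""
    query = urlencode({"external_access_token": access_token,
                       "external_refresh_token": refresh_token})
    status, body = http("POST", f"{store_url}?{query}", auth_headers, "")
    if status != 200:
        raise RuntimeError(f"storing token in Edge failed: {status} {body}")
    return access_token  # Edge keeps the Google-issued value as the token


def call_api(http, api_url, tokens, google_creds, store_url, store_auth):
    """Call the protected proxy; on the expired fault, refresh with Google,
    re-store in Edge and retry exactly once. `tokens` is updated in place."""
    hdr = {"Authorization": f"Bearer {tokens['access_token']}"}
    status, body = http("GET", api_url, hdr, "")
    if not is_expired_fault(body):
        return status, body
    new_at = refresh_google_token(http, *google_creds, tokens["refresh_token"])
    # Google normally does not rotate the refresh token, so the old one is kept
    tokens["access_token"] = store_in_edge(http, store_url, store_auth,
                                           new_at, tokens["refresh_token"])
    hdr = {"Authorization": f"Bearer {tokens['access_token']}"}
    return http("GET", api_url, hdr, "")
```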
Thanks @wwitman for reply.
But how can I fetch the ExternalRefreshToken in the other proxy? I mean to say, when I make a check in the other proxy to verify the token, if the error below comes:
{"fault":{"faultstring":"Access Token expired","detail":{"errorcode":"keymanagement.service.access_token_expired"}}}
then I have to call the external service with the refresh token to generate a new token. How can I get/fetch this refresh token? I stored this token in the Apigee policy in the other proxy (using the way which you provided).
Hey @Will Witman!
Do you have any suggestions about the question from @hughespoc ?