Gen CC token fails after ValidateKey succeeds

I have the following GenToken policy, which fails just after the client_id has been validated successfully by a ValidateKey step:


<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="OAuth-v20-genClientToken">
    <DisplayName>OAuth v2.0-genClientToken</DisplayName>
    <Operation>GenerateAccessToken</Operation>
    <ClientId>request.queryparam.client_id</ClientId>
    <GrantType>request.queryparam.grant_type</GrantType>
    <SupportedGrantTypes>
        <GrantType>client_credentials</GrantType>
    </SupportedGrantTypes>
    <GenerateResponse enabled="false"/>
</OAuthV2>


I am not clear what could even cause this to happen.

Any help/pointers would be greatly appreciated.

1 REPLY

robinm
Participant IV

Hey @terrancedavid

If you could expand on what the error message is, it will be easier to trace the issue.

I would examine whether the grant type is indeed being passed correctly.
GenerateAccessToken is fussy in this regard, insisting on obtaining the grant_type from a variable. You could insist that users pass this, or use an AssignMessage policy to hard-code the parameter value.

request.queryparam.grant_type

However ....

Assuming the error you are getting is :

{"ErrorCode" : "invalid_client", "Error" :"Client identifier is required"}

then the reason is likely to be that you have not provided the Authorization header.

The policy does not reference the client ID from the <ClientId> tag.

It expects an Authorization header of 'Basic {base64Encoded clientID:clientSecret}'

Update: You can also POST client_id and client_secret as form parameters in the body, e.g.
client_id=QrS96hvxnRY64kvt2Mt4jTMQiaYUnkaZ&client_secret=UmFCc1GmijjO2h3T

I am including two policies that would allow you to generate this on behalf of the caller, but I must point out that in doing this you are bypassing the security provided when you require the user to pass both clientID and clientSecret.

1. verifyKey

<VerifyAPIKey async="false" continueOnError="false" enabled="true" name="tryVerifyAPIkey">
    <DisplayName>tryVerifyAPIkey</DisplayName>
    <Properties/>
    <APIKey ref="request.queryparam.client_id"/>
</VerifyAPIKey>

2. Build a header using verifyKey details

<BasicAuthentication async="false" continueOnError="false" enabled="true" name="BABuildAuthHeader">
    <DisplayName>BA.BuildAuthHeader</DisplayName>
    <Operation>Encode</Operation>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <User ref="request.queryparam.client_id"/>
    <Password ref="verifyapikey.tryVerifyAPIkey.client_secret"/>
    <AssignTo createNew="false">request.header.Authorization</AssignTo>
</BasicAuthentication>

3. Generate the token.

<OAuthV2 async="false" continueOnError="false" enabled="true" name="OAuth-v20-genClientToken">
    <DisplayName>OAuth v2.0-genClientToken</DisplayName>
    <Operation>GenerateAccessToken</Operation>
    <GrantType>request.queryparam.grant_type</GrantType>
    <SupportedGrantTypes>
        <GrantType>client_credentials</GrantType>
    </SupportedGrantTypes>
    <GenerateResponse enabled="false"/>
</OAuthV2>

Hope this helps.
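As an added illustration of the reply above (this is example code, not code from the original post or from Apigee), the following Python models the credential lookup the reply describes for GenerateAccessToken with the client_credentials grant: credentials are read from a Basic Authorization header or from client_id/client_secret form parameters, and a client_id query parameter on its own produces the invalid_client error quoted above. It also models the VerifyAPIKey + BasicAuthentication workaround, to make the reply's caveat concrete: once the proxy builds the header itself, knowing a client_id is enough to obtain a token. The function names, the in-memory client registry, the request shape, the placeholder token and all error texts other than the quoted invalid_client body are assumptions made for this example; the real policy is not reproduced.

```python
"""Added example, not code from the original post or from Apigee.

Models only the behaviour the reply states for GenerateAccessToken with the
client_credentials grant:
  - client id and secret come from 'Authorization: Basic ...' or from
    client_id / client_secret form parameters,
  - a client_id query parameter alone is ignored, so the request fails with
    {"ErrorCode": "invalid_client", "Error": "Client identifier is required"}.
Function names, the registry, the token value and the other error texts are
assumptions for this example.
"""
import base64
from typing import Mapping, Optional, Tuple

# Constructed registry. The id/secret pair is the one quoted in the reply; the
# dict stands in for the app credentials Apigee would look up.
CLIENTS = {"QrS96hvxnRY64kvt2Mt4jTMQiaYUnkaZ": "UmFCc1GmijjO2h3T"}

INVALID_CLIENT = {"ErrorCode": "invalid_client",
                  "Error": "Client identifier is required"}


def build_basic_auth_header(client_id: str, client_secret: str) -> str:
    """'Basic ' + base64(client_id:client_secret), i.e. what the reply's
    BasicAuthentication Encode policy writes into request.header.Authorization."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_auth_header(value: Optional[str]) -> Optional[Tuple[str, str]]:
    """Inverse of build_basic_auth_header; None when absent or malformed."""
    if not value:
        return None
    scheme, _, payload = value.strip().partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        decoded = base64.b64decode(payload.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    client_id, sep, client_secret = decoded.partition(":")
    return (client_id, client_secret) if sep and client_id else None


def extract_client_credentials(headers: Mapping[str, str],
                               form: Mapping[str, str]) -> Optional[Tuple[str, str]]:
    """Authorization header first, then form parameters. Query parameters are
    never consulted, which is why <ClientId>request.queryparam.client_id</ClientId>
    in the original policy changes nothing."""
    lowered = {k.lower(): v for k, v in headers.items()}
    creds = parse_basic_auth_header(lowered.get("authorization"))
    if creds:
        return creds
    if form.get("client_id") and form.get("client_secret"):
        return form["client_id"], form["client_secret"]
    return None


def generate_access_token(headers: Mapping[str, str], form: Mapping[str, str],
                          grant_type: Optional[str]):
    """Return (http_status, body). Only INVALID_CLIENT is the quoted text; the
    other messages and the token value are placeholders."""
    if grant_type != "client_credentials":
        return 400, {"ErrorCode": "invalid_request",
                     "Error": "grant_type must be client_credentials"}
    creds = extract_client_credentials(headers, form)
    if creds is None:
        return 401, dict(INVALID_CLIENT)
    client_id, client_secret = creds
    if CLIENTS.get(client_id) != client_secret:
        return 401, {"ErrorCode": "invalid_client",
                     "Error": "client credentials do not match"}
    return 200, {"token_type": "BearerToken",
                 "access_token": "tok-" + client_id[:8],  # placeholder token
                 "client_id": client_id}


def token_via_proxy_built_header(query: Mapping[str, str]):
    """The VerifyAPIKey + BasicAuthentication workaround: the proxy resolves the
    secret from the client_id alone (as verifyapikey.<name>.client_secret would)
    and builds the header itself. It works, and it also means anyone who knows
    a client_id gets a token without ever presenting the secret."""
    client_id = query.get("client_id", "")
    secret = CLIENTS.get(client_id)
    if secret is None:
        return 401, {"ErrorCode": "invalid_client", "Error": "unknown client_id"}
    headers = {"Authorization": build_basic_auth_header(client_id, secret)}
    return generate_access_token(headers, {}, query.get("grant_type"))


if __name__ == "__main__":
    cid, sec = next(iter(CLIENTS.items()))
    # The original request: client_id only in the query string -> invalid_client.
    print(generate_access_token({}, {}, "client_credentials"))
    # Caller presents Basic credentials -> token issued.
    print(generate_access_token({"Authorization": build_basic_auth_header(cid, sec)},
                                {}, "client_credentials"))
    # Proxy-built header: the client_id alone is enough.
    print(token_via_proxy_built_header({"client_id": cid, "grant_type": "client_credentials"}))
```

Running the block prints the three cases in order: the query-only request fails with the quoted error, the Basic-header request succeeds, and the proxy-built-header request also succeeds without the caller ever knowing the secret.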