I have the following GenToken policy that fails just after the client_id is validated successfully by a ValidateKey step:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="OAuth-v20-genClientToken">
    <DisplayName>OAuth v2.0-genClientToken</DisplayName>
    <Operation>GenerateAccessToken</Operation>
    <ClientId>request.queryparam.client_id</ClientId>
    <GrantType>request.queryparam.grant_type</GrantType>
    <SupportedGrantTypes>
        <GrantType>client_credentials</GrantType>
    </SupportedGrantTypes>
    <GenerateResponse enabled="false"/>
</OAuthV2>
I am not clear what could even cause this to happen.
Any help/pointers would be greatly appreciated.
Hey @terrancedavid
If you could expand on what the error message is, it will be easier to trace the issue.
I would examine whether the grant type is indeed being passed correctly.
GenerateAccessToken is fussy in this regard, insisting on obtaining the grant_type from a variable. You could insist the users pass this or use an AssignMessage policy to hardcode the parameter value.
request.queryparam.grant_type
However ....
Assuming the error you are getting is :
{"ErrorCode" : "invalid_client", "Error" :"Client identifier is required"}
then the reason is likely to be that you have not provided the Authorization header.
The policy does not reference the client ID from the <ClientId> tag.
It expects an Authorization header of 'Basic {base64Encoded clientID :clientSecret}'
Update: You can also POST client_id and client_secret as form parameters in the body, e.g.
client_id=QrS96hvxnRY64kvt2Mt4jTMQiaYUnkaZ&client_secret=UmFCc1GmijjO2h3T
I am including two policies that would allow you to generate this on behalf of the caller, but I must point out that in doing this you are bypassing the security provided when you require the user to pass both clientID and clientSecret.
1. verifyKey
<VerifyAPIKey async="false" continueOnError="false" enabled="true" name="tryVerifyAPIkey">
    <DisplayName>tryVerifyAPIkey</DisplayName>
    <Properties/>
    <APIKey ref="request.queryparam.client_id"/>
</VerifyAPIKey>
2. Build a header using verifyKey details
<BasicAuthentication async="false" continueOnError="false" enabled="true" name="BABuildAuthHeader">
    <DisplayName>BA.BuildAuthHeader</DisplayName>
    <Operation>Encode</Operation>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <User ref="request.queryparam.client_id"/>
    <Password ref="verifyapikey.tryVerifyAPIkey.client_secret"/>
    <AssignTo createNew="false">request.header.Authorization</AssignTo>
</BasicAuthentication>
3. Generate the token.
<OAuthV2 async="false" continueOnError="false" enabled="true" name="OAuth-v20-genClientToken">
    <DisplayName>OAuth v2.0-genClientToken</DisplayName>
    <Operation>GenerateAccessToken</Operation>
    <GrantType>request.queryparam.grant_type</GrantType>
    <SupportedGrantTypes>
        <GrantType>client_credentials</GrantType>
    </SupportedGrantTypes>
    <GenerateResponse enabled="false"/>
</OAuthV2>
Hope this helps.
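To make the credential handling described in the answer concrete, here is an added Python model of the token endpoint's client check (example code written for this thread, not Apigee's implementation and not the poster's policies). It assumes a hypothetical in-memory credential store in place of VerifyAPIKey's lookup, and constructed sample credentials; the only error message taken from the thread is "Client identifier is required". It shows the Basic header exactly as the BasicAuthentication Encode operation builds it (base64 of clientId:clientSecret), the fallback to client_id/client_secret form parameters, and, for comparison, the proxy-side header construction from policies 1 and 2, which succeeds without the caller ever presenting the secret, which is the weakening the answer warns about.

```python
import base64
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed sample credentials for this example only (not real Apigee values).
SAMPLE_CLIENT_ID = "exampleClientId"
SAMPLE_CLIENT_SECRET = "exampleClientSecret"

# Hypothetical credential store standing in for what VerifyAPIKey looks up.
CLIENT_STORE: Dict[str, str] = {SAMPLE_CLIENT_ID: SAMPLE_CLIENT_SECRET}


def build_basic_auth_header(client_id: str, client_secret: str) -> str:
    """Produce 'Basic base64(clientId:clientSecret)', as the Encode operation does."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_auth_header(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (client_id, client_secret) from a Basic header, or None if unusable.

    Handles the failure modes a token endpoint sees: missing header, a different
    scheme (e.g. Bearer), invalid base64, and a payload with no ':' separator.
    """
    if not header:
        return None
    scheme, _, value = header.partition(" ")
    if scheme.lower() != "basic" or not value.strip():
        return None
    try:
        decoded = base64.b64decode(value.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    client_id, sep, client_secret = decoded.partition(":")
    if not sep or not client_id:
        return None
    return client_id, client_secret


def extract_client_credentials(headers: Dict[str, str], form: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Prefer the Authorization header; fall back to client_id/client_secret form params."""
    creds = parse_basic_auth_header(headers.get("Authorization"))
    if creds is None and form.get("client_id") and form.get("client_secret"):
        creds = (form["client_id"], form["client_secret"])
    return creds


def generate_access_token(headers: Dict[str, str], form: Dict[str, str]) -> Dict[str, str]:
    """Model of GenerateAccessToken's client check for the client_credentials grant."""
    if form.get("grant_type") != "client_credentials":
        # Constructed error text; the page does not show this message.
        return {"ErrorCode": "unsupported_grant_type", "Error": "grant_type must be client_credentials"}
    creds = extract_client_credentials(headers, form)
    if creds is None:
        # This is the error quoted in the answer when no credentials are presented.
        return {"ErrorCode": "invalid_client", "Error": "Client identifier is required"}
    client_id, client_secret = creds
    expected = CLIENT_STORE.get(client_id)
    # Constant-time comparison so secret checking does not leak timing information.
    if expected is None or not hmac.compare_digest(expected.encode(), client_secret.encode()):
        return {"ErrorCode": "invalid_client", "Error": "client credentials rejected (constructed message)"}
    return {"access_token": secrets.token_urlsafe(32), "token_type": "BearerToken"}


def proxy_build_header_from_client_id(client_id: str) -> Optional[str]:
    """Models policies 1 and 2 from the answer: look the secret up by client_id and
    encode a Basic header on the caller's behalf. The caller has proved nothing but
    knowledge of the client_id, so a token is issued without the secret ever being sent."""
    secret = CLIENT_STORE.get(client_id)
    if secret is None:
        return None
    return build_basic_auth_header(client_id, secret)


if __name__ == "__main__":
    hdr = build_basic_auth_header(SAMPLE_CLIENT_ID, SAMPLE_CLIENT_SECRET)
    print(generate_access_token({}, {"grant_type": "client_credentials"}))
    print(generate_access_token({"Authorization": hdr}, {"grant_type": "client_credentials"}))
    print(generate_access_token({"Authorization": proxy_build_header_from_client_id(SAMPLE_CLIENT_ID)},
                                {"grant_type": "client_credentials"}))
```

Running the block shows the three cases in order: no credentials gives the "Client identifier is required" error, a caller-built Basic header yields a token, and the proxy-built header also yields a token even though the request carried only the client_id. If the proxy does build the header itself, treat the client_id as the sole credential for that flow and restrict the proxy accordingly.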