Why doesn't my generate token OAuth 2.0 policy with authorization grant work without a redirect_uri?

According to Apigee's documentation I should be able to make a call like this to exchange an authorization code for an access token:

$ curl https://{org_name}-test.apigee.net/my_oauth_proxy/accesstoken?code=Xyz123&grant_type=authorization_c... -X POST -d 'client_id=bBGAQrXgivA9lKu7NMPyoYpKNhGar6K&client_secret=hAr4GngA9vAyvI4'

However, when I do it I get an error back. The only way I got it to work was by adding a redirect_uri.

This is my policy:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="generate-access-token-auth">
    <DisplayName>generate access token - authorization code</DisplayName>
    <Properties/>
    <Attributes>
        <Attribute name="jwt" ref="oauthv2authcode.get-auth-code-info.jwt"/>
        <Attribute name="usernumber" ref="oauthv2authcode.get-auth-code-info.usernumber"/>
    </Attributes>
    <ExternalAuthorization>false</ExternalAuthorization>
    <Operation>GenerateAccessToken</Operation>
    <SupportedGrantTypes>
        <GrantType>authorization_code</GrantType>
    </SupportedGrantTypes>
    <GenerateResponse enabled="false"/>
    <Tokens/>
</OAuthV2>

Where can I make changes to make it work without a redirect_uri?

ACCEPTED SOLUTION

Hi @Friso Denijs --

I think this may be the problem you're seeing...

According to the doc, when generating an auth code, the redirect_uri parameter is optional if a Callback URL is specified in the Developer App associated with the client ID.

Unfortunately, while the doc says (and shows) this is the case for requesting an auth code, the doc is not clear in stating that if the auth code was generated with a redirect_uri parameter (i.e., the Callback URL was not specified in the developer app) then you need to specify the redirect_uri param when you generate an access token (authorization_code grant type).

So, if you use the redirect_uri param to get the auth code, you need to follow suit when you generate the token. If you don't need redirect_uri to get the code (Callback URI is specified in the app), then you also won't need it to get the access token.

I tested this out and found that this appears to be correct, but I'll do some more checking. I believe the doc you linked to is unclear about this and will update it.

Sorry for the confusion. Please let me know if this makes sense and helps.

Best regards,

Will
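
The rule described in the answer above, modeled as an added example (not part of the original thread and not Apigee's code): the authorization server records whether a redirect_uri was sent when the code was issued and enforces the same value at the token step, as RFC 6749 section 4.1.3 requires. The client IDs, URLs and function names are constructed for illustration.

```python
import secrets

# Constructed sample registrations: app-a has a Callback URL, app-b does not.
REGISTERED_CALLBACK = {"app-a": "https://client.example/cb", "app-b": None}
_codes = {}  # auth code -> (client_id, redirect_uri sent in the auth request, or None)


class OAuthError(Exception):
    pass


def issue_code(client_id, redirect_uri=None):
    """Authorization step: redirect_uri is optional only with a registered callback."""
    registered = REGISTERED_CALLBACK[client_id]
    if redirect_uri is None and registered is None:
        raise OAuthError("invalid_request: redirect_uri required")
    if redirect_uri is not None and registered is not None and redirect_uri != registered:
        raise OAuthError("invalid_request: redirect_uri does not match registration")
    code = secrets.token_urlsafe(16)
    _codes[code] = (client_id, redirect_uri)  # bind the code to what was sent
    return code


def redeem_code(client_id, code, redirect_uri=None):
    """Token step: enforce the binding recorded when the code was issued."""
    entry = _codes.pop(code, None)  # single use: consumed even if a check below fails
    if entry is None or entry[0] != client_id:
        raise OAuthError("invalid_grant: unknown code")
    bound = entry[1]
    if bound is not None and redirect_uri != bound:
        # Covers both a missing redirect_uri and a different one.
        raise OAuthError("invalid_grant: redirect_uri mismatch")
    if bound is None and redirect_uri not in (None, REGISTERED_CALLBACK[client_id]):
        # Conservative choice of this sketch; the RFC does not mandate it.
        raise OAuthError("invalid_grant: redirect_uri mismatch")
    return secrets.token_urlsafe(24)  # stand-in for the access token
```

The binding is what stops an authorization code delivered to one redirect target from being redeemed in a flow that claims a different one, which is why the token endpoint cannot simply ignore the parameter.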
