How to access an API using access token generated through OAuth policy.

Actually I have generated an access token using OAuth 2.0. Now I am trying to access that API proxy using the access token by giving Authorization: Bearer ABCDEFGHIJKL in the header.

I am getting error as follows:

    {
      "error": "auth_bad_access_token",
      "timestamp": 1503488348244,
      "duration": 0,
      "error_description": "Unable to authenticate due to corrupt access token",
      "exception": "org.apache.usergrid.rest.exceptions.SecurityException"
    }

Please help me to resolve the issue.

Thanks & Regards.


Hi @A.Anu Manasa - Are you trying to access resources from a BaaS collection with a token minted by Apigee Edge?

First, the token "ABCDEFGHIJKL" is not likely to be valid. I'm not sure if you are REALLY passing that as the token value, or you are using that as an example string. If that is what you are REALLY passing, it probably won't work.

Second, the response that you showed in your question seems to be generated by Usergrid/BaaS. If that is the case, how are you invoking Usergrid/BaaS? What is the full request you are sending? How did you obtain the token you are sending to Usergrid/BaaS?


Some background: There are two subsystems within Apigee Edge that handle OAuthV2 tokens:

  • the Apigee Edge Key Management system
  • Apigee Edge BaaS

You may be aware that Apigee Edge BaaS was originally a product called "Usergrid" that Apigee acquired, and rolled into the Apigee Edge product. Usergrid/BaaS exposes a RESTful interface for simple CRUD operations. You do not need to use an Apigee Edge proxy in order to access Usergrid/BaaS. As a self-standing product, Usergrid/BaaS can issue tokens, and can verify/validate tokens presented in requests.

There is a separate, independent system within Apigee Edge that allows you to "wrap" any existing API with an OAuthV2 facade. Within the Apigee Edge product, this is implemented by what we have called the "Key Management System". When you create an API Proxy that calls the OAuthV2 policy with Operation = GenerateAccessToken, you are using the KMS. When you execute an API Proxy that calls the OAuthV2 policy with Operation = VerifyAccessToken, you are using the KMS. This is intended to allow API teams to wrap OAuthV2 protection around any (possibly insecure) API.

The two systems I just described are completely independent. Tokens issued by the Apigee Edge KMS are not known to BaaS, and if presented to BaaS, will be rejected as invalid. And tokens issued by BaaS will not be known to the Apigee Edge KMS.

It is possible to build an API Proxy in Apigee Edge that wraps Usergrid/BaaS. In other words, BaaS is the target. And it is possible that the API Proxy will include an OAuthV2 policy that uses Operation = VerifyAccessToken. To make a successful call to the proxy, a client would need to pass a Bearer token in the Authorization Header. The VerifyAccessToken might pass that token. But upon passing the request to the target, unless you include a step to remove the token, the same token will be passed to BaaS. As I described above, the token that is known and valid to Apigee Edge KMS will not be known and valid to Apigee BaaS. Is it possible this is the scenario you have? It might explain the error message you see.
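The scenario described in the reply above, as an added example that is not part of the original thread: an Apigee Edge API proxy whose ProxyEndpoint verifies the KMS-issued Bearer token with an OAuthV2 VerifyAccessToken policy, then strips the Authorization header with an AssignMessage policy before the request is forwarded to the BaaS target, so the KMS token is never presented to Usergrid/BaaS. The policy names, the base path and the target URL are placeholders chosen for this example; the OAuthV2, AssignMessage, ProxyEndpoint and TargetEndpoint elements are standard Apigee Edge configuration.

```xml
<!-- policies/OAuthV2-VerifyAccessToken.xml
     Validates the Bearer token in the Authorization header against the
     Apigee Edge Key Management System (KMS). Rejects the request if the
     token is missing, expired, or was not issued by KMS. -->
<OAuthV2 name="OAuthV2-VerifyAccessToken">
  <Operation>VerifyAccessToken</Operation>
</OAuthV2>

<!-- policies/AM-RemoveAuthorizationHeader.xml
     Removes the Authorization header from the outbound request. Without
     this step the KMS token would be forwarded to BaaS, which does not
     recognise it and answers with auth_bad_access_token. -->
<AssignMessage name="AM-RemoveAuthorizationHeader">
  <Remove>
    <Headers>
      <Header name="Authorization"/>
    </Headers>
  </Remove>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
  <AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>

<!-- proxies/default.xml
     Request PreFlow: verify the token first, then drop the header. -->
<ProxyEndpoint name="default">
  <PreFlow name="PreFlow">
    <Request>
      <Step>
        <Name>OAuthV2-VerifyAccessToken</Name>
      </Step>
      <Step>
        <Name>AM-RemoveAuthorizationHeader</Name>
      </Step>
    </Request>
    <Response/>
  </PreFlow>
  <HTTPProxyConnection>
    <!-- placeholder base path for this example -->
    <BasePath>/v1/baas-wrapper</BasePath>
    <VirtualHost>secure</VirtualHost>
  </HTTPProxyConnection>
  <RouteRule name="default">
    <TargetEndpoint>default</TargetEndpoint>
  </RouteRule>
</ProxyEndpoint>

<!-- targets/default.xml
     BaaS is the target; by this point the request carries no KMS token. -->
<TargetEndpoint name="default">
  <HTTPTargetConnection>
    <!-- placeholder BaaS URL; substitute your org and app -->
    <URL>https://BAAS_HOST/ORG_NAME/APP_NAME</URL>
  </HTTPTargetConnection>
</TargetEndpoint>
```

The removal step could equally be placed in the TargetEndpoint request PreFlow; what matters is that it runs after VerifyAccessToken (so the proxy still enforces the KMS token) and before the request leaves for the target. If the BaaS collection itself requires authentication, that is handled separately with credentials BaaS recognises, not with the KMS token.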