Invalid Client Identifier when storing external token

Not applicable

I'm implementing a flow which takes a bearer access token which is generated by Ping Federate.

The access token is validated by a service call out to Ping which works correctly.

However when I try to store the token in Apigee I get the following error

{
    "fault": {
        "faultstring": "Invalid client identifier {0}",
        "detail": {
            "errorcode": "oauth.v2.InvalidClientIdentifier"
        }
    }
}

Below are my two steps after the service call out to store the token

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AssignMessage name="AssignMessage-SetVariable" continueOnError="false" enabled="true">
    <DisplayName>Assign Message - Set Variable</DisplayName>
    <AssignVariable>
        <Name>oauth_external_authorization_status</Name>
        <Value>true</Value>
    </AssignVariable>
    <AssignVariable>
        <Name>grant_type</Name>
        <Value>client_credentials</Value>
    </AssignVariable>
    <Set>
        <FormParams>
            <FormParam name="client_id">{apigee.client_id}</FormParam>
        </FormParams>
    </Set>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</AssignMessage>
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 name="OAuth-v20-Store-External-Token">
    <DisplayName>OAuth v2.0 1</DisplayName>
    <Attributes>
        <Attribute name="ping_client_id" ref="ping.client_id"/>
    </Attributes>
    <ClientId>apigee.client_id</ClientId>
    <GrantType>grant_type</GrantType>
    <ExternalAccessToken>external_access_token</ExternalAccessToken>
    <ExternalAuthorization>true</ExternalAuthorization>
    <Operation>GenerateAccessToken</Operation>
    <ExpiresIn ref="ping.token.validation.expiresIn">10</ExpiresIn>
    <ReuseRefreshToken>false</ReuseRefreshToken>
    <StoreToken>true</StoreToken>
    <SupportedGrantTypes>
        <GrantType>client_credentials</GrantType>
    </SupportedGrantTypes>
    <Tokens/>
</OAuthV2>

My API proxy is associated with an API Product.

The error which shows up as a 500 in the Apigee trace happens in the 'OAuth-v20-Store-External-Token' step.

Any help in resolving this would be much appreciated.


Not applicable

Hi Tara,

In the below step, have you assigned the external token from Ping to the context variable 'external_access_token'? If not please try setting that and try again.

<ExternalAccessToken>external_access_token</ExternalAccessToken>

Please do let us know how it goes.

Thanks

Prakash


Not applicable

@Tara McLean You are setting the client_id as a form param in the Assign Message policy and have it again in the OAuth policy. It's redundant and not required; just have one of them.

even the grant_type.

Not sure if that's the cause but just an observation.

Refer this answer which worked, https://community.apigee.com/questions/44050/external-authorization-oauth-client-id-error-with.html?...

Thanks for the reply. I've tried what you suggested and implemented solution in the link.

This seems to work, but I can see in the trace that the property of the step = failed. It does however proceed. Further down in the flow I try to validate against the stored token I get an 'Invalid Access Token' message.

I'm assuming that the token has not been stored correctly.

I've double-checked and the context variable is set correctly. The 'failed' property of the OAuthV2 policy where I try to set the token is always failed.

Found the cause of the issue. Had configured the client id variable incorrectly, so the token was not being stored.

Hi Tara, what did you have incorrectly? And what was the correct way to specify the client id?

example-of-storing-external-token.zip I've attached my working example of how to store an external access token on Apigee. The important thing is to use the consumer key that you can find in Publish>Apps>YOUR_APP

Hi Tara,

I am also getting the same error. Were you able to resolve it?

Thanks

see below, Sushant.

I don't know what's wrong with your setup but this works for me, when "importing" an access token.

<OAuthV2 name='OAuthV2-ImportAccessToken-CC'>
  <Operation>GenerateAccessToken</Operation>
  <!--
      ExpiresIn, in milliseconds. The ref is optional. The explicitly specified
      value is the default, when the variable reference cannot be resolved.
      1800000 = 30 minutes
      2400000 = 40 minutes
      3600000 = 60 minutes
  -->
  <ExpiresIn ref='flow.variable'>1800000</ExpiresIn>

  <!--
      RefreshTokenExpiresIn, in milliseconds. Optional; if it is not
      specified, the default value will be used which is -1 (no expiration).
      691200000 = 8 days
      2592000000 = 30 days
  -->
  <RefreshTokenExpiresIn>691200000</RefreshTokenExpiresIn>

  <SupportedGrantTypes>
    <!--
        for client_credentials, the client_id and client_secret must be
        passed in, in the Basic Auth header, as per the
        specification.
    -->
    <GrantType>client_credentials</GrantType>
  </SupportedGrantTypes>

  <!-- variable that specifies the requested grant type -->
  <GrantType>request.formparam.grant_type</GrantType>

  <!-- variable that specifies the token to be imported -->
  <ExternalAccessToken>request.formparam.access_token</ExternalAccessToken>
  <StoreToken>true</StoreToken>
  <ExternalAuthorization>true</ExternalAuthorization>

  <Attributes>
    <Attribute name='grant_type'
               ref='request.formparam.grant_type'
               display='true'>UNDEFINED</Attribute>
  </Attributes>

  <GenerateResponse enabled='true'/>
</OAuthV2>


But there are some other requirements. These variables must be set:

  • request.formparam.client_id - the correct client id
  • request.header.Authorization - the HTTP Basic Auth encoded client_id and secret
  • oauth_external_authorization_status - must be true

I have a working proxy, attached here.

apiproxy-externalaccesstoken-1.zip

Deploy it, then Invoke it like this:

curl -i -u $client_id:$client_secret https://$ORG-$ENV.apigee.net/externalaccesstoken-1/import -d 'grant_type=client_credentials&access_token=ABCDEFGHIJKL'
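As an added illustration that is not part of this thread and not Apigee's or the attached proxy's code: the Python below simulates the preconditions listed in the answer above (a Basic Auth header carrying client_id and secret, a matching request.formparam.client_id, oauth_external_authorization_status set to true, grant_type client_credentials, and the external token variable actually resolved) over a constructed flow-variable context, and reports which one is missing or inconsistent. It also covers the accepted answer's point that the token variable must be populated; in the question's setup that variable was external_access_token, here it is request.formparam.access_token as in the policy above. REGISTERED_APPS, build_context, decode_basic_auth and check_import_context are assumed names, and the consumer key and secret are placeholders, not real credentials.

```python
"""Simulated pre-flight check for OAuthV2 GenerateAccessToken with
ExternalAuthorization=true. Hypothetical model of the Apigee flow-variable
context, written for illustration; not Apigee's implementation."""
import base64
import hmac
from typing import Dict, List, Optional, Tuple

# Constructed placeholder for the app registered under Publish > Apps
# (consumer key -> consumer secret). Not real credentials.
REGISTERED_APPS: Dict[str, str] = {
    "example-consumer-key": "example-consumer-secret",
}


def decode_basic_auth(header_value: str) -> Optional[Tuple[str, str]]:
    """Parse 'Basic base64(client_id:secret)'; return None if malformed."""
    scheme, _, payload = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        decoded = base64.b64decode(payload.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    client_id, sep, secret = decoded.partition(":")
    if not sep or not client_id:
        return None
    return client_id, secret


def build_context(client_id: str, secret: str, token: str,
                  form_client_id: Optional[str] = None,
                  status: str = "true") -> Dict[str, str]:
    """Assemble the flow variables the curl call above would produce (constructed)."""
    basic = base64.b64encode(f"{client_id}:{secret}".encode()).decode()
    return {
        "request.header.Authorization": f"Basic {basic}",
        "request.formparam.client_id": client_id if form_client_id is None else form_client_id,
        "request.formparam.grant_type": "client_credentials",
        "request.formparam.access_token": token,
        "oauth_external_authorization_status": status,
    }


def check_import_context(ctx: Dict[str, str]) -> List[str]:
    """Return precondition failures; an empty list means the import should store the token."""
    problems: List[str] = []
    if ctx.get("oauth_external_authorization_status") != "true":
        problems.append("oauth_external_authorization_status is not 'true'")
    if ctx.get("request.formparam.grant_type") != "client_credentials":
        problems.append("grant_type is not client_credentials")
    if not ctx.get("request.formparam.access_token"):
        problems.append("external token variable request.formparam.access_token is unset")
    creds = decode_basic_auth(ctx.get("request.header.Authorization", ""))
    if creds is None:
        problems.append("Authorization header is not valid HTTP Basic")
        return problems
    client_id, secret = creds
    if ctx.get("request.formparam.client_id") != client_id:
        problems.append("request.formparam.client_id differs from the Basic Auth client_id")
    expected = REGISTERED_APPS.get(client_id)
    # Constant-time comparison so the check does not leak secret length/prefix via timing
    if expected is None or not hmac.compare_digest(expected.encode(), secret.encode()):
        # Mirrors the fault the question reports when the id is not a known consumer key
        problems.append(f"Invalid client identifier {client_id}")
    return problems


if __name__ == "__main__":
    ok = build_context("example-consumer-key", "example-consumer-secret", "ABCDEFGHIJKL")
    print("well-formed request:", check_import_context(ok) or "no problems")
    unknown = build_context("unknown-key", "x", "ABCDEFGHIJKL")
    print("unknown consumer key:", check_import_context(unknown))
    missing = build_context("example-consumer-key", "example-consumer-secret", "")
    print("token variable unset:", check_import_context(missing))
```

Running the script with a well-formed context reports no problems; the other two contexts show the two failure modes discussed in the thread, an unregistered client id (the question's fault) and an unresolved token variable (the accepted answer's suspicion), which Apigee itself surfaces only as a failed policy step in the trace.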