Can I set Scope in "GenerateAuthCode" operation?

3 legged oauth

=======================

My OAuthV2 policy with the GenerateAuthorizationCode operation looks like the one below. I am setting the scope as "Developer" for the auth code. In the next resource call, I am generating an access token associated with the auth code. Before generating the access token, I added a GetOAuthV2Info policy to retrieve the "Scope" so that I can associate the scope with the access token. But I am getting a blank value using the variable {oauthv2authcode.GetOAuthv20InfoForScope.scope}.


Am I supposed to set the scope variable? In the documentation, I can see a scope variable:

Authorization code variables

These variables are populated when the AuthorizationCode element is set:

oauthv2authcode.{policy_name}.code
oauthv2authcode.{policy_name}.scope       
oauthv2authcode.{policy_name}.redirect_uri 
oauthv2authcode.{policy_name}.client_id
oauthv2authcode.{policy_name}.{auth_code_custom_attribute_name}


<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="GenerateAuthCode">
    <DisplayName>GenerateAuthCode</DisplayName>
    <Properties/>
    <Attributes/>
    <ExternalAuthorization>false</ExternalAuthorization>
    <ResponseType>request.queryparam.response_type</ResponseType>
    <ClientId>request.queryparam.client_id</ClientId>
    <Operation>GenerateAuthorizationCode</Operation>
    <GenerateResponse enabled="true">
        <Format>FORM_PARAM</Format>
    </GenerateResponse>
    <Attributes>
        <Attribute name="abc" ref="saml.subject" display="true"/>
    </Attributes>
    <Scope>Developer</Scope>
    <ExpiresIn>600000</ExpiresIn>
    <SupportedGrantTypes/>
    <Tokens/>
</OAuthV2>

After adding "Developer" as a scope of one of the products, I can see the {oauthv2authcode.GetOAuthv20InfoForScope.scope} variable populated with the correct value.

My question is, if I have to get the scope value from a flow variable, how can I do it?

Hi @Krish,

Please refer to this document: http://docs.apigee.com/api-services/content/oauthv2-policy

I found it very helpful in a similar situation.

This might help you also.

Regards,

Sreenivas S P


@Krish,

The value of 'Scope' is only assigned if this scope is available to the App that is making the request. Note that the scope of an App is the collection of scopes assigned to all of its API Products.

After you added this scope to one of the products, it was available to be assigned once requested. Ref doc for further detail.

Regarding reading 'scope' from a flow variable, this is like any other variable. Ref doc.

Cheers,

@rdoda Can I assign scope on the fly? If my flow variable's value is added as a scope in one of the products, then the scope is applied to the token; otherwise it is not. I want to externalize the scope control to another application which is authorizing the user (for 3 legged oauth). So in the SAML response, the external application will send all the roles a user is assigned, and those roles will be added as scopes for the access token.

How can I achieve that?

Yeah, it should be possible. Configure variable name 'varname' as part of the "Scope" as given below rather than hardcoding it:
<Scope>varname</Scope>

The value of the 'varname' variable will be used to assign scope to the token.

@rdoda If varname=A then scope is set as "A" only when the product has a scope "A". If the product doesn't have the "A" scope, no value is set with <Scope>varname</Scope>. My question is, can I set "A" as scope when the product's scope is something else?

@Krish, No. This will violate the purpose of scope. The purpose of Scope is to provide privileges to the API client (via the API product and App mechanism).
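
The configuration discussed in this thread, as an added example that is not part of any poster's reply: `<Scope>` names a flow variable instead of a literal, and a GetOAuthV2Info policy reads the granted scope back from the authorization code. The policy names come from the question; the variable `flow.requested_scope` and the location of the code (`request.formparam.code`) are assumptions.

```xml
<!-- Policy 1: GenerateAuthCode (added example, not the poster's file).
     <Scope> names a flow variable rather than a literal value.
     flow.requested_scope is a hypothetical variable, assumed to be set
     earlier in the flow (for example from the roles in the SAML response)
     as a space-separated list. -->
<OAuthV2 async="false" continueOnError="false" enabled="true" name="GenerateAuthCode">
    <DisplayName>GenerateAuthCode</DisplayName>
    <Operation>GenerateAuthorizationCode</Operation>
    <ResponseType>request.queryparam.response_type</ResponseType>
    <ClientId>request.queryparam.client_id</ClientId>
    <!-- Per the replies in this thread, only values that are also defined
         as scopes on one of the app's API products are kept; if none
         match, the scope stored with the code is blank. -->
    <Scope>flow.requested_scope</Scope>
    <ExpiresIn>600000</ExpiresIn>
    <GenerateResponse enabled="true">
        <Format>FORM_PARAM</Format>
    </GenerateResponse>
</OAuthV2>

<!-- Policy 2: GetOAuthv20InfoForScope, attached before the access token
     is generated. The authorization code is assumed to arrive as the
     form parameter "code". -->
<GetOAuthV2Info async="false" continueOnError="false" enabled="true" name="GetOAuthv20InfoForScope">
    <DisplayName>GetOAuthv20InfoForScope</DisplayName>
    <AuthorizationCode ref="request.formparam.code"/>
</GetOAuthV2Info>
<!-- After this policy runs, the granted scope is available in
     oauthv2authcode.GetOAuthv20InfoForScope.scope -->
```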