I have a login service that takes a username and password and calls an external system for authentication. On successful authentication I call the OAuth generate access token to generate an access token and send it to the app. This access token is used for other services.
If 2 users from 2 different mobile apps log in with their own userid and password and get their respective access_token, the OAuth token is not tied to the userId for which it is generated. User2-specific transactions can be triggered using the access token generated for user1.
How do I mitigate this issue and make sure the OAuth token is used only on transactions that are generated for that specific user?
Hey Prathip,
It sounds like you may be using the password grant workflow. Aside from verifying the API key/secret before authenticating with your external system, you may want to store an identifying piece of information, such as userid, as a custom attribute in the OAuth token.
If your backend doesn't perform any sort of identification, then you could add that validation into Edge. The workflow would look something like this:
For reference, here's some documentation around using the password grant workflow:
Thanks @kengilbert. The flow you have mentioned above helps. I am using GenerateAccessToken in the OAuth policy to generate the auth token. The policy also saves the auth token for validating further requests.
How do I interfere with the auth code generation process and inject user ID related information into the token before it is saved and returned to the calling application?
To set userid as a custom attribute that is part of the token, you could use the Attributes element inside the OAuth policy that initially generates the token:
<Attributes>
    <Attribute name="userid" ref="VARIABLE_NAME_CONTAINING_USERID"/>
</Attributes>
You can view more about this attributes here.
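The check the first answer describes (validate in Edge that the token's stored userid matches the user the transaction is for), as an added example that is not code from this thread. It models an Apigee JavaScript policy placed after an OAuthV2 VerifyAccessToken step, which exposes the custom attribute as the flow variable accesstoken.userid; the assumption that the request names its target user in an x-user-id header, the variable names tokenowner.*, and the fakeContext stand-in are all constructed for this example.

```javascript
// Added example, not from the thread. Models an Apigee Edge JavaScript policy
// that runs after an OAuthV2 VerifyAccessToken step. VerifyAccessToken exposes
// the custom attribute set at generation time as accesstoken.userid; the user a
// transaction targets is assumed (for this example) to arrive in x-user-id.

// Core decision: allow only when the token carries a userid and it matches the
// request's user. Fails closed for tokens issued before the attribute existed
// (no userid) and for requests that name no user.
function decideTokenOwner(tokenUserId, requestUserId) {
  if (typeof tokenUserId !== 'string' || tokenUserId.trim() === '') {
    return { allowed: false, reason: 'token has no userid attribute' };
  }
  if (typeof requestUserId !== 'string' || requestUserId.trim() === '') {
    return { allowed: false, reason: 'request names no user' };
  }
  if (tokenUserId.trim() !== requestUserId.trim()) {
    return { allowed: false, reason: 'token was issued to a different user' };
  }
  return { allowed: true, reason: 'ok' };
}

// Glue for the JavaScript policy: read the flow variables, record the decision
// in variables a later RaiseFault step can test, and abort on mismatch.
function enforceTokenOwner(ctx) {
  var decision = decideTokenOwner(
    ctx.getVariable('accesstoken.userid'),
    ctx.getVariable('request.header.x-user-id'));
  ctx.setVariable('tokenowner.allowed', decision.allowed);
  ctx.setVariable('tokenowner.reason', decision.reason);
  if (!decision.allowed) {
    throw new Error('token/user mismatch: ' + decision.reason);
  }
  return decision;
}

// Constructed stand-in for the Apigee context object so the check can be
// exercised outside the gateway (for example with node).
function fakeContext(vars) {
  return {
    getVariable: function (k) { return vars[k]; },
    setVariable: function (k, v) { vars[k] = v; }
  };
}

if (typeof context !== 'undefined') {
  enforceTokenOwner(context); // inside Apigee: the real flow context
}
```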
@prathip,
To hide a response element in the JSON, use display="false":
<Attributes>
    <Attribute name="employee_id" ref="employee.id" display="false"/>
    <Attribute name="employee_name" ref="employee.name" display="false"/>
</Attributes>
Thanks, KP
@Karthik Prabhu I got this, but my question was more on the opaque OAuth token. Can I add my custom logic to the OAuth token that Apigee generates so that I can include something like the customer id as part of the OAuth token?