This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

OAuth External system authentication

Posted on 10-16-2017 03:55 AM
k_prathip
New Member
Reply posted on --/--/---- --:-- AM

I have a login service that takes username and password and calls an external system for authentication. On success authentication I call the OAuth generate access token to generate an access token and send it to the app. This access token is used for other services.

If 2 users from 2 different mobile apps login with their own userid and password and get their respective access_token.

The OAuth token is not tied up to the userId for which it is generated. User2 specific transactions can be triggered using access token generated for user1.

How to mitigate this issue and make sure the OAuth token is used only on transactions that are generated for that specific user.

Solved Solved
0 7 666
Topic Labels
Jump to Solution
0 Likes
Reply
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
kengilbert-1
New Member
Reply posted on --/--/---- --:-- AM

Hey Prathip,

It sounds like you may be using the password grant workflow. Aside from verifying the API key/secret before authenticating with your external system, you may want to store an identifying piece of information, such as userid as a custom attribute in the Oauth token.

If your backend doesn't perform any sort of identification, then you could add that validation into Edge. The workflow would look something like this:

  • A token is generated and associated with a userid.
  • The client uses the token to make a request.
  • During the preflow, the token is validated and userid is extracted from the token.
  • When a user specific resource is accessed, perform a conditional check to ensure the userid retrieved from the token matches the resource being accessed.
    • You could use something like a Raise Fault policy step with a condition inside the user specific resource to validate the request before proceeding.

For reference, here's some documentation around using the password grant workflow:

View solution in original post

Jump to Solution
0 Likes
Reply
7 REPLIES 7

Posted on --/--/---- --:-- AM
k_prathip
New Member
Reply posted on --/--/---- --:-- AM

@Anil Sagar

Jump to Solution
0 Likes
Reply

Posted on --/--/---- --:-- AM
kengilbert-1
New Member
Reply posted on --/--/---- --:-- AM

Hey Prathip,

It sounds like you may be using the password grant workflow. Aside from verifying the API key/secret before authenticating with your external system, you may want to store an identifying piece of information, such as userid as a custom attribute in the Oauth token.

If your backend doesn't perform any sort of identification, then you could add that validation into Edge. The workflow would look something like this:

  • A token is generated and associated with a userid.
  • The client uses the token to make a request.
  • During the preflow, the token is validated and userid is extracted from the token.
  • When a user specific resource is accessed, perform a conditional check to ensure the userid retrieved from the token matches the resource being accessed.
    • You could use something like a Raise Fault policy step with a condition inside the user specific resource to validate the request before proceeding.

For reference, here's some documentation around using the password grant workflow:

Jump to Solution
0 Likes
Reply

Posted on --/--/---- --:-- AM
k_prathip
New Member
In response to kengilbert-1
Reply posted on --/--/---- --:-- AM

Thanks @kengilbert. The flow you have mentioned above helps. I am using generate accesstoken in oauth policy to generate the auth token. The policy also saves the auth token for validating further requests.

How to interfere with the auth code generation process and inject user ID related information into the token before it is saved and returned to the calling application.

Jump to Solution
0 Likes
Reply

Posted on --/--/---- --:-- AM
kengilbert-1
New Member
In response to k_prathip
Reply posted on --/--/---- --:-- AM

To set userid as a custom attribute part of the token you could use the attributes element inside the oauth policy that initially generates the token.

<Attributes>
	<Attribute name="userid" ref="VARIABLE_NAME_CONTAINING_USERID"/>
</Attributes>

You can view more about this attributes here.

Jump to Solution
0 Likes
Reply

Posted on --/--/---- --:-- AM
k_prathip
New Member
In response to kengilbert-1
Reply posted on --/--/---- --:-- AM

@kengilbert

This <attributes> adds a new attribute to the response json. Is there a way I can add this information to the access_token itself and decode it when I get back the token.

For instance access_token = access_token + customer_id

Jump to Solution
0 Likes
Reply

Posted on --/--/---- --:-- AM
karthikprabhu77
New Member
Reply posted on --/--/---- --:-- AM

@prathip,

To hide response element in json use display="false".

<Attributes>
<Attributename=”employee_id”ref=”employee.id”display="false"/>
<Attributename=”employee_name”ref=”employee.name”display="false"/>
</Attributes>

Thanks,KP

Jump to Solution
0 Likes
Reply

Posted on --/--/---- --:-- AM
k_prathip
New Member
In response to karthikprabhu77
Reply posted on --/--/---- --:-- AM

@Karthik Prabhu I got this, but my question was more on the opaque oauth token. Can I add my custom logic to the oauth token that Apigee generates so that I can include something like the customer id as part of the oauth token.

Jump to Solution
0 Likes
Reply