GenerateErrorResponse in OAuthv2 policy

Hi,

I am using the OAuthv2 policy for generating an access token. As per the policy documentation, if we set GenerateErrorResponse to false, the policy sets flow variables for the fault which can be used in subsequent policies.

I have set the OAuth policy as below. I passed an incorrect client_secret value.

In tracing, I see that the OAuth policy has failed and populated oAuthv2.GenerateAccessToken.Fault.message.

Subsequently, I used AssignMessage to set the response payload, populating the fault message.

But I get a blank msg in the response JSON.

Attaching the tracing snapshot as well.

Could someone please help on:

1. What variables get set if GenerateErrorResponse is set to true in the OAuthv2 policy?

2. How to access these variables?

3. Also, as per the trace, the oAuthv2.GenerateAccessToken.failed variable value shows false on GenerateAccessToken, but the oAuthv2.GenerateAccessToken.failed=true condition gets evaluated successfully. Attaching the snapshot of tracing.

Why does the failed property show false in the OAuthV2 policy even though the policy failed, while the condition check of oAuthv2.GenerateAccessToken.failed=true evaluates to true?

AssignMessage policy:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AssignMessage async="false" continueOnError="false" enabled="true" name="AM-SetInvalidCredentials">
    <DisplayName>AM-SetInvalidCredentials</DisplayName>
    <Set>
        <Payload contentType="application/json">
        {
           "statusCode": "00003",
           "msg":"{oauthV2.GenerateAccessToken.fault.message}"
        }
        </Payload>
    </Set>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</AssignMessage>

OAuth Policy:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 name="GenerateAccessToken" continueOnError="false">
    <Operation>GenerateAccessToken</Operation>
    <ExpiresIn>3600000</ExpiresIn>
    <SupportedGrantTypes>
        <GrantType>client_credentials</GrantType>
    </SupportedGrantTypes>
    <!-- <GrantType>request.header.grant_type</GrantType> -->
    <GenerateResponse enabled="false"/>
    <GenerateErrorResponse enabled="true"/>
</OAuthV2>

Also, the oAuthv2 policy does not enter into "Execution Error" if we do not send a grant_type parameter value or send an incorrect grant_type in the request.

Due to this, the proxy never verifies the fault rule condition even though the fault rule condition is defined as oauthV2.GenerateAccessToken.failed = true.

If the client_secret or client_id value is incorrect, then it enters into Execution Error.

Is there any defect associated with the OAuthv2 policy (for the GenerateAccessToken operation) in regards to this?


@soujanyaedunuri ,

Why are you setting the GenerateErrorResponse enabled to true, if you want the flow variables to be populated?

According to the link,

https://docs.apigee.com/api-services/content/oauthv2-policy#generateerrorresponseelement

If set to true, the policy generates and returns a response if the ContinueOnError attribute is set to true. If false (the default), no response is sent. Instead, a set of flow variables are populated with values related to the policy's function.

So I believe you should set it to false. Then the flow variables will be populated.

And if you want the fault message, you can use the variable oauthV2.GenerateAccessToken.fault.name instead of fault.message.

Hi Raunak,

We need to customize the response. So, if set to true, the policy generates the response and the custom response needs to be done through AssignMessage policies/JavaScript. I was trying to use the fault rule concept to do that.

If set to false, the policy raises an exception and enters into fault rules. But there seems to be a defect in the OAuthv2 policy. In case of an incorrect grant_type, the policy is returning 200 OK and thereby not entering fault rule scenarios. Also, the trace output shows incorrect values for oAuthv2.<<policyname>>.failed. Though the policy failed, the trace shows failed as false.

Yes, I saw this defect while implementing the OAuthV2 policy: if you give an invalid grant type it still gives 200 OK. The way I handled this is by creating a conditional flow which checks whether the passed grant type is invalid or not.

<Flows>
    <!-- conditional flow placed before the OAuthV2 policy: rejects any grant_type the proxy does not support -->
    <Flow name="Error for invalid grant type">
        <Description/>
        <Request>
            <Step>
                <Name>Raise-Fault-for-invalid-grant-type</Name>
            </Step>
        </Request>
        <Response/>
        <Condition>request.formparam.grant_type!="password" and request.formparam.grant_type!="refresh_token"</Condition>
    </Flow>
</Flows>

As my proxy only accepts the password and refresh_token grant types, I included the above condition.

Yes, as you mentioned, this is one workaround to validate the grant type before the oAuthv2 policy. However, the oAuthv2 policy should be throwing the execution error if grant_type is incorrect. This seems to be a defect, and the trace variable for the failed property also does not show correctly. We raised an SR with Apigee on the same.

sydub7
Participant IV

My apologies @soujanyaedunuri as I accidentally deleted my previous answer. But I can confirm your results:

<Payload contentType="application/json" variablePrefix="@" variableSuffix="#">
{
    "statusCode": "00003",
    "tokenfailed": "@oauthV2.GenerateAccessToken.failed#",
    "faultmsg": "@oauthV2.GenerateAccessToken.fault.message#",
    "faultname": "@oauthV2.GenerateAccessToken.fault.name#"
}
</Payload>

gives me

{
    "statusCode": "00003",
    "tokenfailed": "true",
    "faultmsg": "",
    "faultname": "oauth.v2.InvalidClientIdentifier"
}

For some reason oauthV2.GenerateAccessToken.fault.message in particular gives blank results. Will keep digging and share if I find anything.

Hello @Syd, I'm not sure about this, but according to the documentation, there is no variable like oauthV2.GenerateAccessToken.fault.message populated.

Instead you can use

fault.cause

Hey @Raunak Narooka, thanks for your response. Yes, it's not there in the documentation. However, if you look at the trace, oauthV2.GenerateAccessToken.fault.message does get populated. Wondering why it gives blank while other variables return the value as set by the OAuth policy. fault.cause worked just fine. Thanks again.

Yes. Though the documentation says that fault variables are populated if we mark GenerateErrorResponse as false, it does not seem to create any flow variables. Also, there is no change in the response from the policy whether GenerateErrorResponse is true or false.

guycrets
Participant IV

November 2018 and I (still) encounter the same issue.

Such a pity that the error message in oAuthv2.<policy>.Fault.message cannot be leveraged.

Strange that this issue (bug?) is still not resolved.

guycrets
Participant IV

Workaround: the "error" message contains the field fault.faultstring.

With the following code I can obtain the OAuth2 RFC 6749 Error Response:

1. the error (code) from fault.name

2. error_description from the error message

<!-- ExtractVariables policy run in the fault flow; the policy name is assumed, the body is as posted -->
<ExtractVariables name="EV-OAuthError">
    <VariablePrefix>vidp_err</VariablePrefix>
    <Source clearPayload="false">error</Source>
    <!-- put oauth2 "error" in variable vidp_err.code -->
    <Variable name="fault.name">
        <Pattern>{code}-{code2}</Pattern>
    </Variable>
    <!-- put oauth2 "error_description" in variable vidp_err.message -->
    <JSONPayload>
        <Variable name="message" type="string">
            <JSONPath>$.fault.faultstring</JSONPath>
        </Variable>
    </JSONPayload>
    <!-- do not fail the fault flow itself if faultstring is absent -->
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</ExtractVariables>
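Putting the grant_type pre-check from the conditional-flow reply together with the fault-rule approach and the vidp_err.* extraction above, here is an added example (not code from any poster) of a complete RFC 6749 error response for a proxy that, like the original question, supports only client_credentials. It assumes the ExtractVariables step above is saved as a policy named EV-OAuthError; all other policy names are assumed as well.

```xml
<!-- Added example, not from the thread. All policy names are assumed. -->

<!-- 1. Pre-check, inside <Flows> before the token flow: OAuthV2 returns 200 for an
     unknown grant_type (see thread), so reject it before the policy runs.
     The first clause covers a missing grant_type parameter. -->
<Flow name="Reject unsupported grant_type">
    <Request>
        <Step><Name>RF-UnsupportedGrantType</Name></Step>
    </Request>
    <Condition>(request.formparam.grant_type = null) or (request.formparam.grant_type != "client_credentials")</Condition>
</Flow>

<RaiseFault name="RF-UnsupportedGrantType">
    <FaultResponse>
        <Set>
            <StatusCode>400</StatusCode>
            <ReasonPhrase>Bad Request</ReasonPhrase>
            <!-- RFC 6749 section 5.2 error code for this case -->
            <Payload contentType="application/json">{"error":"unsupported_grant_type","error_description":"grant_type must be client_credentials"}</Payload>
        </Set>
    </FaultResponse>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</RaiseFault>

<!-- 2. Fault rule in the ProxyEndpoint: fires on the bad client_id / client_secret
     case, which does enter the error flow (continueOnError="false" on OAuthV2) -->
<FaultRules>
    <FaultRule name="OAuthTokenFailed">
        <Condition>oauthV2.GenerateAccessToken.failed = true</Condition>
        <Step><Name>EV-OAuthError</Name></Step>
        <Step><Name>AM-OAuthErrorResponse</Name></Step>
    </FaultRule>
</FaultRules>

<!-- 3. Render the extracted vidp_err.code / vidp_err.message as the RFC 6749 body -->
<AssignMessage name="AM-OAuthErrorResponse">
    <Set>
        <StatusCode>400</StatusCode>
        <ReasonPhrase>Bad Request</ReasonPhrase>
        <Payload contentType="application/json">
        {
           "error": "{vidp_err.code}",
           "error_description": "{vidp_err.message}"
        }
        </Payload>
    </Set>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</AssignMessage>
```

RFC 6749 section 5.2 expects 401 rather than 400 for invalid_client when the client authenticated with the Authorization header, so adjust the StatusCode in AM-OAuthErrorResponse if your proxy accepts that form.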