This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

Convert token request: from Basic Authentication to Oauth2 with grant type client credentials

Posted on 11-27-2017 05:15 AM
Not applicable
Reply posted on --/--/---- --:-- AM

Hi

First of all, I somewhat new to the API world so please bear with me.

I am in a situation where I need to try and convert a basic authentication token request to a Oauth2 token request with grant type client credentials. The overall idea is to input client ID and client secret as username and password in the basic authentication and then convert it as intended for a oauth2 (grant type client credential) token request, and get a access token back.


Background info:

I working on a project where an hybrid iOS app is connected to the cloud. The cloud provides a feature that enables a centralize place to store http's endpoint and credentials that is used within the app, so that is not stored in the code. The app has a sync function with the cloud which enables it to see all specified endpoints in the cloud.

So now we wish to integrate a third party API data sources where we wish to declare the endpoints to this data resource through the cloud. The data source uses Oauth2 authentication with grant type client credentials. The cloud does unfortunate not provide the ability to get a access token and send it along to the app through the Oauth2 protocol. But it does with Basic authentication, so that why I wish to try to convert the request here in apigee.

It is important that endpoints and credentials are stored in the cloud and not on the app. The app is allowed to handle a access token.


I hope somebody can provide me with some help, or alternative insight.

0 2 5,922
Topic Labels
0 Likes
2 REPLIES 2

Posted on --/--/---- --:-- AM
DChiesa
Staff
Reply posted on --/--/---- --:-- AM

Hi! And thanks for the question.

Unfortunately I'm not clear on what you want to do. I need to ask some clarifying questions. You wrote:

I need to try and convert a basic authentication token request to a Oauth2 token request with grant type client credentials.

I think you are saying that there is a backend system that accepts Basic Auth, and you want your app (iOS app) to use OAuth2 tokens. Is that right? Something like this?

6010-screenshot-20171127-173531.png

If so, this is something we call "security credentials mitigation" within Apigee Edge. In more detail, the client app sends a set of credentials to Apigee Edge; the Apigee Edge API Proxy verifies those credentials, then uses a different set of credentials to invoke the backend system .

This is a common pattern.

If this is what you want to do, it's pretty straightforward with Apigee Edge. You need to:

  1. securely store the credentials for the backend system. This is a username/password known by the backend, I guess. Ideally you'd store this in the encrypted KVM in Apigee Edge.
  2. deploy a standard OAuth token dispensing proxy, using client-credentials grant. You can find one here, but this isn't rocket surgery. There are other examples with slightly different payloads.
  3. Create a developer, API Product, and an App belonging to that developer for the API Product. This gets you credentials = client id and client secret.
  4. Invoke the token dispensing proxy with the client id and client_secret in the Authorization header, and grant_type=client_credentials in the form-encoded payload. Get a token back.
  5. Invoke the "other" API Proxy, the facade for your backend, passing the bearer token. In that proxy, use an OAuthV2/VerifyAccessToken policy to verify that the token is good. If so, then do a KVM lookup, assemble the BAsic Auth header with the username + password, assign that to the Authorization header, and then invoke the backend with that header.
0 Likes

Posted on --/--/---- --:-- AM
Not applicable
In response to DChiesa
Reply posted on --/--/---- --:-- AM

Hi Dino


Thank you very much for that answer. I see now, that my question is not specific enough. So from inspiration from you, I will try and draw my question in the following figure:

6016-accesstoken-2017-11-28-09-05-58.png

So the circumstances are that I have a iOS app (the client) that only can make token request through the basic authentication protocol, and I have a backend system that only supports token request through the Oauth2 protocol with client credentials. So I need to convert a basic authentication token request made by the app, and convert that to a Oauth2 token request.
If the credentials are valid in the backend system, then I get a Access token in return.

Ideally I would like to just pass the client ID and client secret from the basic authentication request to the oauth2 token request. But I am not entirely sure that is possible. Storing the credentials is an option, but as mention I would like to go with just passing them through the proxy.

I hope this explanation and the figure makes my question much more clear.

0 Likes