how can I validate scopes for a client, before generating an OAuth token?


Hi

I am evaluating Apigee for securing APIs via the client-credentials flow of OAuth.

In our use case the client will pass "scope" in the request to create access token(/accesstoken).

Apigee proxy should:

1) Do standard OAuth validations (validate client ID, secret, etc.)

2) If step 1 passes, validate scope by calling an external API (deployed outside Apigee environment).

3) If step 2 passes, create an access token for the client.

Please point me to documentation if the above flow is supported.

Thanks!


Sure, it's supported. I don't know if there's a specific set of documentation for that. But here's how I would do it.

  1. decode the basic auth header. This is the thing that carries the client id and client secret. You really just want the client_id.
  2. Using ServiceCallout, call to the external API that verifies a scope against a client_id. Pass the client_id that was decoded in step 1.
  3. If that passes, call to OAuthV2/GenerateAccessToken. This will implicitly verify the clientid + clientsecret, and will generate and return an access token.

I have an example proxy here. It's not a "working example" because I don't have an external API that validates the scope. But you can swap in your service there.

custom-scope-approval.zip

You could take this as a starting point, add in some FaultRules, or elaborations on how you want to generate the token.

If you need more assistance or if I have misunderstood the question, let me know.
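An added illustration of that ordering as Apigee bundle fragments (not the attached example proxy): the policy names, the scope-service URL, its query parameters and the 200/403 answer convention are assumptions, and the OAuthV2 policy is deliberately the last step so a rejected scope never reaches token generation.

```xml
<!-- apiproxy/proxies/default.xml (other endpoint elements omitted); the token policy goes last -->
<ProxyEndpoint name="default">
  <Flows>
    <Flow name="ClientCredentialsToken">
      <Condition>(proxy.pathsuffix MatchesPath "/accesstoken") and (request.verb = "POST")</Condition>
      <Request>
        <!-- 1. BasicAuthentication (Operation Decode) fills private.client_id / private.client_secret -->
        <Step><Name>BA-Decode-Client</Name></Step>
        <!-- 2. ask the external scope service about this client_id and the requested scope -->
        <Step><Name>SC-Check-Scope</Name></Step>
        <!-- 3. refuse before any token exists unless the scope service answered 200
                (a 5xx faults the callout itself, which also means no token) -->
        <Step>
          <Name>RF-Scope-Denied</Name>
          <Condition>scopeCheckResponse.status.code != 200</Condition>
        </Step>
        <!-- 4. last: GenerateAccessToken writes the token response itself, so later steps never run -->
        <Step><Name>OAuth-GenerateAccessToken</Name></Step>
      </Request>
    </Flow>
  </Flows>
</ProxyEndpoint>

<!-- apiproxy/policies/SC-Check-Scope.xml -->
<ServiceCallout name="SC-Check-Scope">
  <Request variable="scopeCheckRequest">
    <!-- do not forward the client's Basic credentials to the scope service -->
    <Remove><Headers><Header name="Authorization"/></Headers></Remove>
    <Set>
      <Verb>GET</Verb>
      <QueryParams>
        <QueryParam name="client_id">{private.client_id}</QueryParam>
        <QueryParam name="scope">{request.formparam.scope}</QueryParam>
      </QueryParams>
    </Set>
  </Request>
  <Response>scopeCheckResponse</Response>
  <HTTPTargetConnection>
    <URL>https://scope-service.example.com/check</URL> <!-- hypothetical; replace with your API -->
    <!-- let a 403 "scope denied" reach the RaiseFault step instead of faulting the callout -->
    <Properties><Property name="success.codes">2XX,403</Property></Properties>
  </HTTPTargetConnection>
</ServiceCallout>

<!-- apiproxy/policies/RF-Scope-Denied.xml: RFC 6749 error for a rejected scope -->
<RaiseFault name="RF-Scope-Denied">
  <FaultResponse>
    <Set>
      <StatusCode>400</StatusCode>
      <Payload contentType="application/json">{"error":"invalid_scope"}</Payload>
    </Set>
  </FaultResponse>
</RaiseFault>
```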

Hi Dino

Thanks a lot for your response. Especially the example code is very helpful.

There is a small issue.

The proxy works as expected if the service callout is the first step. In this case the remote API is called, and the token is created and sent to the client.

However, if the service callout is the second step, the token is created and returned to the client, but the remote API is not called.

==== Works as expected begin ====

<Request>
  <Step> <Name>Service-Callout-1</Name> </Step>
  <Step> <Name>GenerateAccessTokenClient</Name> </Step>
</Request>

==== Works as expected end ====

==== Remote API is not called begin ====

<Request>
  <Step> <Name>GenerateAccessTokenClient</Name> </Step>
  <Step> <Name>Service-Callout-1</Name> </Step> <!-- not called -->
</Request>

==== Remote API is not called end ====

remote-api-not-calledxml.txt