Hi
We are using client_credentials flow of Oauth 2.0.
We pass the following in token request:
1) client_id and client-secret as form parameters. Apigee should use these for validation when creating access_token.
2) Second set of credentials in Authorization header. Apigee should ignore Authorization header.
Those are used by our custom code during token creation.
Problem: Apigee reads Authorization header and ignores form parameters (client_id/client_secret). (Though Apigee correctly uses client_id/secret if Authorization header is not passed.)
Question:
How to configure Apigee so it ignores Authorization header and uses client_id and client_secret which are passed as form parameters?
I would appreciate any suggestions.
Regards
Can you add a Assign Message Policy with Remove Authrorization Heade policy before you use Generate Token policy.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <AssignMessage async="false" continueOnError="false" enabled="true" name="Assign-Message-1"> <DisplayName>Assign Message-1</DisplayName> <Properties/> <Remove> <Headers> <Header name="Authorization"/> </Headers> </Remove> <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables> <AssignTo createNew="false" transport="http" type="request"/> </AssignMessage>
Also if you want to preserve the value of the Authorization header to use later, you can set a variable. Something like:
<AssignMessage name="Assign-Message-1"> <AssignVariable> <Name>private.my_preserved_authz_header</Name> <Ref>request.header.authorization</Ref> <Value>BADDBEEF</Value> </AssignVariable> <Remove> <Headers> <Header name="Authorization"/> </Headers> </Remove> <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables> <AssignTo createNew="false" transport="http" type="request"/> </AssignMessage> <br>
Then, later, if you want, you can restore the Authorization Header with a similar Assignmessage. And that latter AssignMessage might also wipe out the payload, if that's appropriate.
User | Count |
---|---|
2 | |
1 | |
1 | |
1 | |
1 |