Configure Apigee to ignore the Authorization header


Hi

We are using client_credentials flow of Oauth 2.0.

We pass the following in token request:

1) client_id and client_secret as form parameters. Apigee should use these for validation when creating the access_token.

2) A second set of credentials in the Authorization header. Apigee should ignore the Authorization header.

Those are used by our custom code during token creation.

Problem: Apigee reads the Authorization header and ignores the form parameters (client_id/client_secret). (Apigee does correctly use client_id/client_secret if no Authorization header is passed.)

Question:

How do I configure Apigee so that it ignores the Authorization header and uses the client_id and client_secret passed as form parameters?

I would appreciate any suggestions.

Regards


Can you add an Assign Message policy that removes the Authorization header before you use the Generate Token policy?

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AssignMessage async="false" continueOnError="false" enabled="true" name="Assign-Message-1">
    <DisplayName>Assign Message-1</DisplayName>
    <Properties/>
    <!-- Strip the inbound Authorization header from the request message,
         so the OAuthV2 policy that runs afterwards only sees the
         client_id/client_secret form parameters. -->
    <Remove>
        <Headers>
            <Header name="Authorization"/>
        </Headers>
    </Remove>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
    <!-- Modify the existing request in place rather than creating a new message. -->
    <AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>

Also, if you want to preserve the value of the Authorization header to use later, you can set a variable. Something like:

<AssignMessage name="Assign-Message-1">
    <!-- Copy the header into a private.* variable (masked in Trace) before removing it.
         Ref is the flow variable to read; Value is only used as a default
         when the referenced variable cannot be resolved, i.e. when the
         client sent no Authorization header at all. -->
    <AssignVariable>
        <Name>private.my_preserved_authz_header</Name>
        <Ref>request.header.authorization</Ref>
        <Value>BADDBEEF</Value>
    </AssignVariable>
    <!-- Now drop the header so the OAuthV2 policy ignores it. -->
    <Remove>
        <Headers>
            <Header name="Authorization"/>
        </Headers>
    </Remove>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
    <AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>

Then, later, if you want, you can restore the Authorization header with a similar AssignMessage. And that latter AssignMessage might also wipe out the payload, if that's appropriate.
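The two replies above describe the pieces; what they do not show is how the pieces are ordered in a proxy flow, which is what decides whether the OAuthV2 policy sees the header or the form parameters. The following is an added example, not code from the original thread, wiring the stash-and-remove step, the OAuthV2 GenerateAccessToken policy and a restore-and-wipe step into one conditional flow. The policy names (AM-StashAndRemoveAuthz, OAuthV2-GenerateAccessToken, AM-RestoreAuthzAndDropBody), the /oauth base path, the /token path suffix and the placement of the poster's custom token-creation policy are all assumptions for illustration.

```xml
<!-- apiproxy/policies/AM-StashAndRemoveAuthz.xml
     Step 1: copy the inbound Authorization header into a private.* variable
     (private.* values are masked in Trace), then strip the header so that
     OAuthV2 falls back to the client_id/client_secret form parameters. -->
<AssignMessage name="AM-StashAndRemoveAuthz">
    <AssignVariable>
        <Name>private.my_preserved_authz_header</Name>
        <Ref>request.header.authorization</Ref>
    </AssignVariable>
    <Remove>
        <Headers>
            <Header name="Authorization"/>
        </Headers>
    </Remove>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
    <AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>

<!-- apiproxy/policies/OAuthV2-GenerateAccessToken.xml
     Step 2: runs only after the header is gone, so the form parameters are the
     only client credentials Apigee validates. GenerateResponse is disabled so
     the flow continues into the custom token-creation policy; the token is
     then available in oauthv2accesstoken.OAuthV2-GenerateAccessToken.access_token. -->
<OAuthV2 name="OAuthV2-GenerateAccessToken">
    <Operation>GenerateAccessToken</Operation>
    <ExpiresIn>3600000</ExpiresIn>
    <SupportedGrantTypes>
        <GrantType>client_credentials</GrantType>
    </SupportedGrantTypes>
    <GrantType>request.formparam.grant_type</GrantType>
    <GenerateResponse enabled="false"/>
</OAuthV2>

<!-- apiproxy/policies/AM-RestoreAuthzAndDropBody.xml
     Step 3: put the stashed header back for whatever runs next and remove the
     form body so client_secret is not carried into later policies or a target. -->
<AssignMessage name="AM-RestoreAuthzAndDropBody">
    <Remove>
        <Payload>true</Payload>
    </Remove>
    <Set>
        <Headers>
            <Header name="Authorization">{private.my_preserved_authz_header}</Header>
        </Headers>
    </Set>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
    <AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>

<!-- apiproxy/proxies/default.xml (relevant part)
     The order of the Steps is the whole point: remove, then generate, then restore. -->
<ProxyEndpoint name="default">
    <Flows>
        <Flow name="token">
            <Condition>(proxy.pathsuffix MatchesPath "/token") and (request.verb = "POST")</Condition>
            <Request>
                <Step><Name>AM-StashAndRemoveAuthz</Name></Step>
                <Step><Name>OAuthV2-GenerateAccessToken</Name></Step>
                <Step><Name>AM-RestoreAuthzAndDropBody</Name></Step>
                <!-- The poster's custom token-creation policy (assumed, not shown)
                     goes here. It can read the restored Authorization header or
                     private.my_preserved_authz_header directly, and must build the
                     token response itself because GenerateResponse is disabled. -->
            </Request>
        </Flow>
    </Flows>
    <HTTPProxyConnection>
        <BasePath>/oauth</BasePath>
    </HTTPProxyConnection>
    <RouteRule name="noroute"/>
</ProxyEndpoint>
```

Two things to keep in mind with this layout. First, Apigee never validates the second credential set: once the header is removed, the OAuthV2 policy only checks client_id/client_secret, so whatever is in the Authorization header is trusted only as far as the custom policy that reads it verifies it. Second, if the custom policy does not need the header itself, it is simpler and safer to have it read private.my_preserved_authz_header and skip the restore step entirely, so the credentials never reappear on the message.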