Solved: Trouble with VerifyAccessToken and GetOAuthV2Info ...

Report Inappropriate Content · 03-22-2018 07:43 PM

hi there,

i created a new API proxy (*attached below*) which works great when invoking the endpoint to authenticate a user, but the endpoints to validate a token and get the token info do not.

Here's what i did.

-- The command below gets me a new token

Invoke-WebRequest -Uri https://jolinger-eval-prod.apigee.net/m2/Authenticate/getaccesstoken?grant_type=client_credentials -Body "client_id=removed&client_secret=removed" -method Post

-- Then, i use the bearer access token created to call the next command, but i always get a 404.

$Headers = @{}

$Headers["Authorization"] = "Bearer tokenvalue"

$result = Invoke-WebRequest -Uri https://jolinger-eval-prod.apigee.net/m2/Validate/validatetoken -method Post -Headers $Headers

Invoke-WebRequest : 404. That’s an error. The requested URL /validatetoken was not found on this server. That’s all we know.

I get the same failure from the API console in the Apigee website as well. I read through all the docs and troubleshooting, and nothing worked for me. any ideas to debug this?

GetOAuthV2Info also fails in the same way.

A few notes:

* All endpoints are part of the same proxy, app, product

* I even tried a few times to put all the flows under the same proxy endpoint. same issue.

* I am using an account (client id and secret) that is mapped to the product/app combination above

* if i enter the wrong access token, the error changes immediately to {"fault":{"faultstring":"Invalid Access Token","detail":{"errorcode":"keymanagement.service.invalid_access_token"}}}

My proxy definition: apiproxy.zip

ssvaidyanathan · 6641-oauth-rev2-2018-03-23.zip

HI @Jazmine Olinger

I imported your bundle and it works as expected. The only issue is that in your proxy you have a target endpoint and while validating your token, Apigee completes the validation and is sending the request to the target which in your case is google.com

Just remove the Target endpoint and try, it will work as expected

Modify

<RouteRule name="Validate">
        <TargetEndpoint>default</TargetEndpoint>
    </RouteRule>

to

<RouteRule name="Validate"/>

That should do the trick

NOTE: I see you have used 3 different proxy endpoints, you dont need to do that, you can have all in one, something like this

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ProxyEndpoint name="Access">
    <Description/>
    <FaultRules/>
    <Flows>
        <Flow name="GetTokenDetails">
            <Description/>
            <Request>
                <Step>
                    <FaultRules/>
                    <Name>Get-OAuth-v20-Info-1</Name>
                </Step>
            </Request>
            <Response/>
            <Condition>(proxy.pathsuffix MatchesPath "/Access/gettokendetails") and (request.verb = "GET")</Condition>
        </Flow>
        <Flow name="GenerateAccessToken">
            <Description>GenerateAccessToken</Description>
            <Request>
                <Step>
                    <FaultRules/>
                    <Name>GenerateAccessToken</Name>
                </Step>
            </Request>
            <Response/>
            <Condition>(proxy.pathsuffix MatchesPath "/Authenticate/getaccesstoken") and (request.verb = "POST")</Condition>
        </Flow>
        <Flow name="VerifyAccessToken">
            <Description>VerifyAccessToken</Description>
            <Request>
                <Step>
                    <FaultRules/>
                    <Name>VerifyAccessToken</Name>
                </Step>
            </Request>
            <Response/>
            <Condition>(proxy.pathsuffix MatchesPath "/Validate/validatetoken") and (request.verb = "POST")</Condition>
        </Flow>
    </Flows>
    <HTTPProxyConnection>
        <BasePath>/m2</BasePath>
        <Properties/>
        <VirtualHost>secure</VirtualHost>
    </HTTPProxyConnection>
    <RouteRule name="noRoute"/>
</ProxyEndpoint>

I have included the updated proxy, check it out

6641-oauth-rev2-2018-03-23.zip

View solution in original post

Report Inappropriate Content

thank you Sai for your answer. this is very helpful.

We ended up figuring out how to do this and wrote a useful post at https://github.com/apprenda/apprenda-apigee-integration/blob/master/docs/auth-proxy.md

Essentially it came down to two things

* Needed to create a preflow using the validate access token

* Needed to create a flow with an http response and an AssignMessage policy to return back the email address corresponding to the token.

good luck to future folks that hit this issue.

View solution in original post

Report Inappropriate Content

I added the details outlined in https://docs.apigee.com/api-platform/reference/policies/get-oauth-v2-info-policy to also try to support GetOAuthV2Info in a different way.

my policy looks like this

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<GetOAuthV2Info name="GetTokenAttributes" continueOnError="false" enabled="true">
    <AccessToken ref="request.queryparam.access_token"/>
</GetOAuthV2Info>

and my flow definition is

<Flow name="getattributes">
            <Description/>
            <Request>
                <Step>
                    <FaultRules/>
                    <Name>GetTokenAttributes</Name>
                </Step>
            </Request>
            <Response/>
            <Condition>(proxy.pathsuffix MatchesPath "/getattributes") and (request.verb = "POST")</Condition>
        </Flow>

But when i invoke the call as

https://jolinger-eval-prod.apigee.net/m2/Authenticate/getattributes?access_token=<token>;

It still fails with the error below.

 
{"fault":{"faultstring":"Invalid API call as no apiproduct match found","detail":{"errorcode":"keymanagement.service.InvalidAPICallAsNoApiProductMatchFound"}}}

Some interesting notes that tell me that my proxy is defined with something wrong. If i omit the access_token querystring it fails with error (Failed to resolve access token variable request). If i give it the wrong access token, it fails with error "Invalid Access Token" I have no idea what to try next.

Report Inappropriate Content

i also followed the steps under https://community.apigee.com/articles/6831/oauth20-access-token-verification-throws-invalid-a.html with no help.

ssvaidyanathan · 6641-oauth-rev2-2018-03-23.zip