Storing External OAuth2 Tokens and Codes causing Invalid Client Error


Hi

We are using APIGEE to provide a set of APIs to external customers, and we make use of OAuth2 for our authorization and authentication.

We have a 2 layered approach where APIGEE apps are validated within APIGEE and use a Windows OpenAuth Token, which we generate, to use our backend systems. This is the old way and something we are moving away from and is only here for some context.

We are moving to Identity Server, as our Single Source of truth for Authentication and Authorization for all our applications and require the Identity Server to be our single source of token generation.

To prove we can use Identity Server behind APIGEE, we decided to build a POC for the Authorization Code flow and implement flows for 3-legged OAuth.

One of our requirements we had was to keep any APIGEE Client Applications out of Identity Server and only to use it as our User Authentication.

This POC has now been built where

1: APIGEE validates the Client Application's Client ID and Secret.

2: The Client Id and Secret of the APIGEE Client Application is replaced with the Client Id and Secret of the APIGEE Identity Server Client Application and then proxies the Authorize request to the Identity Server

3: The User then logs in, is authorized by the Identity Server and accepts the Consent Page

4: An Access Code is sent back to APIGEE and then the APIGEE Client Application

5: The APIGEE Client Application then exchanges the code for an Authorization Token and Refresh Token, through a proxy

6: The Authorization Token is then used as a bearer token into our APIGEE published APIs and is then consumed as a Bearer Token by our backend systems.

What we would like to be able to do, when we receive an Access Code or an Authorization Token, is to store it in APIGEE and then have APIGEE validate them without having to go back to the Identity Server.

We have attempted to use the OAuthV2 Policy to store the codes but this has currently not worked for us and the reason appears to be related to the Client ID.

For instance, when Identity Server is doing the Callback leg to APIGEE, we would like to be able to store the Access Code. The documentation implies we can store the token and make use of AssignMessage to set “oauth_external_authorization_status” to TRUE to stop checking the client credentials; however, when we set “oauth_external_authorization_status” to true it is still checking the client credentials and reporting an invalid client.

Is there something we are missing or anything we should be doing differently? If you need more information let me know and I will answer where I can.

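For readers following the thread, here is a constructed sketch of the policy pair the original post describes: an AssignMessage that flags the request as externally authorized and copies the Identity Server artefacts into flow variables, followed by OAuthV2 policies that store the external authorization code (callback leg) and the external access/refresh tokens (token leg). This is an added example, not the poster's configuration and not taken from the Apigee docs verbatim. The variable names `idsrv.*`, `external.*` and `apigee.client_id` are assumptions; the `ExternalAuthorization`, `ExternalAuthorizationCode`, `ExternalAccessToken` and `ExternalRefreshToken` elements and the `oauth_external_authorization_status` variable are the documented Apigee mechanism for third-party tokens.

```xml
<!-- Constructed example. Run before the OAuthV2 policies on the same flow.
     Marks the request as authorized by the external IdP and stages the values
     the OAuthV2 policies will read. Variable names are assumptions. -->
<AssignMessage name="AM-FlagExternalAuthorization">
  <AssignVariable>
    <Name>oauth_external_authorization_status</Name>
    <Value>true</Value>
  </AssignVariable>
  <!-- Authorization code returned by Identity Server on the callback leg;
       assumed to have been extracted into idsrv.code by an earlier policy. -->
  <AssignVariable>
    <Name>external.auth_code</Name>
    <Ref>idsrv.code</Ref>
  </AssignVariable>
  <!-- Tokens returned by Identity Server on the token leg; assumed extracted
       into idsrv.access_token / idsrv.refresh_token by an ExtractVariables policy. -->
  <AssignVariable>
    <Name>external.access_token</Name>
    <Ref>idsrv.access_token</Ref>
  </AssignVariable>
  <AssignVariable>
    <Name>external.refresh_token</Name>
    <Ref>idsrv.refresh_token</Ref>
  </AssignVariable>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
  <AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>

<!-- Callback leg: persist the external authorization code in Apigee so the
     later code-for-token exchange can be validated locally. -->
<OAuthV2 name="OA-StoreExternalAuthCode">
  <Operation>GenerateAuthorizationCode</Operation>
  <ExternalAuthorization>true</ExternalAuthorization>
  <ExternalAuthorizationCode>external.auth_code</ExternalAuthorizationCode>
  <!-- These point at where the original /authorize parameters were kept
       (assumed saved into apigee.* variables before proxying to Identity Server). -->
  <ClientId>apigee.client_id</ClientId>
  <RedirectUri>apigee.redirect_uri</RedirectUri>
  <ResponseType>apigee.response_type</ResponseType>
  <Scope>apigee.scope</Scope>
  <State>apigee.state</State>
  <GenerateResponse enabled="false"/>
</OAuthV2>

<!-- Token leg: persist the external access and refresh tokens so that
     VerifyAccessToken on the published APIs can check them without a
     round trip to Identity Server. -->
<OAuthV2 name="OA-StoreExternalTokens">
  <Operation>GenerateAccessToken</Operation>
  <ExternalAuthorization>true</ExternalAuthorization>
  <ExternalAccessToken>external.access_token</ExternalAccessToken>
  <ExternalRefreshToken>external.refresh_token</ExternalRefreshToken>
  <SupportedGrantTypes>
    <GrantType>authorization_code</GrantType>
  </SupportedGrantTypes>
  <GrantType>request.formparam.grant_type</GrantType>
  <ExpiresIn>3600000</ExpiresIn> <!-- milliseconds; constructed value -->
  <RefreshTokenExpiresIn>86400000</RefreshTokenExpiresIn>
  <GenerateResponse enabled="true"/>
</OAuthV2>
```

Two things worth checking when reproducing this. First, `ExternalAuthorization` only tells the policy to trust `oauth_external_authorization_status` for the credential check; it does not stop the policy from looking up the client identity in Apigee, so the `client_id` the policy reads must be the APIGEE developer app's ID (the one the external client presented in step 1), not the Identity Server client ID that was substituted in step 2. An `invalid_client` error is what that mismatch produces, so confirm which client ID the policy actually sees on each leg before assuming the flag is ignored. Second, the flag must be set in the same flow and before the OAuthV2 policy executes, which is why the AssignMessage sits first here.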

Hi @ScottRoberts

Welcome to the community!!! Please check this post, which is similar to what you have described. The difference in that post is that it uses JWT. The post also includes a link to a GitHub repo that has an example of the proxy to store the external auth code and token. Please use that as a reference.

Hi, thanks

Thank you for the link, interesting article; it does appear to be pretty much the same as what we have, but we don't have our clients in Identity Server, we only have a client for APIGEE Edge.

Will take on board what is in there and see if it helps. Will let you know, 🙂

Though it's been a while, can you please suggest the solution over here? I am developing the same POC and stuck at the same issue, i.e. invalid client_id.

Did you check the referenced post, and the GitHub repo? Does it satisfy?