OAuth2.0 Authorization Flow without Client Secret

Hi,

My use case is supporting native apps that talk to OAuth endpoints.

My research indicates that in such cases the recommended approach is not to use the client secret in a Basic Authorization header when talking to the /token endpoint.

Instead, it is to use a one-time code verifier and code challenge, known as the PKCE extension, throughout the flow.

My experience with Apigee is that the OAuthV2 policy does not work if there is no Basic Authorization header containing base64(client_id:client_secret) when performing the GenerateToken / RefreshToken operations.

Can this restriction be turned off somehow?


No, currently you cannot "turn off" that restriction.

However you can "work around" that restriction by:

  1. using an AccessEntity policy with the client_id supplied
  2. using ExtractVariables to extract the client secret corresponding to that client_id
  3. using a BasicAuthentication policy to encode the appropriate Authorization header
  4. and THEN using the OAuthV2/GenerateAccessToken policy

Makes sense?
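
The four steps above as one concrete policy chain. This is an added example, not code from the original thread or from Apigee's own documentation. It assumes the public client posts its client_id as a form parameter on the token request, that the app has a single credential, and that the policy names AE-GetApp, EV-ConsumerSecret, BA-EncodeClientCreds and OAuth-GenerateToken are free to use; all four names are made up for the example.

```xml
<!-- 1. Look up the app by the consumer key (client_id) the native app sent.
        Assumed: the public client posts client_id as a form parameter. -->
<AccessEntity async="false" continueOnError="false" enabled="true" name="AE-GetApp">
    <EntityType value="app"/>
    <EntityIdentifier ref="request.formparam.client_id" type="consumerkey"/>
</AccessEntity>

<!-- 2. Pull the consumer secret out of the App XML that AccessEntity stored
        in the flow variable AccessEntity.AE-GetApp. With IgnoreUnresolvedVariables
        set to false the proxy faults here if the client_id matched no app, so
        no Authorization header is ever built for an unknown client. -->
<ExtractVariables async="false" continueOnError="false" enabled="true" name="EV-ConsumerSecret">
    <Source>AccessEntity.AE-GetApp</Source>
    <VariablePrefix>app</VariablePrefix>
    <XMLPayload>
        <Variable name="consumer_secret" type="string">
            <!-- Assumes one credential on the app; with several, add a
                 predicate such as Credential[ConsumerKey='...'] so the
                 secret belongs to the key that was actually presented. -->
            <XPath>/App/Credentials/Credential/ConsumerSecret</XPath>
        </Variable>
    </XMLPayload>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
</ExtractVariables>

<!-- 3. Build the Basic header the OAuthV2 policy insists on:
        base64(client_id:consumer_secret), written to request.header.Authorization. -->
<BasicAuthentication async="false" continueOnError="false" enabled="true" name="BA-EncodeClientCreds">
    <Operation>Encode</Operation>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <User ref="request.formparam.client_id"/>
    <Password ref="app.consumer_secret"/>
    <AssignTo createNew="false">request.header.Authorization</AssignTo>
</BasicAuthentication>

<!-- 4. GenerateAccessToken now finds the credentials it expects in the header. -->
<OAuthV2 async="false" continueOnError="false" enabled="true" name="OAuth-GenerateToken">
    <Operation>GenerateAccessToken</Operation>
    <ExpiresIn>3600000</ExpiresIn>
    <SupportedGrantTypes>
        <GrantType>authorization_code</GrantType>
    </SupportedGrantTypes>
    <GrantType>request.formparam.grant_type</GrantType>
    <Code>request.formparam.code</Code>
    <RedirectUri>request.formparam.redirect_uri</RedirectUri>
    <GenerateResponse enabled="true"/>
</OAuthV2>

<!-- Wiring in the ProxyEndpoint: the four policies run in this order on POST /token. -->
<Flow name="token">
    <Condition>(proxy.pathsuffix MatchesPath "/token") and (request.verb = "POST")</Condition>
    <Request>
        <Step><Name>AE-GetApp</Name></Step>
        <Step><Name>EV-ConsumerSecret</Name></Step>
        <Step><Name>BA-EncodeClientCreds</Name></Step>
        <Step><Name>OAuth-GenerateToken</Name></Step>
    </Request>
</Flow>
```

Two caveats before copying this. First, the chain reconstructs the secret from the proxy's own store, so it no longer authenticates the caller at all; for a native app the PKCE code_verifier check (comparing it against the code_challenge recorded when the authorization code was issued) has to be implemented separately in the proxy, and nothing above does that. Second, the consumer secret travels through a flow variable and the Authorization header, so it is visible in any trace session on this proxy; restrict who can run trace against it.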

Hi Dino, we are also interested in this workaround but struggling with the following:

We have successfully accessed the Developer Profile while using the AccessEntity policy of this example. But in the returned data we do not find the consumer secret or a way to obtain it.

In the trace I can see we have access to variables of:

- AccessEntity.ChildNodes.GetDeveloperProfile.Developer 
- AccessEntity.ChildNodes.GetDeveloperProfile.Developer.Apps 
- AccessEntity.GetDeveloperProfile 

But I cannot find a corresponding client secret.

Is there something vital we're missing?

Edit: I might have found the answer to this. I can at least see the consumer secret in the trace when, instead of using 'developer', I use 'app'. Within:

AccessEntity.ChildNodes.GetDeveloperProfile.App.Credentials 

Hi @KvR, create a new question for your queries.

BTW, use the config below to get the client secret:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AccessEntity async="false" continueOnError="false" enabled="true" name="Access-Entity-1">
    <DisplayName>Access Entity-1</DisplayName>
    <Properties/>
    <EntityIdentifier ref="request.queryparam.apikey" type="consumerkey"/>
    <EntityType value="app"/>
</AccessEntity>
AccessEntity.ChildNodes.Access-Entity-1.App.Credentials.Credential.ConsumerSecret

Yes, KvR, the consumer secret is not part of the Developer entity or the developer profile.

The consumer secret is part of the app, specifically part of the credential associated to the app.

Follow the example offered by Siddharth to get the consumer secret via AccessEntity.