Missing Authorization header in OAuth access token request


Hi - I have a proxy flow set up for OAuth authentication where Apigee is proxying for our internal identity store. The authorization code flow is working fine and the client, which is a confidential client, is successfully getting a valid authorization code. Since this is a confidential client, when attempting to exchange the auth code for an access token, the client provides an HTTP Authorization header containing its Apigee client ID & secret, which I expect Apigee to use to verify the client before sending the auth code downstream to our internal identity store. However, Apigee is not finding the Authorization header in the proxy request object and thus everything is dying at that point.

I have an active trace on the wire going out from the client and can see the "Authorization Basic <blah>" header going down the wire. I've double and triple checked that the header itself is valid - if, for example, I fire the request at a different, non-Apigee application that is expecting basic auth, the app finds and decodes the header just fine (and of course it rejects it since the auth code Apigee credentials, not valid credentials for the app ... but that's irrelevant to the point of the test). I've placed a JavaScript dump immediately after the proxy request arrives on Apigee and printed the value of context.proxyRequest.headers. The resulting array of header values contains this entry:

Authorization=org.mozilla.javascript.Undefined@0.

Which, I guess, means Apigee tried to find the auth header but couldn't? Or found it but couldn't decode it for some reason? Even tho I know it's being sent and is in fact valid? Can anyone give me some guidance in figuring out what's going on here?


Whew! This is quite old. Sorry about the silence on our end.

If this is still a problem, please reply here.

It sounds like there is a misunderstanding about what Apigee Edge is expected to be doing.

There's an HTTP Authorization header.... if your JS is printing "undefined" then... probably that header is undefined. There's no sneaky reason for this to be occurring, other than... the header is really not defined in the message.

Either you are referencing it incorrectly, or something has unset a value that was previously set, or the value was never set in the first place. ps: Apigee Edge doesn't silently unset header values. It can "unset" header values, but does so through an explicit configuration that tells it to do so.


In my own experience, when I see odd behavior like what you are describing... for example when I'm certain that the inbound request carries a header, but that header is either not set in the Apigee Proxy, or it is set to something I don't expect.... then ..... I check my assumptions. One of the things that has tripped me up is a misspelling of the header. I can use curl with -H "Authorzation: Basic XXXX" and it LOOKS LIKE it's correct, but it's really not. So please do double check that.

If you want a separate pair of eyes you can post your JS code here, and also post the code that shows how you send the request from the confidential client.
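
One way to run the "check my assumptions" step from the reply against a captured request, as an added example that is not part of the original thread and is plain Node.js rather than Apigee policy code. The function names, the `/oauth/token` path, and the sample requests are constructed for illustration.

```javascript
// Added diagnostic sketch. Names and sample requests are hypothetical/constructed.

// Levenshtein edit distance, used to spot near-miss header names.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++)
    for (let j = 1; j <= b.length; j++)
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1,
        d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
  return d[a.length][b.length];
}

// Inspect a raw HTTP/1.1 request capture and report on the client-auth header.
function checkClientAuth(rawRequest) {
  const head = rawRequest.split(/\r?\n\r?\n/)[0];
  const lines = head.split(/\r?\n/).slice(1); // drop the request line
  const out = { present: false, nearMisses: [], scheme: null, wellFormed: false };
  for (const line of lines) {
    const idx = line.indexOf(':');
    if (idx < 0) { // a header line with no colon is not a header at all
      if (/^authori[sz]ation\b/i.test(line)) out.nearMisses.push('missing colon');
      continue;
    }
    const name = line.slice(0, idx).trim().toLowerCase(); // names are case-insensitive
    const value = line.slice(idx + 1).trim();
    if (name !== 'authorization') {
      if (editDistance(name, 'authorization') <= 2) out.nearMisses.push(name);
      continue;
    }
    out.present = true;
    const m = /^(\S+)\s+(\S+)$/.exec(value);
    if (!m) continue;
    out.scheme = m[1];
    if (m[1].toLowerCase() !== 'basic') continue;
    // Basic credentials are base64("client_id:client_secret"); the secret is never echoed.
    const decoded = Buffer.from(m[2], 'base64').toString('utf8');
    const sep = decoded.indexOf(':');
    out.wellFormed = sep > 0 && sep < decoded.length - 1;
  }
  return out;
}

// Constructed sample captures: one correct, one with the misspelling from the reply.
const CREDS = Buffer.from('constructed-id:constructed-secret').toString('base64');
const BODY = '\r\n\r\ngrant_type=authorization_code&code=CONSTRUCTED';
const SAMPLE_OK = 'POST /oauth/token HTTP/1.1\r\nHost: example.invalid\r\nAuthorization: Basic ' + CREDS + BODY;
const SAMPLE_TYPO = 'POST /oauth/token HTTP/1.1\r\nHost: example.invalid\r\nAuthorzation: Basic ' + CREDS + BODY;
```

A result with `present: false` and a non-empty `nearMisses` points at the client, not the proxy, as the place to look.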