Apigee can't verify my external access_token


Hi,

I've a client that consumes an API with a STS between them for security.

Now I added apigee between the client and the API. The API proxy of my API doesn't have any policies added to its flow and it still works as intended.

I tried to add a security layer to apigee by adding "VerifyAccessToken" https://docs.apigee.com/api-platform/security/oauth/using-access-tokens .

The configuration of the policy looks like this:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="VerifyAccessToken">
    <DisplayName>VerifyAccessToken</DisplayName>
    <FaultRules/>
    <Properties/>
    <Attributes/>
    <ExternalAuthorization>true</ExternalAuthorization>
    <Operation>VerifyAccessToken</Operation>
    <SupportedGrantTypes/>
    <GenerateResponse enabled="true"/>
    <Tokens/>
</OAuthV2>

But when trying to query my API through the proxy I get this error now:

{
    "fault": {
        "faultstring": "Invalid Access Token",
        "detail": {
            "errorcode": "keymanagement.service.invalid_access_token"
        }
    }
}

What am I missing?

1 ACCEPTED SOLUTION

sidd-harth
Participant V

Hi Ben, the VerifyAccessToken policy is specifically used for verifying Apigee minted access tokens.

External tokens can be verified in Apigee in 2 ways, please check below doc

https://docs.apigee.com/api-platform/security/oauth/use-third-party-oauth-system


4 REPLIES

Hi @Siddharth Barahalikar, I've read that doc but I don't really understand what to do. Can you help me here? My given scenario is that a header with an Authorization Bearer Token is flowing through Apigee. In what degree can Apigee use this to secure the communication?

Scenario 1 -

When Apigee receives an Authorization header with a token, you can make a call to the external OAuth server from Apigee using a Service Callout policy. Here the token is validated by the external OAuth server, and based on this Service Callout response we can either raise an error (if the token is invalid) or proceed to call the Backend Target (if the token is valid).

In this scenario, Apigee doesn't store tokens & relies on the external OAuth server to validate and refresh tokens. At the same time, since the token uses an external client_id & client_secret, you cannot use some Apigee features like Analytics.

Scenario 2 -

https://docs.apigee.com/api-platform/security/oauth/use-third-party-oauth-system

The above doc explains how to import externally generated access tokens, refresh tokens, or auth codes into the Apigee token store. Apigee will validate them as if they were generated by Apigee (which eliminates the need to call the external OAuth service to validate).

By doing this we can use other features like Analytics and refer/use token properties in Policies like Quota and others.

Thanks! Now I've a better understanding of it. You should edit your answer with your comment 🙂
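As an added illustration of Scenario 1 from the accepted answer (this is not code from the thread or from Apigee's documentation), the fragments below forward the client's bearer token to the external STS with a Service Callout and fail closed unless the STS answers HTTP 200. The STS URL, the policy names and the message variable names are assumptions; the callout is marked continueOnError so that the flow condition, not the policy itself, decides what happens on a non-200 answer.

```xml
<!-- apiproxy/policies/SC-ValidateToken.xml: forward the caller's bearer token to the STS -->
<ServiceCallout name="SC-ValidateToken" continueOnError="true">
    <Request variable="stsRequest" clearPayload="true">
        <Set>
            <Headers>
                <!-- The Authorization header received from the client is passed through unchanged -->
                <Header name="Authorization">{request.header.Authorization}</Header>
            </Headers>
            <Verb>GET</Verb>
        </Set>
    </Request>
    <Response>stsResponse</Response>
    <Timeout>3000</Timeout>
    <HTTPTargetConnection>
        <!-- Assumed validation endpoint of the external STS (placeholder host) -->
        <URL>https://sts.example.com/validate</URL>
    </HTTPTargetConnection>
</ServiceCallout>

<!-- apiproxy/policies/RF-InvalidToken.xml: reject the request before it reaches the target -->
<RaiseFault name="RF-InvalidToken">
    <FaultResponse>
        <Set>
            <StatusCode>401</StatusCode>
            <ReasonPhrase>Unauthorized</ReasonPhrase>
            <Headers>
                <Header name="WWW-Authenticate">Bearer error="invalid_token"</Header>
            </Headers>
            <Payload contentType="application/json">{"error":"invalid_token"}</Payload>
        </Set>
    </FaultResponse>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</RaiseFault>

<!-- apiproxy/proxies/default.xml (PreFlow only): run the callout, then fail closed -->
<PreFlow name="PreFlow">
    <Request>
        <Step>
            <Name>SC-ValidateToken</Name>
        </Step>
        <Step>
            <!-- Only an explicit 200 from the STS lets the request through; a timeout leaves
                 stsResponse.status.code unset, so the equality is false and the fault is raised -->
            <Condition>not (stsResponse.status.code = 200)</Condition>
            <Name>RF-InvalidToken</Name>
        </Step>
    </Request>
</PreFlow>
```

The GET pass-through assumes the STS validates the bearer token it receives on the Authorization header; an STS that only offers a token-introspection endpoint would need a POST with the token in the body instead. As the answer notes, Apigee sees no app identity on this path, so Analytics and Quota cannot be keyed on the client.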