Is the client secret accessible in the flow for OAuthV2 VerifyAccessToken?

The proxy endpoint is receiving a token that is verified via the oauthV2.OA-VerifyAccessToken policy, which populates the client_id into the flow but not the client secret.

We have to make a subsequent call to another proxy (that uses basic auth). I was looking for a way to access the client secret to create the auth header for this call. For now I've placed it into the KVM, but wanted to know if there was a way to get it at run time from either the token or the client id.

ACCEPTED SOLUTION

Verify the client id with a verify api key policy and it will bring you the client secret.


Yes. This is the right way.

You may think:

Well, that means I call VerifyAccessToken then VerifyApiKey - won't it be slow?

Maybe, on the first call. On the first call the token and key are both unknown. A token verification will load the cache for the token. A key verification will do the same for the key. Subsequent calls are fast (in memory).

So: don't worry about the performance at scale.

Nice explanation of the internals. Thanks @Dino-at-Google

Thanks Guys!
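The policy chain described in the accepted solution, as an added configuration example that is not part of the original thread. The policy names `VK-LookupClient` and `BA-BuildAuthHeader` are hypothetical, and it assumes the downstream proxy is this proxy's target and expects `client_id:client_secret` as its basic-auth credentials.

```xml
<!-- Each element below is a separate policy or flow file; they are shown
     together only for reading. Names other than OA-VerifyAccessToken are
     hypothetical. -->

<!-- 1. Look up the app by the client_id that OA-VerifyAccessToken placed
        in the flow. On success the VerifyAPIKey policy populates
        verifyapikey.VK-LookupClient.client_secret. -->
<VerifyAPIKey name="VK-LookupClient">
  <APIKey ref="client_id"/>
</VerifyAPIKey>

<!-- 2. Build the Authorization header for the downstream call from the
        flow variables, so the secret is never stored in a KVM. -->
<BasicAuthentication name="BA-BuildAuthHeader">
  <Operation>Encode</Operation>
  <!-- Fail the request instead of sending a half-empty credential. -->
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <User ref="client_id"/>
  <Password ref="verifyapikey.VK-LookupClient.client_secret"/>
  <!-- Assumption: the inbound bearer token is no longer needed, so the
       Authorization header on the outgoing request is overwritten. -->
  <AssignTo createNew="false">request.header.Authorization</AssignTo>
</BasicAuthentication>

<!-- 3. Order matters: the token must be verified first so client_id exists. -->
<PreFlow name="PreFlow">
  <Request>
    <Step><Name>OA-VerifyAccessToken</Name></Step>
    <Step><Name>VK-LookupClient</Name></Step>
    <Step><Name>BA-BuildAuthHeader</Name></Step>
  </Request>
</PreFlow>
```

With this chain the secret exists only as a flow variable for the lifetime of the request, which replaces the KVM copy mentioned in the question.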