Policies after Refresh Token Policy are not being executed.

Hi, I noticed two things in my refresh token policy:

1. It doesn't accept variables in fields like

 <GrantType>{myJsVariable}</GrantType>

but it works with

<GrantType>request.queryparam.grant_type</GrantType>

2. I have "generate response true". When this generates the response, it doesn't execute the next policies; it just skips the whole API with the generated response. Is this intended? (GenerateTokenPolicy lets you generate a response so I can massage it in a JS policy, but not the refresh policy.)

<GenerateResponse enabled="true"/>

Any thoughts here?

If my thoughts are correct, then this is an issue for me, and it forces me to create an API wrapper for refresh-token so I can

1. pass query params

2. grab the response in a caller API so I can massage it.

Thanks

1 ACCEPTED SOLUTION

I know this is a really old question, but what you describe surprises me, and so I thought I'd investigate.

For item #1: correct. Don't surround the variable name with curly braces.

For item #2:

What I found: it works for me. I have this flow:

    <Flow name="token">
      <!--
          The app uses this request to exchange the code for a token,
          or to refresh a token.

          Example:

          Authorization: Basic base64(client_id:client_secret)
          POST /devjam3/oauth2-ac/token
            grant_type=authorization_code
            &code=q2oI7b2d
            &redirect_uri=http://dinochiesa.github.io/openid-connect/callback-handler.html

          -or-

          Authorization: Basic base64(client_id:client_secret)
          POST /devjam3/oauth2-ac/token
            grant_type=refresh_token&refresh_token=sksious93e93
          -->
      <Condition>(proxy.pathsuffix MatchesPath "/token") and (request.verb = "POST")</Condition>
      <Description/>
      <Request>
        <Step>
          <Name>RF-InvalidGrantType</Name>
          <Condition>NOT (request.formparam.grant_type = "authorization_code" OR request.formparam.grant_type = "refresh_token")</Condition>
        </Step>
      </Request>
      <Response>
        <Step>
          <Name>OAuthV2-GenerateAccessToken</Name>
          <Condition>request.formparam.grant_type = "authorization_code"</Condition>
        </Step>
        <Step>
          <Name>OAuthV2-RefreshAccessToken</Name>
          <Condition>request.formparam.grant_type = "refresh_token"</Condition>
        </Step>
        <Step>
          <Name>JS-GroomTokenResponse</Name>
        </Step>
      </Response>
    </Flow>

And what I found is that the JS-GroomTokenResponse policy executes. Any other policy will execute, also.

The OAuthV2-RefreshAccessToken policy looks like this:

<OAuthV2 enabled='true' name='OAuthV2-RefreshAccessToken'>
  <Operation>RefreshAccessToken</Operation>
  <ExpiresIn>3600000</ExpiresIn>
  <RefreshTokenExpiresIn>86400000</RefreshTokenExpiresIn>
  <ExternalAuthorization>false</ExternalAuthorization>
  <!-- grant_type must be "refresh_token" -->
  <GrantType>request.formparam.grant_type</GrantType>
  <RefreshToken>request.formparam.refresh_token</RefreshToken>
  <SupportedGrantTypes/>
  <GenerateResponse/>
</OAuthV2>

It just works. You can see a full working example here.

I think you must have something exceptional. Maybe your RefreshAccessToken policy is not attached in the response flow?

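As an added example that is not part of the original thread (it is neither the answerer's JS-GroomTokenResponse nor anything shipped by Apigee), here is what a JavaScript policy body covering both of the question's points can look like: a request-side function that publishes the grant type as a plain flow variable the OAuthV2 policy reads by bare name (item #1), and a response-side function that strips the gateway-internal fields out of the payload that GenerateResponse produced (item #2). It is written as plain ES5 so it runs in Apigee's Rhino engine and also stand-alone in Node. The variable name oauth.grant_type, the policy Property named phase, the field list and every sample value are assumptions made for this example.

```javascript
// Added example, not code from the original thread or from Apigee.
// Pure functions first, gateway glue at the bottom, so the logic can be
// run and unit-tested outside the proxy. Names marked below are assumed.

// RFC 6749 token-response fields a client is entitled to see.
// refresh_token_expires_in is not in the RFC but is harmless and useful.
var CLIENT_VISIBLE_FIELDS = [
  "access_token", "token_type", "expires_in",
  "refresh_token", "refresh_token_expires_in", "scope"
];

// Grant types the /token flow in the accepted answer accepts.
var ALLOWED_GRANT_TYPES = ["authorization_code", "refresh_token"];

// Item #1: OAuthV2 reads a flow variable by bare name, e.g.
// <GrantType>oauth.grant_type</GrantType>, never {oauth.grant_type}.
// Prefer the form body, fall back to the query string, and refuse any
// value outside the allow-list so the policy never sees a grant type
// this proxy did not intend to support.
function resolveGrantType(formValue, queryValue) {
  var candidate = formValue || queryValue || "";
  return ALLOWED_GRANT_TYPES.indexOf(candidate) >= 0 ? candidate : null;
}

// Item #2: drop the gateway-internal fields (client_id, developer e-mail,
// product list, organization name, status, ...) that <GenerateResponse/>
// adds, and make the rest RFC-shaped. Returns null when the body is not a
// JSON object so the caller can fail closed instead of forwarding it.
function groomTokenResponse(rawBody) {
  var token;
  try {
    token = JSON.parse(rawBody);
  } catch (e) {
    return null;
  }
  if (token === null || typeof token !== "object") {
    return null;
  }
  var groomed = {};
  for (var i = 0; i < CLIENT_VISIBLE_FIELDS.length; i++) {
    var name = CLIENT_VISIBLE_FIELDS[i];
    if (Object.prototype.hasOwnProperty.call(token, name)) {
      groomed[name] = token[name];
    }
  }
  // Apigee reports the type as "BearerToken"; RFC 6749 clients expect "Bearer".
  if (groomed.token_type === "BearerToken") {
    groomed.token_type = "Bearer";
  }
  // Lifetimes arrive as digit strings; the RFC specifies numbers (seconds).
  ["expires_in", "refresh_token_expires_in"].forEach(function (f) {
    if (typeof groomed[f] === "string" && /^\d+$/.test(groomed[f])) {
      groomed[f] = parseInt(groomed[f], 10);
    }
  });
  return JSON.stringify(groomed);
}

// Request-phase entry point: publishes the validated grant type under the
// assumed variable name oauth.grant_type. Returns null if it was rejected.
function onRequest(ctx) {
  var grantType = resolveGrantType(
    ctx.getVariable("request.formparam.grant_type"),
    ctx.getVariable("request.queryparam.grant_type")
  );
  ctx.setVariable("oauth.grant_type", grantType === null ? "" : grantType);
  return grantType;
}

// Response-phase entry point: rewrites response.content in place.
// Returns false (and leaves a marker variable) when grooming failed.
function onResponse(ctx) {
  var body = groomTokenResponse(ctx.getVariable("response.content"));
  if (body === null) {
    ctx.setVariable("token.groom.error", "token response was not a JSON object");
    return false;
  }
  ctx.setVariable("response.content", body);
  return true;
}

// Constructed sample in the shape of an Apigee token response, for local runs.
var SAMPLE_TOKEN_RESPONSE = JSON.stringify({
  access_token: "ZaR3nbMp7Xq2vT",
  token_type: "BearerToken",
  expires_in: "3599",
  refresh_token: "hW9kTe2LpQ4sYm",
  refresh_token_expires_in: "86399",
  scope: "read",
  client_id: "sampleClientId",
  developer_email: "dev@example.com",
  api_product_list: "[SampleProduct]",
  organization_name: "example-org",
  status: "approved"
});

// Inside an Apigee JavaScript policy the runtime supplies `context` and
// `properties`; attach this file twice, with <Property name="phase"> set
// to "request" or "response" (assumed Property name). Elsewhere, run the sample.
if (typeof context !== "undefined" && typeof properties !== "undefined") {
  if (properties.phase === "request") { onRequest(context); } else { onResponse(context); }
} else {
  console.log(groomTokenResponse(SAMPLE_TOKEN_RESPONSE));
}
```

With the request-phase policy attached before OAuthV2-RefreshAccessToken, the OAuthV2 policy then carries `<GrantType>oauth.grant_type</GrantType>` and `<RefreshToken>request.formparam.refresh_token</RefreshToken>`, bare names exactly as the accepted answer says. The response-phase policy sits where JS-GroomTokenResponse does in the flow above; the reason to bother is that the generated payload otherwise hands the caller your client_id, developer e-mail, product list and organization name, none of which a token consumer needs.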

2 REPLIES

Thank you so much @Dino-at-Google. I think what was different for me was that I was trying to use GenerateResponse true (I think) and also that I was trying to use {JS} variables as input. I'll use this info at some point to retry having the refresh token internal to my API.