Error with client_id and client_secret BasicAuthentication with OAuthV2 GenerateAccessToken

Hi,

I am sorry if this has been brought up somewhere but I couldn't find an answer for this.

We are trying to create a policy to do OAuth 2 password grant and generate access token.

Our organization has shared flows to basic authenticate and verify ApiKey in the preflow.

Similar to what shows in this thread: https://community.apigee.com/answers/34608/view.html

The proxy I created works fine if the BasicAuthentication policy is not added and I added client_id and client_secret within the request form.

But as long as the BA policy is added, the OAuthV2 policy responds with this error message:

{ "fault": { "faultstring": "Invalid client identifier {0}", "detail": { "errorcode": "oauth.v2.InvalidClientIdentifier" } } }

Any help to resolve this would be really appreciated.

1 ACCEPTED SOLUTION

@CHI SHIUAN LU

Apigee by default expects the client id to be a form param.

<ClientId> element

Default: request.formparam.client_id (an x-www-form-urlencoded parameter specified in the request body)
Presence: Optional
Type: String
Valid values: Any flow variable accessible to the policy at runtime
Used with grant types:
  • authorization_code
  • password
  • implicit
  • client_credentials
Can also be used with the GenerateAuthorizationCode operation.

If you need Apigee to look elsewhere you need to explicitly define it using the ClientId element in the GenerateAccessToken policy.

<ClientId>request.queryparam.client_id</ClientId>

Alternately, you can define an AssignMessage policy after the Basic Authentication and before the GenerateAccessToken, to populate the form params:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AssignMessage async="false" continueOnError="false" enabled="true" name="AV-OAuthVariables">
  <DisplayName>AV-OAuthVariables</DisplayName>
  <FaultRules/>
  <Properties/>
  <!-- client_id comes from the Decode Basic Auth policy; Value is only the fallback used if the Ref variable is unset -->
  <AssignVariable><Name>request.formparam.client_id</Name><Value>BAADBEEF</Value><Ref>clientid</Ref></AssignVariable>
  <AssignVariable><Name>request.formparam.grant_type</Name><Value>password</Value></AssignVariable>
  <!-- username and password extracted from the request payload -->
  <AssignVariable><Name>request.formparam.username</Name><Ref>apigee.email</Ref></AssignVariable>
  <AssignVariable><Name>request.formparam.password</Name><Ref>apigee.password</Ref></AssignVariable>
  <Set>
    <Headers><Header name="Content-Type">application/x-www-form-urlencoded</Header></Headers>
  </Set>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
  <AssignTo type="request" transport="http" createNew="false"/>
</AssignMessage>

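As an added illustration (not code from the thread or from Apigee), the following Node.js snippet reproduces outside the gateway what the AssignMessage policy in the accepted answer does: it decodes the Basic Authorization header into client_id and client_secret and rebuilds the x-www-form-urlencoded fields that a password-grant GenerateAccessToken policy reads by default, so the missing-client_id condition behind the "Invalid client identifier" fault can be checked offline. Function names and the sample credentials are made up for the example.

```javascript
// Added example, not part of the original thread. Apigee's GenerateAccessToken reads
// client_id from request.formparam.client_id by default, so a client that sends HTTP
// Basic credentials instead of form fields leaves that variable empty and the policy
// raises oauth.v2.InvalidClientIdentifier. This mirrors the AssignMessage bridge.

// Decode an "Authorization: Basic <base64(client_id:client_secret)>" header value.
// Returns null when the header is absent or is not a well-formed Basic credential.
function decodeBasicAuth(authHeader) {
  if (typeof authHeader !== 'string') return null;
  const m = /^Basic\s+([A-Za-z0-9+/=]+)$/.exec(authHeader.trim());
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const sep = decoded.indexOf(':');            // split on the first ':' only; secrets may contain ':'
  if (sep <= 0) return null;
  return { clientId: decoded.slice(0, sep), clientSecret: decoded.slice(sep + 1) };
}

// Build the form parameters a password-grant GenerateAccessToken policy expects.
// formBody is the parsed x-www-form-urlencoded body the client sent (it may lack client_id).
// Like the AssignVariable steps: header credentials win, other form fields are kept as sent.
function buildTokenRequest(authHeader, formBody) {
  const params = Object.assign({}, formBody);
  const creds = decodeBasicAuth(authHeader);
  if (creds) {
    params.client_id = creds.clientId;
    params.client_secret = creds.clientSecret;
  }
  params.grant_type = 'password';
  return {
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    formparams: params,
    body: new URLSearchParams(params).toString(),
  };
}

// Same lookup the policy's default <ClientId> performs: an empty client_id form param
// is exactly the state that yields the fault quoted in the question.
function hasClientIdentifier(req) {
  return typeof req.formparams.client_id === 'string' && req.formparams.client_id.length > 0;
}

// Constructed sample: Basic credentials for a made-up app plus the password-grant fields.
const sampleHeader = 'Basic ' + Buffer.from('demo-client-id:demo-secret').toString('base64');
const sampleForm = { username: 'alice@example.com', password: 'hunter2' };
const withBasic = buildTokenRequest(sampleHeader, sampleForm);
const withoutBasic = buildTokenRequest(undefined, sampleForm);
console.log(hasClientIdentifier(withBasic), hasClientIdentifier(withoutBasic)); // true false
```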

5 REPLIES


@Nagashree B

Thank you much for the help.

The solutions you provided were correct, and I will mark your response as accepted answer. But I actually had them implemented when I posted the original question.

After this long discovery journey, I had the chance to move everything I had, the same setup for all flows and policies, from the cloud-based Apigee to our on-premises Apigee instance and tested it. And it just went through without any issue.

I wonder whether it's a cloud-based Apigee issue or whether it's because we only have the evaluation version of the cloud-based Apigee login that blocks some of the features....

@CHI SHIUAN LU - As far as I know, the OAuthV2 behavior is the same in both cloud and on-prem versions. I have encountered this in both cloud (evaluation) and on-prem versions.

We expect no difference between cloud and on-prem. The different versions get updated on different cadences, so at any point the cloud release could be "ahead" of the OPDK release, in terms of features or bug fixes. But for this particular feature area, I don't believe there have been any changes at all. So it sounds like there was a misunderstanding somewhere along the way.

Hi @Nagashree B and @Dino-at-Google,

Thanks much for the responses.

Dino, since this is more of a corp-related project, if you wouldn't mind, I can send a PM and share a repo of what I have in the Cloud version of Apigee for the proxy, and maybe you can help to point out where I had things constructed wrong.

Thank you much.

Best,

Lu