How do I restrict creation of tokens if scope is null or has no value?

I have the following conditions that filter which API can be used on the same token endpoint...

<Condition>(proxy.pathsuffix MatchesPath "/token") and (request.verb = "POST") and
    (request.queryparam.response_type NotEquals "token") and
    NOT(request.queryparam.scope = null) OR
    (request.queryparam.scope = "")</Condition>
	

If I have the following request URL:
> URL 1
.....apigee.net/token?grant_type=client_credentials
Apigee doesn't create a token; rather, it shows the client ID and secret only (odd, why is this shown, though?).


> URL 2

.....apigee.net/token?grant_type=client_credentials&scope=

Apigee creates a token with all the scopes in the app (default behavior of Apigee).

What I want to happen is for Apigee to check whether the scope is absent from the parameters, or whether the scope parameter is present but its value is null or just a bunch of spaces, and in that case not create a token, since when it detects a null value it automatically creates a token with all the scopes in the app. I don't want that to happen. How do I do that in Apigee, though?

1 ACCEPTED SOLUTION

Oh, found it. So I tried every possible condition to catch my issue, not being able to catch the scope with the syntax scope=. I just added the following code to the condition of my policy for it to be caught and filtered and not issue a token. I don't know which particular condition caught it, but this worked for me without using any JavaScript policy.

<Condition>
    (request.queryparam.scope = null)
    or (request.queryparam.scope = ' ')
    or (request.queryparam.scope = "")
    or (request.queryparam.scope = '')
    or (request.queryparam.scope = " ")
</Condition>

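The three URL shapes from the question (no scope, a bare &scope, and scope=) resolve to different values in the request.queryparam.scope variable, which is why a single equality test kept missing one of them. The script below is an added example, not code from the original post or from Apigee: it reproduces the thread's observed resolution (absent or bare parameter gives null, scope= gives an empty string; that mapping is an assumption taken from the posts, not from Apigee documentation), rejects absent, empty and whitespace-only scope, and goes one step beyond the thread by also checking each requested scope token against an allowlist, so a request can never fall through to "every scope on the app". The URLs, the allowlist and the helper names (getQueryParam, validateScope, checkTokenRequest, scopeCheck.*) are constructed for the example; only context.getVariable / context.setVariable are real Apigee JavaScript policy calls, and they are guarded so the file also runs under Node.

```javascript
// Added example, not code from the original post. Constructed URLs and an
// assumed allowlist; helper names are this example's own, not Apigee APIs.

// Assumption drawn from the thread's observations: Apigee resolves
// request.queryparam.scope to null when the parameter is absent (or written
// as a bare "&scope" with no "="), and to "" when the URL carries "scope=".
// This parser reproduces that so the three URL cases can be tested offline.
function getQueryParam(url, name) {
  var q = url.indexOf("?");
  if (q < 0) return null;
  var pairs = url.substring(q + 1).split("&");
  for (var i = 0; i < pairs.length; i++) {
    var eq = pairs[i].indexOf("=");
    if (eq < 0) continue; // bare "scope" with no "=": treated as absent
    if (decodeURIComponent(pairs[i].substring(0, eq)) === name) {
      // form encoding: "+" is a space; swap it before percent-decoding so %2B survives
      return decodeURIComponent(pairs[i].substring(eq + 1).replace(/\+/g, " "));
    }
  }
  return null;
}

// RFC 6749 section 3.3: scope is a space-separated list of tokens made of
// printable ASCII excluding space, double quote and backslash.
var SCOPE_TOKEN = /^[\x21\x23-\x5B\x5D-\x7E]+$/;

// Reject absent, empty and whitespace-only scope (the cases that would
// otherwise fall through to "grant every scope on the app"), then require
// every requested token to be on the allowlist. Returns a verdict object.
function validateScope(scopeParam, allowedScopes) {
  if (scopeParam === null || scopeParam === undefined) {
    return { ok: false, reason: "scope parameter absent", scopes: [] };
  }
  var trimmed = String(scopeParam).trim();
  if (trimmed.length === 0) {
    return { ok: false, reason: "scope parameter empty", scopes: [] };
  }
  var requested = trimmed.split(/\s+/);
  var granted = [];
  for (var i = 0; i < requested.length; i++) {
    var s = requested[i];
    if (!SCOPE_TOKEN.test(s)) {
      return { ok: false, reason: "malformed scope token: " + s, scopes: [] };
    }
    if (allowedScopes.indexOf(s) < 0) {
      return { ok: false, reason: "scope not permitted: " + s, scopes: [] };
    }
    if (granted.indexOf(s) < 0) granted.push(s); // de-duplicate repeated tokens
  }
  return { ok: true, reason: "", scopes: granted };
}

function checkTokenRequest(url, allowedScopes) {
  return validateScope(getQueryParam(url, "scope"), allowedScopes);
}

// Constructed allowlist for the example; a real deployment would load the
// scopes registered on the app instead.
var ALLOWED_SCOPES = ["read", "write"];

// Inside an Apigee JavaScript policy the same check can publish flow
// variables for a following RaiseFault step, e.g.
// <Condition>scopeCheck.ok = "false"</Condition>. The guard keeps the file
// runnable under Node, where no context object exists.
if (typeof context !== "undefined" && typeof context.getVariable === "function") {
  var verdict = validateScope(context.getVariable("request.queryparam.scope"), ALLOWED_SCOPES);
  context.setVariable("scopeCheck.ok", String(verdict.ok));
  context.setVariable("scopeCheck.reason", verdict.reason);
  context.setVariable("scopeCheck.scopes", verdict.scopes.join(" "));
}

// Constructed URLs mirroring the three cases from the thread, plus a valid
// request and an over-broad one.
var BASE = "https://example-org-test.apigee.net/token?grant_type=client_credentials";
var CASES = [
  BASE,                         // URL 1: no scope at all
  BASE + "&scope",              // URL 2: bare parameter, no "="
  BASE + "&scope=",             // URL 3: empty value
  BASE + "&scope=%20%20",       // spaces only
  BASE + "&scope=read+write",   // valid, form-encoded space
  BASE + "&scope=read%20admin"  // "admin" is not on the allowlist
];
function log(msg) { if (typeof console !== "undefined") console.log(msg); else print(msg); }
for (var c = 0; c < CASES.length; c++) {
  var v = checkTokenRequest(CASES[c], ALLOWED_SCOPES);
  log((v.ok ? "ISSUE  " : "REJECT ") + CASES[c].substring(BASE.length) + "  " + (v.ok ? v.scopes.join(" ") : v.reason));
}
```

Wired into a proxy, the JavaScript step runs first, then a RaiseFault step with a condition on scopeCheck.ok, and only then the OAuthV2 GenerateAccessToken step; the allowlist check means a caller who does supply a scope still cannot ask for more than the app is entitled to.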

5 REPLIES

sidd-harth
Participant V

Maybe simply raise a fault if scope is missing, using a RaiseFault policy.

<Flow name="TokenFlow">
    <Request>
        <Step>
            <Name>Raise-Fault-Missing-Scope</Name>
            <Condition>request.queryparam.scope = null or request.queryparam.scope = ' '</Condition>
        </Step>
        <Step>
            <Name>OAuth-v20-1</Name>
        </Step>
    </Request>
    <Response/>
    <Condition>(proxy.pathsuffix MatchesPath "/token") and (request.verb = "GET")</Condition>
</Flow>

Not sure why you are getting client credentials in the response. Provide more info.

Not working.

When I still have the following URL
/token?grant_type=client_credentials&scope=

it still issues tokens, with all of the scopes in the token.


Adding the RaiseFault and condition does, however, hide the client ID and secret in the output. So, great.

OK, then use a JavaScript policy to get the length of the scope:

// context.getVariable returns null when the query parameter is absent,
// and null.length would throw inside the policy, so guard that case.
var scope = context.getVariable("request.queryparam.scope");
// trim so a scope made only of spaces also counts as empty
var length = scope === null ? 0 : String(scope).trim().length;
print(length);
context.setVariable("scopeLength", length);
<Flow name="TokenFlow">
    <Description/>
    <Request>
        <Step>
            <Name>JavaScript-1</Name>
        </Step>
        <Step>
            <Name>Raise-Fault-1</Name>
            <Condition>request.queryparam.scope = null or scopeLength = 0</Condition>
        </Step>
        <Step>
            <Name>OAuth-v20-1</Name>
        </Step>
    </Request>
    <Response/>
    <Condition>(proxy.pathsuffix MatchesPath "/token") and (request.verb = "GET")</Condition>
</Flow>

Use this RaiseFault to display the error:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<RaiseFault async="false" continueOnError="false" enabled="true" name="Raise-Fault-1">
    <DisplayName>Raise Fault-1</DisplayName>
    <Properties/>
    <FaultResponse>
        <Set>
            <Headers/>
            <Payload contentType="text/plain">Scope is Missing</Payload>
            <StatusCode>400</StatusCode>
            <ReasonPhrase>Bad Request</ReasonPhrase>
        </Set>
    </FaultResponse>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</RaiseFault>

Sorry for the late reply. But the earlier snippet you sent already works, albeit much cleaner than what I did.

So when I have the following URLs:

URL 1:

..../token?grant_type=client_credentials

No token is issued = working great.

URL 2:

.../token?grant_type=client_credentials&scope

No token is issued = working great.

URL 3:

But when I have this third URL, with an equals sign [=] after scope, it then issues a token.
.../token?grant_type=client_credentials&scope=

I think the condition
request.queryparam.scope = ' ' is not catching it. And why is that? What value is being passed into Apigee by my having scope= in the parameter? It's neither null nor ' ', since that condition isn't working. What could it be, then?

PS. I was trying to do this with as little JavaScript as possible. Would it be possible to use a regular expression for this to be caught and not issue a token? Better yet, in pure Apigee config, really. Thanks for the reply, BTW.
