OAuth Generate Access Token Fails - Regeneration of the Same Token

meenap3

I am extracting the SessionID from the backend and regenerating the same in OAuth, but

OAuth Generate Access Token is failing with

{"ErrorCode" : "invalid_client", "Error" :"Client identifier is required"}. Can you please help quickly with this?

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 name="OAuth_GenerateToken">
    <DisplayName>OAuth_GenerateToken</DisplayName>
    <Attributes/>
    <ExternalAccessToken>SessionID</ExternalAccessToken>
    <ExternalAuthorization>true</ExternalAuthorization>
    <Operation>GenerateAccessToken</Operation>
    <GenerateResponse enabled="true"/>
    <StoreToken>true</StoreToken>
    <SupportedGrantTypes>
        <GrantType>client_credentials</GrantType>
    </SupportedGrantTypes>
    <!--GrantType>message.header.grant_type</GrantType>
    <ClientId>message.header.Authorization</ClientId>
    <Authorization>message.header.Authorization</Authorization-->
    <Tokens/>
</OAuthV2>

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AssignMessage async="false" continueOnError="false" enabled="true" name="Assign_ExternalAccessTokenStatus">
    <DisplayName>Assign_ExternalAccessTokenStatus</DisplayName>
    <Properties/>
    <!--Set>
        <Headers>
            <Header name="grant_type">client_credentials</Header>
            <Header name="client_id">xxxx</Header>
            <Header name="Authorization">Basic xxxx</Header>
        </Headers>
    </Set-->
    <AssignVariable>
        <Name>oauth_external_authorization_status</Name>
        <Value>true</Value>
    </AssignVariable>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
    <!--AssignTo createNew="false" transport="http" type="response"/-->
</AssignMessage>

Could you please provide more info? I am not sure what value the SessionID flow variable is getting. Also, please put a debugger on the OAuth policy with <GenerateErrorResponse enabled="true"/>. Is it failing on the client id of Apigee or of the third-party OAuth system?

This works for me.

policy:

<OAuthV2 name="OAuthV2-GenerateAccessToken">
    <Operation>GenerateAccessToken</Operation>
    <!--
    ExpiresIn, in milliseconds. The ref is optional. The explicitly specified
    value is the default, when the variable reference cannot be resolved.
    600000 = 10 minutes
    -->
    <ExpiresIn ref="flow.variable">600000</ExpiresIn>
    <SupportedGrantTypes>
        <GrantType>client_credentials</GrantType>
    </SupportedGrantTypes>
    <GenerateResponse enabled="true"/>
</OAuthV2>

Request:

curl -i https://$ORG-$ENV.apigee.net/sample-1/token \
  -u ${client_id}:${client_secret} \
  -d 'grant_type=client_credentials'

Please find attached the working sample API proxy that dispenses tokens according to the client_credentials grant type.

sample-1-rev2-2019-07-23.zip

To get this to work you need to:

  • deploy the api proxy
  • create a developer
  • create a product
  • create an app for the developer authorized on the product
  • use the generated credentials (id and secret) from that app in the -u argument in the curl command

If you want to import an externally-generated token value (e.g. what you have stored in SessionID), then you need a different policy and a different request.

policy:

<OAuthV2 name="OAuthV2-GenerateAccessToken-External">
    <Operation>GenerateAccessToken</Operation>
    <ExternalAccessToken>contrived_token</ExternalAccessToken>
    <ExternalAuthorization>true</ExternalAuthorization>
    <ExpiresIn ref="flow.variable">600000</ExpiresIn>
    <SupportedGrantTypes>
        <GrantType>client_credentials</GrantType>
    </SupportedGrantTypes>
    <GenerateResponse enabled="true"/>
</OAuthV2>

The policy looks for the client_id in a form param, so your request needs to be something like this:

curl -i https://$ORG-$ENV.apigee.net/sample-1/external-token \
  -d "grant_type=client_credentials&client_id=${client_id}"

Or, you could use the ClientId element to specify the context variable that holds the client id.

@Meena T P

You are seeing this error since you are trying to cache the token within Apigee. You need to provide the clientId. If not explicitly provided in the OAuthV2 policy, it is by default read from the form param.

Default: request.formparam.client_id (an x-www-form-urlencoded parameter specified in the request body)

Please check the following docs -

https://docs.apigee.com/api-platform/reference/policies/oauthv2-policy

https://docs.apigee.com/api-platform/security/oauth/use-third-party-oauth-system
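Putting the two previous replies together, the following is an added example (not from this thread or from the attached sample proxy) of how the policy in the question can be given the client id it is missing. It assumes the caller sends the app credentials as an HTTP Basic Authorization header (as the commented-out header in the question suggests), that a BasicAuthentication policy named BA-DecodeClientCredentials decodes it into the client_id and client_secret flow variables, that the SessionID variable is populated earlier in the flow, and that the token endpoint is POST /token; the policy and flow names are assumptions.

```xml
<!-- Step 1 (assumed name): decode "Authorization: Basic ..." into flow variables -->
<BasicAuthentication name="BA-DecodeClientCredentials">
    <Operation>Decode</Operation>
    <!-- Fail fast if the header is missing instead of continuing with empty credentials -->
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <User ref="client_id"/>
    <Password ref="client_secret"/>
    <Source>request.header.Authorization</Source>
</BasicAuthentication>

<!-- Step 2: the policy from the question, with ClientId naming the decoded variable.
     ClientId holds a flow variable name, not a literal value; when omitted, the
     policy reads request.formparam.client_id, which is why the original failed. -->
<OAuthV2 name="OAuth_GenerateToken">
    <Operation>GenerateAccessToken</Operation>
    <ClientId>client_id</ClientId>
    <ExternalAccessToken>SessionID</ExternalAccessToken>
    <!-- With ExternalAuthorization true, Apigee does not check client_secret itself;
         it trusts oauth_external_authorization_status, so that variable should only
         be set to true after the backend has actually validated the credentials. -->
    <ExternalAuthorization>true</ExternalAuthorization>
    <ExpiresIn>600000</ExpiresIn>
    <SupportedGrantTypes>
        <GrantType>client_credentials</GrantType>
    </SupportedGrantTypes>
    <GenerateResponse enabled="true"/>
    <StoreToken>true</StoreToken>
</OAuthV2>

<!-- Step 3 (assumed flow): attach the policies in this order on the token endpoint -->
<Flow name="token">
    <Condition>(proxy.pathsuffix MatchesPath "/token") and (request.verb = "POST")</Condition>
    <Request>
        <Step><Name>BA-DecodeClientCredentials</Name></Step>
        <Step><Name>Assign_ExternalAccessTokenStatus</Name></Step>
        <Step><Name>OAuth_GenerateToken</Name></Step>
    </Request>
</Flow>
```

The decoded client_id must belong to a developer app authorized on a product that includes this proxy, otherwise the policy still rejects the request as an invalid client.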