Acting as Openid connect provider with Apigee Edge

natuneeraj

I wanted to build an OAuth 2.0 flow that uses the client credentials grant type.

Now my Integrated Developer Portal allows users to register, sign up and buy the API products as they please, upon which they get the client credentials. I have a proxy, say a security proxy, that is exposed for them to generate an access token by giving the client key to be validated. It has been quite straightforward to generate an OAuth 2.0 access token using the OAuth 2.0 policy, but now I am interested in generating a JWT token which mentions in its claims what API products the customer has bought.

Can anyone suggest a solution to build this?

@Dino-at-Google @Dino @Anil Sagar @ Google

1 ACCEPTED SOLUTION

I am interested in generating a JWT token which has the mentions of what api products the customer has bought in claims.

The GenerateJWT policy can do this. Check the documentation.

If you like, you can use the OAuth 2.0 policy with Operation=GenerateAccessToken and GenerateResponse = false (important!) and then follow that with a GenerateJWT policy, and an AssignMessage which inserts the generated JWT into the response content.

Setting the enabled attribute on the GenerateResponse element to false tells the OAuth2.0 policy to NOT generate response content. Instead the policy will set context variables. Then you can reference those context variables in the GenerateJWT policy to specify the claims.

example

https://github.com/DinoChiesa/devjam3-20170405/blob/master/Resources/oauth2-oidc/apiproxy/policies/G...

After GenerateAccessToken, the list of API products will be in a context variable called... ??

oauthv2accesstoken.POLICYNAME.api_product_list_json

...and you need to reference THAT variable in the Claim element of the subsequent GenerateJWT. You may also want to embed the access_token into a claim in the GenerateJWT, as well as other claims.

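The three-policy chain described in the accepted answer, written out as an added example (not the poster's proxy nor code from the linked repository). Policy names, the issuer/audience values, the `private.rsa_key` variable (assumed to be loaded from an encrypted KVM by an earlier step) and the `generated.jwt` output variable are all assumptions; the `oauthv2accesstoken.<POLICYNAME>.api_product_list_json` reference is the variable the answer names.

```xml
<!-- 1. Issue the OAuth 2.0 token but suppress the policy's own response,
     so the API-product list lands in context variables instead. -->
<OAuthV2 name="OAuthV2-GenerateAccessToken">
  <Operation>GenerateAccessToken</Operation>
  <ExpiresIn>3600000</ExpiresIn>
  <SupportedGrantTypes>
    <GrantType>client_credentials</GrantType>
  </SupportedGrantTypes>
  <GrantType>request.formparam.grant_type</GrantType>
  <GenerateResponse enabled="false"/>
</OAuthV2>

<!-- 2. Mint the JWT. Each Claim ref reads a variable prefixed with the
     OAuthV2 policy name above. api_product_list_json holds a JSON array
     string, so it is carried as a string claim. The signing key must stay
     in an encrypted KVM (assumed loaded into private.rsa_key), never in
     the proxy bundle. -->
<GenerateJWT name="GenerateJWT-Products">
  <Algorithm>RS256</Algorithm>
  <PrivateKey>
    <Value ref="private.rsa_key"/>
  </PrivateKey>
  <Issuer>https://api.example.com/security</Issuer>
  <Subject ref="oauthv2accesstoken.OAuthV2-GenerateAccessToken.client_id"/>
  <Audience>example-api</Audience>
  <ExpiresIn>1h</ExpiresIn>
  <AdditionalClaims>
    <Claim name="api_products" type="string"
           ref="oauthv2accesstoken.OAuthV2-GenerateAccessToken.api_product_list_json"/>
    <!-- Optional, as the answer suggests: embed the opaque access token. -->
    <Claim name="access_token" type="string"
           ref="oauthv2accesstoken.OAuthV2-GenerateAccessToken.access_token"/>
  </AdditionalClaims>
  <OutputVariable>generated.jwt</OutputVariable>
</GenerateJWT>

<!-- 3. Return the JWT. Custom prefix/suffix markers keep the JSON braces
     from being read as variable references. -->
<AssignMessage name="AM-JWTResponse">
  <Set>
    <Headers>
      <Header name="Content-Type">application/json</Header>
    </Headers>
    <Payload contentType="application/json" variablePrefix="@" variableSuffix="#">
      {"access_token":"@generated.jwt#","token_type":"Bearer","expires_in":3600}
    </Payload>
    <StatusCode>200</StatusCode>
  </Set>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <AssignTo createNew="false" transport="http" type="response"/>
</AssignMessage>
```

Attach the three policies in that order to the token endpoint's flow; with `IgnoreUnresolvedVariables` set to false, a missing JWT variable fails the request rather than returning an empty token.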

2 REPLIES


Thanks Dino! I tried the suggestion and it works exactly as I wanted.

Thanks for the quick help.