About OAuth2.0 Policy which is used to Generate Access Token using client credentials grant type

The scenario is as follows:

I have created a proxy [Assume this as Proxy1] with No Target for the purpose of access_token generation using the OAuth2.0 policy with the client_credentials grant type. Below is the policy configuration:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="OA-GenerateAccessToken">
    <DisplayName>OA-GenerateAccessToken</DisplayName>
    <Properties/>
    <Attributes/>
    <ExternalAuthorization>false</ExternalAuthorization>
    <Operation>GenerateAccessToken</Operation>
    <ExpiresIn>1800000</ExpiresIn>
    <SupportedGrantTypes>
        <GrantType>client_credentials</GrantType>
    </SupportedGrantTypes>
    <GenerateResponse enabled="true"/>
    <Tokens/>
</OAuthV2>

Then, I created an API Product [Assume this as Product1] which includes only the above API proxy (generating access_token).

After that, I registered an App [Assume this as App1] by associating Product1 for access_token generation and other API Products which contain actual APIs with target endpoints. Likewise, I registered various Apps in Apigee Edge along with Product1, mixing and matching various API Products.

My question is, when I use any of the Apps' key & secret it provides me an access_token back (this may be normal because all Apps have Product1 within them).

Then, I created another API proxy with a different base path [Assume this as Proxy2] for the same purpose (generate access_token using the OAuth2.0 policy with the client_credentials grant type) and created an API product [Assume this as Product2] which includes only the new API proxy (generating access_token).

After that, I registered an App [Assume this as App2] by associating Product2 for access_token generation and other API Products which contain actual APIs with target endpoints.

The issue I see here is, when I make a request with App1's key & secret (App1 includes Product1, which contains Proxy1) to Proxy2, I am able to get an access_token.

Why does this happen, and what is going on here?

@Anil Sagar @ Google: Could you please explain this to me? Thanks in advance for your time.

Regards,

Meenakshi Sundar @ Valeo.

1 ACCEPTED SOLUTION

You're operating under an incorrect assumption.

You're thinking that the OAuthV2/GenerateAccessToken policy will generate a token for the product (or a product?) that contains the proxy in which the GenerateAccessToken policy runs. That's not correct.

The OAuthV2/GenerateAccessToken policy will generate a token that is good for the app, for which credentials have been presented. If the creds match App1, then the generated token will be good for all the products configured for App1 (or more accurately, all the products configured for the specific credentials that were presented).

This means the OAuthV2/GenerateAccessToken policy can be contained in any proxy, and that proxy need not be included in any Product. A single token-dispensing proxy can be usable for all products, and all apps.

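An added illustration of the rule in this answer (not Apigee's code and not posted in the thread): a simplified Python model in which a token carries the products of the app whose credentials matched, and product scope is enforced only where the protected proxy verifies the token. Product1/Product2/Proxy1/Proxy2 are the thread's labels; the apps' keys and secrets and the OrdersAPI/BillingAPI proxies are constructed for the example.

```python
"""Simplified model of the rule in the accepted answer: a client_credentials token is
bound to the app whose credentials were presented, not to the proxy that issued it.
Illustrative only; this is not Apigee's implementation."""
import secrets
import time
from dataclasses import dataclass

# Constructed registry. Product1/Product2/Proxy1/Proxy2 are the thread's own labels;
# OrdersProduct/BillingProduct and their proxies are assumed for the example.
PRODUCTS = {
    "Product1": {"Proxy1"},            # contains only the first token-dispensing proxy
    "Product2": {"Proxy2"},            # contains only the second token-dispensing proxy
    "OrdersProduct": {"OrdersAPI"},    # assumed product with a real target-backed proxy
    "BillingProduct": {"BillingAPI"},  # assumed
}
# App -> (client_id, client_secret, products). Credentials are constructed samples.
APPS = {
    "App1": ("app1-key", "app1-secret", {"Product1", "OrdersProduct"}),
    "App2": ("app2-key", "app2-secret", {"Product2", "BillingProduct"}),
}

@dataclass
class Token:
    app: str
    products: frozenset
    issued_by: str      # proxy that ran GenerateAccessToken; recorded, never used for authz
    expires_at: float

TOKENS = {}  # token string -> Token (stands in for the token store)

def generate_access_token(proxy, client_id, client_secret, expires_in_ms=1800000):
    """Model of OAuthV2/GenerateAccessToken. Whichever proxy runs it, the token
    inherits the products of the app whose key/secret matched (ExpiresIn is in ms)."""
    for app, (cid, csec, products) in APPS.items():
        if secrets.compare_digest(cid, client_id) and secrets.compare_digest(csec, client_secret):
            tok = secrets.token_urlsafe(24)
            TOKENS[tok] = Token(app, frozenset(products), proxy, time.time() + expires_in_ms / 1000)
            return tok
    raise PermissionError("invalid_client")

def verify_access_token(proxy, token):
    """Model of OAuthV2/VerifyAccessToken on a protected proxy, where product scope is
    actually enforced: allowed only if a product granted to the token's app contains
    the proxy being called. Which proxy issued the token plays no part."""
    t = TOKENS.get(token)
    if t is None or time.time() >= t.expires_at:
        return False
    return any(proxy in PRODUCTS[p] for p in t.products)
```

With App1's credentials presented to Proxy2 (the case in the question), the token is recorded as App1's and passes verification on OrdersAPI but not on BillingAPI; adding a second token-dispensing proxy therefore does not partition which apps can obtain tokens.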

6 REPLIES

@Dino-at-Google Thanks a lot for your answer.

Could you please also check and say whether the below diagram reflects my understanding of your answer, so that I can proceed further with this design in production.

Also, it will be very helpful and appreciated if there is a way to control which client web apps can access the Apigee proxy, other than filtering based on the client App's IP address.

[Diagram: 9278-apigee-app-key-secret-understanding.jpg]

Thanks in advance.

Yes, this diagram is correct!

Please do test and verify in your environment.

Keep in mind that client_credentials grant can be

  • enhanced with PKCE (search here on community for more information)
  • replaced or supplanted by a grant type of urn:ietf:params:oauth:grant-type:jwt-bearer, per RFC7523. See here for more information.

Hi @Dino-at-Google

Thank you very much for all your inputs on this subject; it's very helpful.


Glad to help!

Hi @Dino-at-Google

Could you please have a look at my previous comment and provide your feedback & guidance.

Thanks in advance for your time and help.