OAuthV2 GenerateAuthorizationCode does not expire in the specified time

masood

I am able to generate an Auth Code, but the problem is that it does not expire in the specified time, which is mentioned in the <ExpiresIn> tag.

Here is my OAuthV2 policy:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="true" enabled="true" name="Generate-Authorization-Code">
    <DisplayName>Generate Authorization Code</DisplayName>
    <Operation>GenerateAuthorizationCode</Operation>
    <ClientId>clientId</ClientId>
    <RedirectUri>redirectUrl</RedirectUri>
    <ResponseType>code</ResponseType>
    <Scope>scope</Scope>
    <!--<GenerateResponse enabled="true"/>-->
    <!-- lifetime of the generated code, in milliseconds -->
    <ExpiresIn>10000</ExpiresIn>
</OAuthV2>
I expect the code generated to expire in 10 secs, but it does not. I checked even after 10 mins; however, it was still not expired.

And here is how I was trying to access auth code info:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<GetOAuthV2Info async="false" continueOnError="false" enabled="true" name="Get-Auth-Code-Info">
    <DisplayName>Get Auth Code Info</DisplayName>
    <AuthorizationCode ref="authCode"/>
</GetOAuthV2Info>

I have even checked the failed flag, which was set to false.

Any help would be appreciated.


REPLIES

I am also facing a similar issue. Can someone help me out, please?

masood

Let me look into it.

Hmm, I just tested this and here's what I found:

GenerateAccessToken is working for me as expected. If I set expiry on the code, then the generated code expires as expected, and OAuthV2/GenerateAccessToken using that code will fail appropriately.

I cannot imagine what might be happening with your organization / environment. If you have an Apigee support contract then I suggest you contact Apigee support to request diagnosis on this.

It could be that you are expecting GetOAuthV2Info to fail when inquiring about an expired code. And that may not be a documented behavior.

The "expiry" of the code means it will not be redeemable for a token. After the expiry, the code might still be in the keystore, and queryable with GetOAuthV2Info, even though it would not be usable for obtaining a token via OAuthV2/GenerateAccessToken.

Thanks @Dino-at-Google, thanks for your time!

By the way, the operation is GenerateAuthorizationCode and not token. And how do you check for AuthCode expiry? @Dino-at-Google

I don't "check" for expiry. Instead I use GenerateAccessToken with the code. If the code is expired, then the OAuthV2/GenerateAccessToken will throw a fault and the client gets a fault message like "invalid authorization code". If the code is not expired then the OAuthV2/GenerateAccessToken will succeed and the client will receive a token.

In this way, the expiry is checked _implicitly_.
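As an added illustration of the implicit check described in the reply above (this is not configuration from the original thread or from the asker's proxy): an OAuthV2 GenerateAccessToken policy that redeems the authorization code, plus a ProxyEndpoint FaultRule that turns the fault raised for an expired or already-used code into a standard OAuth 2.0 "invalid_grant" response. The policy names, the form-parameter variable names and the ExpiresIn value are assumptions chosen for this example.

```xml
<!-- Redeems the code. Apigee raises a fault here if the code has expired,
     was already redeemed, or does not match the client_id / redirect_uri it
     was issued for, so no separate "is it expired?" lookup is needed. -->
<OAuthV2 async="false" continueOnError="false" enabled="true" name="Generate-Access-Token">
    <DisplayName>Generate Access Token</DisplayName>
    <Operation>GenerateAccessToken</Operation>
    <SupportedGrantTypes>
        <GrantType>authorization_code</GrantType>
    </SupportedGrantTypes>
    <GrantType>request.formparam.grant_type</GrantType>
    <Code>request.formparam.code</Code>
    <ClientId>request.formparam.client_id</ClientId>
    <RedirectUri>request.formparam.redirect_uri</RedirectUri>
    <!-- Lifetime of the issued access token, in milliseconds (constructed: 1 hour) -->
    <ExpiresIn>3600000</ExpiresIn>
    <GenerateResponse enabled="true"/>
</OAuthV2>

<!-- In the ProxyEndpoint: map the expired/invalid-code fault to an OAuth 2.0
     error body instead of leaking the default Apigee fault message. -->
<FaultRules>
    <FaultRule name="Invalid-Auth-Code">
        <Condition>fault.name = "InvalidAuthorizationCode"</Condition>
        <Step>
            <Name>AM-Invalid-Grant</Name>
        </Step>
    </FaultRule>
</FaultRules>

<!-- AssignMessage policy referenced by the FaultRule (name is an assumption). -->
<AssignMessage async="false" continueOnError="false" enabled="true" name="AM-Invalid-Grant">
    <Set>
        <StatusCode>400</StatusCode>
        <ReasonPhrase>Bad Request</ReasonPhrase>
        <Payload contentType="application/json">{"error":"invalid_grant","error_description":"authorization code is expired or invalid"}</Payload>
    </Set>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
    <AssignTo createNew="false" transport="http" type="response"/>
</AssignMessage>
```

A code that is past its ExpiresIn still fails at this step even if GetOAuthV2Info can still read it, which is the observable effect of the expiry the reply describes.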