Flow Variable received not updated.

I have the ff. Policy to refresh my Access Token

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="OA-RefreshAccessToken">
    <DisplayName>OA-RefreshAccessToken</DisplayName>
    <ExternalAuthorization>false</ExternalAuthorization>
    <Operation>RefreshAccessToken</Operation>
    <!--15 minutes-->
    <ExpiresIn>900000</ExpiresIn>
    <RefreshToken>ExtractedRefreshToken</RefreshToken>
    <GrantType>ExtractedGrantType</GrantType>
    <ReuseRefreshToken>true</ReuseRefreshToken>
</OAuthV2>

And trying to get and use the Access Token generated from that policy by using the flow variable

oauthv2accesstoken.OA-RefreshAccessToken.access_token


But it is giving me an old Access Token instead of the newly created Access Token. I had to call another Policy GetOAuthInfo just to get the updated Access Token. Is this an expected behavior?

0 3 101
3 REPLIES 3

No, that is not expected behavior.

I just tried this in my org, and my results are different. After the OAuthV2/RefreshAccessToken policy executes, the variable oauthv2accesstoken.POLICYNAME.access_token contains the new access token.

What grant type did you use originally?

Even if you are seeing strange results, It seems like you have a workaround.

If you want me to look into it further, provide a proxy with a simple way to reproduce the problem, and I'll do so. "simple" means:

  • deploy the proxy that handles a POST /token
  • get a client id and client secret
  • POST /token with grant_type=password (or whatever you used); get the access token and refresh token
  • POST /token with grant_type=refresh_token
  • see the results you reported

To "see the results" I suggest appending an AssignMessage policy directly after the OAuthV2/RefreshAccessToken policy, that simply assigns from one set of variables to another. That will emit the variables into trace context and they'll be visible in the Trace UI. The assignmessage policy might look like this:

<AssignMessage name='AM-Inspect'>


    <AssignVariable>
        <Ref>oauthv2accesstoken.POLICYNAME.access_token</Ref>
        <Name>foo</Name>
    </AssignVariable>
    <AssignVariable>
        <Ref>oauthv2accesstoken.POLICYNAME.token_type</Ref>
        <Name>foo</Name>
    </AssignVariable>
    <AssignVariable>
        <Ref>oauthv2accesstoken.POLICYNAME.expires_in</Ref>
        <Name>foo</Name>
    </AssignVariable>
    <AssignVariable>
        <Ref>oauthv2accesstoken.POLICYNAME.refresh_token</Ref>
        <Name>foo</Name>
    </AssignVariable>
    <AssignVariable>
        <Ref>oauthv2accesstoken.POLICYNAME.refresh_token_expires_in</Ref>
        <Name>foo</Name>
    </AssignVariable>
    <AssignVariable>
        <Ref>oauthv2accesstoken.POLICYNAME.refresh_token_issued_at</Ref>
        <Name>foo</Name>
    </AssignVariable>

  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</AssignMessage>

This is the 2nd time for me that a certain variable is not being populated as I expect it to be in Apigee. The first one being in this question.

https://community.apigee.com/questions/76184/refresh-token-expires-in-doesnt-populate.html


BTW. I'm using Authorization grant type to generate a token and for this issue, I use the Operation RefreshAccessToken to generate a new refresh token and access token.

Also, I already know that .the value being thrown by the flow variable oauthv2accesstoken.OA-RefreshAccessToken.access_token is old, it's because I have a proxy endpoint that shows me the current access token asssociated with the refresh token. Upon using that refresh token in the OAuth Policy to generate the new Refresh and Access Token, the said flow variable is showing the old access token instead of the new access token. It's kinda annoying that I had to use two other policies just to get the latest access token. Might be a bug in Apigee?. Or am I using a wrong flow variable and the documentation just doesn't reflect it?.

I'm sorry you're having difficulty.

It could be that you're doing things a little differently than we expect.

By the looks of your policy config - you have reference to ExtractedToken and ExtractedGrantType ... maybe you're doing it incorrectly.

Here is a working example of a Password grant token dispenser, which supports refresh tokens.

https://github.com/DinoChiesa/devjam3-20170405/tree/master/Resources/oauth2-pg

Maybe you can examine that and see what's different about your work, which may lead to the difference in behavior you noted.

My policy there looks like this:

<OAuthV2 name='OAuthV2-RefreshAccessToken'>
  <Operation>RefreshAccessToken</Operation>
  <ExpiresIn ref='flow.variable'>1800000</ExpiresIn>
  <RefreshTokenExpiresIn>28800000</RefreshTokenExpiresIn>
  <GrantType>request.formparam.grant_type</GrantType>
  <GenerateResponse enabled='true'/> <!-- make this false to get variables -->
</OAuthV2>

Good luck!