Can't authenticate API in developer's portal

Hi All,

I'm trying to publish an API to the developer's portal; however, I'm not able to authenticate.

My API uses oauth2. In my spec, I have the following security setting:

security: 
  - bearerAuth: []  

...

securitySchemes:
    bearerAuth:
      type: oauth2
      flows:
        clientCredentials:
          tokenUrl: https://tui-prod-prod.apigee.net/oauth/client_credential/accesstoken?grant_type=client_credentials
          scopes: {} 

I've created an app but, when I try to authenticate through the portal, I get an "Authorization failed" message.


The URL I'm using in tokenURL is the same one I use to authenticate via Postman, and I'm able to retrieve an access_token that way. It's only in the portal that it doesn't work. I've tried the URL both with the '?grant_type=client_credentials' suffix and without.

Any suggestions on what I'm doing wrong or how to debug this?

Thanks.

Pedro


Can you open your browser's developer tools and see if there is any more info in the console log?

Hi Chris,

I enabled wire logging and could see that the problem was with CORS. I enabled CORS in my proxy as explained here, adding the OptionsPreflight flow and the NoRoute RouteRule, and now I can authenticate with the API. However, when I then try to access the API ('execute' button) I get a 401 Unauthorized response.

From the logs I can see that the Portal tries to send an OPTIONS request to the API, so I imagine this has to do with the CORS preflight, but it doesn't include the access token that has just been generated, so it fails the OAuth2 verification policy in the proxy. Any recommendation on what to do here?

Thanks.

dgaju
Participant I

@pedro ivo dantas, @chris novak:

I'm also facing the same issue. If you guys found a solution, please help me here.

Thanks

Dhanunjaya

I think you are running into the dreaded OAuthV2 non-RFC-compliant issue. Check out this link: https://docs.apigee.com/api-platform/reference/policies/oauthv2-policy#non-rfc-compliant-behavior
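
For the 401 on the preflight described earlier in the thread (the browser's OPTIONS request carries no Authorization header, so it fails token verification), one way to arrange the proxy endpoint is sketched below. This is an added example, not part of any post in the thread. The policy names Verify-OAuth-Token and Add-CORS, the base path and the virtual host are assumptions; the OptionsPreflight flow and NoRoute RouteRule are the ones the thread mentions.

```xml
<ProxyEndpoint name="default">
  <PreFlow name="PreFlow">
    <Request>
      <Step>
        <!-- Hypothetical name for the proxy's OAuthV2 VerifyAccessToken policy.
             The condition skips verification for OPTIONS only; every other
             verb still has to present a valid access token. -->
        <Name>Verify-OAuth-Token</Name>
        <Condition>request.verb != "OPTIONS"</Condition>
      </Step>
    </Request>
    <Response/>
  </PreFlow>
  <Flows>
    <Flow name="OptionsPreflight">
      <Request/>
      <Response>
        <Step>
          <!-- Hypothetical AssignMessage policy that sets the CORS response
               headers. It should allow the portal's origin rather than "*"
               and list Authorization in Access-Control-Allow-Headers, or the
               browser will not send the token on the real request. -->
          <Name>Add-CORS</Name>
        </Step>
      </Response>
      <Condition>request.verb == "OPTIONS" AND request.header.origin != null AND request.header.Access-Control-Request-Method != null</Condition>
    </Flow>
  </Flows>
  <HTTPProxyConnection>
    <!-- Assumed base path and virtual host. -->
    <BasePath>/v1/example</BasePath>
    <VirtualHost>secure</VirtualHost>
  </HTTPProxyConnection>
  <!-- Must come before the default rule: a RouteRule with no TargetEndpoint
       answers the preflight at the proxy, so the unauthenticated OPTIONS
       request is never forwarded to the backend. -->
  <RouteRule name="NoRoute">
    <Condition>request.verb == "OPTIONS" AND request.header.origin != null AND request.header.Access-Control-Request-Method != null</Condition>
  </RouteRule>
  <RouteRule name="default">
    <TargetEndpoint>default</TargetEndpoint>
  </RouteRule>
</ProxyEndpoint>
```

An OPTIONS request that lacks the Origin or Access-Control-Request-Method header skips token verification but does not match NoRoute, so it would reach the target unauthenticated; if that matters for the backend, reject such requests at the proxy.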