Need to develop oauth code flow.

I need to develop the OAuth code flow. The implementation reference is not clear and the S24-10 video is not available.

I cannot find the next video, after the explanation of 3-legged OAuth code, for the implementation.

Reference video link:

Can someone help with the implementation of 3-legged OAuth or provide any additional guideline on this?

Any help will be appreciated.


Hi @Bicky Choudhary

I would start with the Apigee documentation page as reference:

https://docs.apigee.com/api-platform/security/oauth/access-tokens.html#requestinganaccesstokenauthor...

Let's try to break this down into two simple steps. Obtaining an access token using an authorization code can be broken down into a two-step process:

1. Generate authcode

2. Using the authcode generated in step 1, obtain an access token

So your proxy needs to expose two endpoints.

  1. Use the security policy OAuthV2 and for that policy use the operation GenerateAuthorizationCode. Configure the policy with the correct information and provide the required fields, mainly State and Scope, to make a successful call which will generate the authcode. When you make a successful call to this endpoint it returns with code 302 and a response header called Location containing the authcode, which looks like {yourCallbackURL}?code=A1BcDefhg&scope=???&state=????
  2. Again use the security policy OAuthV2, this time with the operation GenerateAccessToken. When you configure this step make sure you select GrantType as authorization_code. Also pass values for Code (obtained from the previous step) and RedirectUri (this is the callback URL of the app credentials you are using).

If these two policies are configured correctly and you pass the required mandatory values, you should be able to use the authorization code grant type.

Authorization code is considered one of OAuth 2.0's most secure grant types.

Regards

Jayesh
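The two OAuthV2 policies described above, written out as an added example (this is not code from the original post or from the Apigee documentation); the policy names, the expiry values and the choice of reading inputs from query/form parameters are assumptions:

```xml
<!-- Step 1: policy behind the /authorize endpoint (assumed policy name) -->
<OAuthV2 name="OAuthV2-GenerateAuthCode">
  <Operation>GenerateAuthorizationCode</Operation>
  <!-- authcode lifetime in milliseconds (assumed value: 10 minutes) -->
  <ExpiresIn>600000</ExpiresIn>
  <ResponseType>code</ResponseType>
  <!-- Apigee validates client_id and rejects a redirect_uri that does not
       match the callback URL registered on the app credentials -->
  <ClientId>request.queryparam.client_id</ClientId>
  <RedirectUri>request.queryparam.redirect_uri</RedirectUri>
  <Scope>request.queryparam.scope</Scope>
  <!-- state is echoed back so the client can tie the callback
       to the request it started (protects against CSRF) -->
  <State>request.queryparam.state</State>
  <!-- returns 302 with Location: {callback}?code=...&scope=...&state=... -->
  <GenerateResponse enabled="true"/>
</OAuthV2>

<!-- Step 2: policy behind the /token endpoint (assumed policy name) -->
<OAuthV2 name="OAuthV2-GenerateAccessToken">
  <Operation>GenerateAccessToken</Operation>
  <!-- access token lifetime in milliseconds (assumed value: 1 hour) -->
  <ExpiresIn>3600000</ExpiresIn>
  <SupportedGrantTypes>
    <GrantType>authorization_code</GrantType>
  </SupportedGrantTypes>
  <GrantType>request.formparam.grant_type</GrantType>
  <!-- the code from step 1 and the same redirect_uri that was used to obtain it -->
  <Code>request.formparam.code</Code>
  <RedirectUri>request.formparam.redirect_uri</RedirectUri>
  <!-- client_id and client_secret are read from the Basic Authorization header by default -->
  <GenerateResponse enabled="true"/>
</OAuthV2>
```

The code is single-use and short-lived, so a client that retries the token call with the same code gets an error rather than a second token.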

Hi Jayesh,

Thanks for the quick response. Now I am able to generate OAuth code.

But I am still facing one issue. The redirect URL which I have given is the login page of my application. It is supposed to log in with user ID and password and then redirect to an authorize page. Once the consent has been authorized, it is supposed to redirect with the OAuth code, but currently it is returning the OAuth code with the login page itself.

URL to generate OAuth code:

http://bickychoudhary-eval-test.apigee.net/getaccesstoken?client_id=qeGhD9KWayj3uxnSjA2I9JH8TvOSwjZQ...

The response I am getting is:

http://localhost:9090/login.html?code=Nx5AeWq2&scope=

Screenshot attached. It is supposed to generate the OAuth code after successful login and consent authorization. Can you please advise me on this?

Hi @Bicky Choudhary

Please check the following Apigee documentation page, which explains the authorization grant type flow in quite some detail.

https://docs.apigee.com/api-platform/security/oauth/oauth-v2-policy-authorization-code-grant-type.ht...

As you can see, the client app makes the call to the Apigee gateway, and that's where the proxies you have deployed come into play. But outside that call there are a few actions performed by either the user (e.g. providing credentials and consent) or the user agent (web site code which makes the call to the Apigee endpoint, extracts the code from the authcode response and makes the next call to Apigee to get the access token).

So in order to achieve the final goal you need to follow the flow in the diagram at the above link and write code on the client app that consumes the Apigee proxy endpoints.

Hope this helps.

Regards

Jayesh
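An added example (not from the original post) of the proxy endpoint wiring that this flow implies: the proxy exposes only the two OAuth endpoints, while the login page and consent screen live in the client app, which calls /authorize only after it has authenticated the user. The policy names, base path and virtual host name are assumptions.

```xml
<ProxyEndpoint name="default">
  <PreFlow name="PreFlow">
    <Request/>
    <Response/>
  </PreFlow>
  <Flows>
    <!-- GET /oauth2/authorize?client_id=...&redirect_uri=...&scope=...&state=...
         Called by the app after login and consent; Apigee does not render
         a login page itself. -->
    <Flow name="authorize">
      <Condition>(proxy.pathsuffix MatchesPath "/authorize") and (request.verb = "GET")</Condition>
      <Request>
        <Step><Name>OAuthV2-GenerateAuthCode</Name></Step>
      </Request>
      <Response/>
    </Flow>
    <!-- POST /oauth2/token with grant_type=authorization_code, code and redirect_uri
         as form parameters and the client credentials in a Basic Authorization header -->
    <Flow name="token">
      <Condition>(proxy.pathsuffix MatchesPath "/token") and (request.verb = "POST")</Condition>
      <Request>
        <Step><Name>OAuthV2-GenerateAccessToken</Name></Step>
      </Request>
      <Response/>
    </Flow>
  </Flows>
  <HTTPProxyConnection>
    <BasePath>/oauth2</BasePath>
    <!-- serve the token endpoints over TLS only -->
    <VirtualHost>secure</VirtualHost>
  </HTTPProxyConnection>
  <!-- no target: the policies generate the response themselves -->
  <RouteRule name="noroute"/>
</ProxyEndpoint>
```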

Here's another example.

https://github.com/DinoChiesa/devjam3-20170405/tree/master/Labs/Core/06-Securing-APIs-with-OAuth-3-l...

No video, but that page provides step by step instructions.

Hi,

I have gone through the link you shared and tried to implement the same, but the steps below are still confusing me.

Obtain a token

Now, we'll go through the 3-legged flow to obtain a token that authenticates both the client app and the end user of the app.

  1. In the Apigee UI, Navigate to Develop...Proxies...
  2. Select the API Proxy called oauth2-ac (or similar). Note: this is not the proxy that you created earlier. This is a proxy that was configured for you; one proxy that is used by everyone.
  3. From the Proxy overview panel, copy the URL for your OAuth API proxy.

About the highlighted point no. 2:

There is no proxy with the name oauth2-ac. Do I need to create a new proxy with the OAuthCode policy?

Actually, I am unable to redirect to the login app from the Apigee OAuth server in the OAuth code flow. If possible, can you please tell me the clear configuration steps to configure the login application, so that if I call the OAuth server then, after validating the client ID, the call redirects to the login page.

Secondly, I want to send a consent ID once the call redirects to the login page, or with the login page.

I really appreciate your comments.

Thanks

Hi -

You must deploy the oauth2-ac proxy yourself. Check the readme in the Pre-requisites section:

[screenshot attached]

I'm not sure what you mean by consent id. But anyway if you start with the oauth2-ac proxy, you may be able to make some progress.


I just recently implemented 3-legged OAuth, called the authorization code grant type.

I hosted one HTML file for logging in with the credentials. It calls an API which does LDAP verification of the credentials and passes the grant type as code and the redirect URI.

This API takes you to another HTML page called the consent page, where there are only two options: allow and deny.

Once you click allow, it takes you to the redirect URI with a code in the URL. Deny rejects the process with a custom error from the API.

Now the code collected above, together with the correct client ID and secret, is sent in a request to the token generation API, which provides the access and refresh tokens in the response.