Adding End User ID (app_enduser) to an existing token

Hi,

We use OOTB Edge OAuth policies to secure our Mobile App APIs; specifically a vanilla implementation of the password grant_type and issuance of access_token & refresh_token.

It is desirable to be able to revoke tokens for specific customers but we have not populated the app_enduser field (aka 'end user ID'). All Mobile Apps must refresh their tokens every 30 days and it is desirable to populate the app_enduser field, based on data from Target, during the next token refresh if it is not already there.

The Apidoc [1] suggests this is possible "The procedure below describes how add an end user ID to an existing token" but there is no further information on this.

So my question is, How do I add the app_enduser field to existing tokens?

(I am comfortable with how to do this for new tokens)

[1] https://docs.apigee.com/api-platform/security/oauth/enable-retrieval-and-revocation-oauth-20-access-...


I believe you want the SetOauthV2Info policy.

I can see how to use the SetOauthV2Info policy to change / add custom attributes but app_enduser appears to be different.

Let's say I want to update* the app_enduser from "112233" to "ABCDE" in an existing token and I try to do this using the following SetOauthV2Info policies....

<!-- First attempt: set a custom attribute named "appUserId" on the refreshed token -->
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<SetOAuthV2Info async="false" continueOnError="false" enabled="true" name="OA-SetInfo-EndUserID">
    <DisplayName>OA-SetInfo-EndUserID</DisplayName>
    <!-- Token to modify: the access token produced by the preceding RefreshAccessToken policy -->
    <AccessToken ref="oauthv2accesstoken.OA-RefreshToken-NoResponse.access_token"/>
    <Attributes>
        <!-- Value taken from the end_user_id form parameter of the refresh request -->
        <Attribute name="appUserId" ref="request.formparam.end_user_id"/>
    </Attributes>
</SetOAuthV2Info>

<!-- Second attempt: same policy, but with the attribute named "app_enduser" -->
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<SetOAuthV2Info async="false" continueOnError="false" enabled="true" name="OA-SetInfo-EndUserID">
    <DisplayName>OA-SetInfo-EndUserID</DisplayName>
    <AccessToken ref="oauthv2accesstoken.OA-RefreshToken.access_token"/>
    <Attributes>
        <Attribute name="app_enduser" ref="request.formparam.end_user_id"/>
    </Attributes>
</SetOAuthV2Info>

I get this token, which has two appUserId values, but I can only retrieve it as per [1] in the original post using the value "112233".

{
 "apiProducts": [],
 "app": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
 "appId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
 "appUserId": "112233",
 "attributes": [
   {
     "name": "app_enduser",
     "value": "ABCDE"
   },
   {
     "name": "appUserId",
     "value": "ABCDE"
   }
 ],
 "clientId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
 "createdAt": 1582310308929,
 "expiresAt": 1582314681745,
 "grantType": "refresh_token",
 "issuedAt": 1582311081746,
 "lastModifiedAt": 1582311081757,
 "refreshCount": 2,
 "refreshToken": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
 "refreshTokenExpiresAt": 1582339108929,
 "refreshTokenIssuedAt": 1582310308929,
 "refreshTokenStatus": "approved",
 "scope": "",
 "status": "approved",
 "token": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
 "tokenType": "BearerToken"
}

*I know my original use case was different: to add app_enduser to an existing token. When I use the above policies on those tokens, the only difference is that the line "appUserId": "112233", is not present before or after the above policies are executed.


You will get this only if during the token generation the policy has the property tag added.
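For reference, this is what the "property tag" mentioned in the reply looks like on the token-generating policy. It is an added illustration, not a policy from this thread or from Apigee's own samples: the policy name, the expiry values and the flow variable `enduser.id` (assumed to be populated, for example by an ExtractVariables policy, from the backend response that validated the user's credentials, rather than copied straight from a client-supplied form parameter) are assumptions made for the example.

```xml
<!-- Added example: an OAuthV2 GenerateAccessToken policy for the password
     grant with the AppEndUser element set. Policy name, expiry values and the
     flow variable enduser.id are assumptions for this illustration. -->
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="OA-GenerateToken-Password">
    <DisplayName>OA-GenerateToken-Password</DisplayName>
    <Operation>GenerateAccessToken</Operation>
    <!-- Only the password grant is accepted by this policy -->
    <SupportedGrantTypes>
        <GrantType>password</GrantType>
    </SupportedGrantTypes>
    <!-- Flow variable the policy reads the requested grant_type from -->
    <GrantType>request.formparam.grant_type</GrantType>
    <!-- This element populates the token's end user ID (shown as "appUserId"
         in the token JSON), which is the value the retrieve/revoke-by-end-user
         operations key on. A custom attribute named "app_enduser" set via
         SetOAuthV2Info is not the same field. The variable enduser.id is assumed
         to have been set after the backend validated the user's credentials,
         so a client cannot choose an arbitrary end user ID for its token. -->
    <AppEndUser ref="enduser.id"/>
    <!-- Access token lifetime: 1 hour in milliseconds -->
    <ExpiresIn>3600000</ExpiresIn>
    <!-- Refresh token lifetime: 30 days in milliseconds, matching the forced refresh cycle above -->
    <RefreshTokenExpiresIn>2592000000</RefreshTokenExpiresIn>
    <GenerateResponse enabled="true"/>
</OAuthV2>
```

With this element in place, tokens issued by the policy carry the end user ID as a first-class field, which is what the token JSON in the thread shows as "appUserId": "112233"; the "app_enduser" entry under "attributes" that the SetOAuthV2Info attempt produced is only a custom attribute. Sourcing the ID from a trusted, server-side variable rather than from the request matters because per-customer revocation is only as reliable as the ID that was recorded at issuance.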