OAuth2 client credentials not working at portal

andrewshytiy
Participant II

Hello everyone! I have a trial Edge license and Edge (4.19.06) in Private Cloud. I have a problem with OAuth2 (grant_type=client_credentials) on the portal (7.69). I installed the smartdocs_oauth_additions module and enabled it. I set up an OAuth2 security scheme for my model.

9834-scheme.jpg

9835-methods.jpg

Here I don't fully understand the difference between authorization and access token url.

If I go to any method of my model on the portal and press the OAuth2 button, I see a form in which I cannot enter a consumer ID and secret.

9836-result.jpg

After clicking OK, I get an error:

"Unable to proceed because of missing OAuth configuration."

What did I not consider when setting up OAuth2?

I would be grateful for practical advice.

Thanks.


andrewshytiy
Participant II

When I click on the OAuth2 button I get the following errors:

9848-result1.jpg

I added CORS to my proxy, but the error did not disappear.

What resource should be specified in the authorization URL field in the security scheme? Thank you.

andrewshytiy
Participant II

I missed one error. I get this error first:

GET http://172.27.42.20:8079/sites/all/modules/smartdocs_oauth_additions-master/smartdocs_oauth_addition... net::ERR_ABORTED 403 (Forbidden)

The module was loaded and enabled without errors. What rights may be missing for smartdocs_oauth_additions?

Check the response from your OAuth token endpoint; make sure it's overriding the built-in token_type. Apigee incorrectly sets "BearerToken"; it should be just "Bearer".
See the docs here: https://docs.apigee.com/api-platform/reference/policies/oauthv2-policy#non-rfc-compliant-behavior
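Added example (not from this thread or the linked docs page): an Apigee AssignMessage policy that rewrites the token response so that token_type is the RFC-compliant "Bearer". It assumes the OAuthV2 GenerateAccessToken policy is named OA-GenerateAccessToken and has GenerateResponse disabled, so that this policy runs after it in the same flow; both names are assumptions.

```xml
<!-- Runs in the response flow right after the OAuthV2/GenerateAccessToken step.
     The GenerateAccessToken policy must have <GenerateResponse enabled="false"/>,
     otherwise it sends its own response and this step is never reached.
     Policy name OA-GenerateAccessToken is an assumption. -->
<AssignMessage name="AM-RFC-Token-Response">
  <Set>
    <Headers>
      <Header name="Content-Type">application/json</Header>
    </Headers>
    <!-- Flow variables set by the GenerateAccessToken policy -->
    <Payload contentType="application/json">
{
  "access_token": "{oauthv2accesstoken.OA-GenerateAccessToken.access_token}",
  "token_type": "Bearer",
  "expires_in": {oauthv2accesstoken.OA-GenerateAccessToken.expires_in}
}
    </Payload>
  </Set>
  <!-- Fail loudly if the token variables are missing instead of emitting a half-empty body -->
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <AssignTo createNew="false" transport="http" type="response"/>
</AssignMessage>
```

Check the result with Trace: the response body returned to the portal should contain "token_type":"Bearer", and only the fields listed here, so the raw token is not echoed under any non-standard key.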

Good day, Kurt. It seems to be all right with this. I redefine the response when generating the token using the Assign Message Policy.

This is the response from my OAuth2 endpoint.

9861-clipboard02.jpg

And this is a screenshot of my policy overriding the response:

9862-clipboard04.jpg

I'm not sure if my security scheme is configured correctly for the model:

9863-clipboard05.jpg

What should I set as an Authorization URL?

As I understand it, here I need to write the path to the flow which verifies the token.

My errors are still the same.

I believe the authorization url normally ends in /authorize

Hello, Dino. This is a test environment. I would really like to understand how to configure OAuth2 from the portal. If I send requests manually through Postman, the whole chain works. I wish that the API could be used directly from the portal under OAuth2.

Is such a name (/authorize) required for the authorization endpoint? I found this topic. I can't understand what policy should be implemented on /authorize. Does Apigee offer a ready-made solution for authorization, or is it manual programming?

I read the article "Using SmartDocs to document API". It literally says: "The Authorization URL is used to obtain the access token." It's problematic to understand what this URL is.

As I understand it, the authorization URL is a page where the user can enter the key and secret of the application. Maybe I'm wrong? Perhaps this is the URL that confirms the token (VerifyAccessToken)?

If this is a login page, should I create an HTML page myself with the Key and Secret fields and the Submit button (for example, using a RaiseFault policy)?

I can't find a complete description of the settings for this process. Plus, there are some errors associated with the operation of the smartdocs_oauth_additions module. I just go to the method page of my model and see this:

9868-clipboard06.jpg

"smartdocs_oauth_additions" module was loaded into SmartDocs without errors.

It's not clear to me how I can configure OAuth2 on the portal.

In my understanding, having a Consumer key and a secret, I must click on "OAuth2 Set" button, enter them in some form and get an access token in order to be able to make requests directly from the portal ("Send this request" button).

By the way, a model with the same methods, but not using OAuth2, works fine from the portal. That is, the problem is in setting up a security scheme on the portal. Thank you.

Looks like you are specifying Authorization Code grant type, not Client Credentials in your Open API Spec. Here's what I use for OAS 3.0.

security:
  - ClientCredentials: []
  - Password: []
components:
  securitySchemes:
    ClientCredentials:
      type: oauth2
      flows: 
        clientCredentials: 
          tokenUrl: https://ORG-test.apigee.net/oauth/v1/token
          scopes: {}
    Password:
      type: oauth2
      flows: 
        password:
          tokenUrl: https://ORG-test.apigee.net/oauth/v1/token
          scopes: {}

Here's a screenshot from my Drupal 8 portal:

9869-api-oauth.png

Hope that helps.

On the portal (I have Drupal 7.69 with Private Cloud 4.19.06) it is possible to import only Swagger version 1.2 (I originally had an OpenAPI 3.0.1 YAML file). Only after converting it to WADL was I able to upload the API description to the portal.

No other grant type can be selected here. Many topics advise using a special module from GitHub. I uploaded it to SmartDocs. Yes, now I see this phrase in the settings of the security scheme:

9872-clipboard07.jpg

But as you can see from the screenshot, you cannot choose another grant type. Plus the warnings from this module that I mentioned in comment above.

I don't know if it makes sense to try to complete the API security configuration on this version of the portal, or to abandon 7.69 and switch to 8?

By the way, is it possible to install another version 8 on a server with portal 7.69?

Oh, my bad, you did state D7 early on. I'd move to Drupal 8.

https://docs.apigee.com/api-platform/publish/drupal/open-source-drupal-8

Hello! I uninstalled the portal 7.69 (it still happened). I have installed Drupal 8 (Apigee Developer Portal Kickstart).

1. Do I understand correctly that all security settings (OAuth 2 client credentials), the target endpoint to which my API proxy is configured, should be written in the OpenApi specification? Is it possible to specify these settings in the GUI?

2. Is it possible to create an API specification from scratch?

Apparently, I can only upload the finished spec to the portal.

Thanks.

There isn't a GUI in the Developer Portal, but there are a lot of tools out there you can use such as https://editor.swagger.io. Once complete you can upload the file. Yes, you can create an API spec from scratch, I usually use an example to start such as these: https://github.com/OAI/OpenAPI-Specification/tree/master/examples/v3.0

Hello, Chris! Yes, I was able to upload the spec with OAuth client credentials. But I have problems performing requests from the portal. As in portal version 7.69, there are errors associated with CORS:

9884-clipboard08.jpg

When I set a https URL in my spec, I get an error ERR_TUNNEL_CONNECTION_FAILED.

By running the trace on my OAuth2 proxy and trying to authorize on the portal, I see that the error occurs on the OPTIONS request:

9887-clipboard11.jpg

My API proxy, which generates a token, contains an Add CORS policy in the preflow.

9885-clipboard09.jpg

Add CORS policy definition:

9886-clipboard10.jpg

I found an article that describes how to configure cors.config in ../devportal/web/sites/default/services.yml. But not sure if this will help.

Maybe a stupid question - but how to stop, start, restart a new Drupal without restarting the server?

Another thought: my status report shows an error "TRUSTED HOST SETTINGS Not enabled". Should I change my settings.php?

I'm stuck with CORS. It would seem that there are so many articles describing this problem, but I can't solve it.
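Added example (not the policy from the screenshot above, which is not readable here): an AssignMessage policy of the kind Apigee's "Add CORS" template creates, attached to the response. The portal origin https://portal.example.com is a placeholder; replace it with the real origin of the developer portal rather than using "*", since the Authorization header carries a bearer token and the browser should only hand it to a page served from the portal.

```xml
<!-- Response-side policy. Attach it to the OPTIONS preflight flow, to the
     PostFlow of normal requests, and to the DefaultFaultRule so that error
     responses (401, 503, ...) also carry the headers; without them the browser
     reports a CORS error instead of the real status code.
     https://portal.example.com is a placeholder for the portal's origin. -->
<AssignMessage name="Add-CORS">
  <Set>
    <Headers>
      <!-- Pin to the portal origin; "*" would let any site call the API with a user's token -->
      <Header name="Access-Control-Allow-Origin">https://portal.example.com</Header>
      <!-- Authorization must be listed, or the browser refuses to send the bearer token -->
      <Header name="Access-Control-Allow-Headers">origin, x-requested-with, accept, content-type, authorization</Header>
      <Header name="Access-Control-Allow-Methods">GET, POST, PUT, DELETE, OPTIONS</Header>
      <!-- How long the browser may cache the preflight result, in seconds -->
      <Header name="Access-Control-Max-Age">3600</Header>
      <!-- Needed because Allow-Origin is not "*": caches must key on the Origin header -->
      <Header name="Vary">Origin</Header>
    </Headers>
  </Set>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
  <AssignTo createNew="false" transport="http" type="response"/>
</AssignMessage>
```

<Set> rather than <Add> is used so that a second execution of the policy (for example in both PostFlow and a fault rule) overwrites the headers instead of emitting duplicates, which some browsers reject.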

Hello everyone!

I made changes in the flow which makes GET requests to the target endpoint.

I added a condition to the VerifyAccessToken policy located in the pre-flow:

    <Step>
        <Condition>(request.verb != "OPTIONS")</Condition>
        <Name>OA-VerifyAccessToken</Name>
    </Step>

I added the conditional flow OptionsPreFlight.

    <Flow name="OptionsPreFlight">
        <Description>adds an Add CORS policy, containing the CORS headers, to the flow if an OPTIONS request is received</Description>
        <Request/>
        <Response>
            <Step>
                <Name>OPTIONS-CORS</Name>
            </Step>
        </Response>
        <Condition>request.verb == "OPTIONS"</Condition>
    </Flow>

OPTIONS-CORS is the same as in the screenshot above.

As well as an additional Route Rule "NoRoute" (you should always have the default (no condition) Route at the end):

    <RouteRule name="NoRoute">
        <Condition>request.verb == "OPTIONS" AND request.header.origin != null AND request.header.Access-Control-Request-Method != null</Condition>
    </RouteRule>
    <RouteRule name="default">
        <TargetEndpoint>default</TargetEndpoint>
    </RouteRule>

I became interested in this case: my target service was stopped. I received a token on the portal, clicked on the Execute button. On the portal I see:

Unknown status

{ "isTrusted": true }

In the page code, I see a CORS error: "No 'Access-Control-Allow-Origin' header is present on the requested resource."

In the flow trace, I see the 503 error:

9926-clipboard03.jpg

The CORS policy is in all responses. Why are these headers not present in the response? How can I catch such an error (503) in order to avoid the CORS error on the client?

@home home When an API proxy encounters an error, regardless of how it occurs, it exits the normal flow pipeline, enters an error state, and returns an error message to the client app. To ensure that the error gets relayed to the portal, you would want to add a DefaultFaultRule: https://docs.apigee.com/api-platform/fundamentals/fault-handling#creatingfaultrules
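Added example (not from this thread): a complete ProxyEndpoint that puts together the pieces discussed above for the proxy that fronts the target service. VerifyAccessToken is skipped only for the browser's preflight, the preflight is answered locally without routing to the target, and a DefaultFaultRule re-attaches the CORS headers when the proxy enters the error state (401 from token verification, 503 from a stopped target, and so on), so the browser sees the real status instead of a CORS error. Policy names OA-VerifyAccessToken (from the thread) and Add-CORS (an AssignMessage policy that sets the Access-Control-* response headers) are referenced; the base path /demo/v1 and virtual host are assumptions.

```xml
<ProxyEndpoint name="default">
  <PreFlow name="PreFlow">
    <Request>
      <!-- A preflight carries no Authorization header, so the token check must
           not run for it; every other verb is still verified before routing. -->
      <Step>
        <Condition>request.verb != "OPTIONS"</Condition>
        <Name>OA-VerifyAccessToken</Name>
      </Step>
    </Request>
    <Response/>
  </PreFlow>

  <Flows>
    <!-- Only a real CORS preflight (Origin + Access-Control-Request-Method) is
         answered here; a bare OPTIONS without those headers still goes through
         normal token verification and routing. -->
    <Flow name="OptionsPreFlight">
      <Request/>
      <Response>
        <Step>
          <Name>Add-CORS</Name>
        </Step>
      </Response>
      <Condition>request.verb == "OPTIONS" AND request.header.origin != null AND request.header.Access-Control-Request-Method != null</Condition>
    </Flow>
  </Flows>

  <PostFlow name="PostFlow">
    <Request/>
    <Response>
      <!-- Normal (non-error) responses from the target get the headers here -->
      <Step>
        <Name>Add-CORS</Name>
      </Step>
    </Response>
  </PostFlow>

  <!-- Runs when any policy or the target raises a fault; the PostFlow does not.
       AlwaysEnforce makes it run even when a named FaultRule already matched. -->
  <DefaultFaultRule name="DefaultFaultRule">
    <Step>
      <Name>Add-CORS</Name>
    </Step>
    <AlwaysEnforce>true</AlwaysEnforce>
  </DefaultFaultRule>

  <HTTPProxyConnection>
    <BasePath>/demo/v1</BasePath> <!-- assumption -->
    <VirtualHost>secure</VirtualHost>
  </HTTPProxyConnection>

  <!-- Same condition as the preflight flow: no TargetEndpoint means the proxy
       replies itself. The unconditional default route must stay last. -->
  <RouteRule name="NoRoute">
    <Condition>request.verb == "OPTIONS" AND request.header.origin != null AND request.header.Access-Control-Request-Method != null</Condition>
  </RouteRule>
  <RouteRule name="default">
    <TargetEndpoint>default</TargetEndpoint>
  </RouteRule>
</ProxyEndpoint>
```

To verify, stop the target service as described above and run the request from the portal with Trace open: the trace shows the 503 from the target, the DefaultFaultRule step executing, and the response carrying Access-Control-Allow-Origin, so the portal now displays the 503 body rather than "Unknown status".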

Thanks, it works.

andrewshytiy
Participant II

Hello! I had an error with CORS when calling a proxy (/oauth2/accesstoken) generating a token. Having looked at it carefully and analyzing the error with the OPTIONS request, I realized that I need to make a separate flow with OAuth2 policy to generate a token with the necessary conditions: (proxy.pathsuffix MatchesPath "/accesstoken") and (request.verb = "POST").

I realized that the preflow with this policy is not suitable, because of it the OPTIONS request did not pass.

9897-clipboard01.jpg

I changed proxy basepath and added another flow "AccessTokenClientCredentials". After that, I was able to log in and get a token on the portal:

9898-clipboard02.jpg

That is, for normal work with CORS, a flow that processes the preflight request OPTIONS is needed (Add CORS policy on the response):

    <Flow name="OptionsPreFlight">
        <Description/>
        <Request/>
        <Response>
            <Step>
                <Name>Add-CORS</Name>
            </Step>
        </Response>
        <Condition>request.verb == "OPTIONS"</Condition>
    </Flow>

Since my proxy /oauth2/accesstoken does not have a target endpoint, I don't need any special route here. Just specify:

<RouteRule name="noroute"/>

Portal token generation works!

Now I need to execute two GET requests in my API demo. CORS again!

Maybe a similar problem here. In my proxy, which processes requests to the target endpoint, the VerifyAccessToken policy is located in the preflow. Accordingly, now the browser OPTIONS request does not pass again (401 error). Since there is no condition on the token verification policy, the OPTIONS request breaks on it. What should I do? I would like token verification to be called from one point, and not on every method.

Or is it the wrong approach?

Thanks in advance!

Is the access token passed as a bearer token in the Authorization header? Will a VerifyAccessToken for bearer work?