Question by Nilanjan Chaudhuri · Jun 11, 2020 at 10:00 AM · 103 Views · Tags: access token, custom attributes

Adding custom attributes to access token using SetOAuthV2Info policy not working

Hi

I have an access token which already has two custom attributes - email and profile. Now in one of the subsequent proxy calls, I need to add another attribute called username to the access token. This is returned in a JSON response of the specific proxy call. So in the response I have an Extract Variable policy which extracts the value:

<JSONPayload>
  <Variable name="username">
    <JSONPath>$.user.username</JSONPath>
  </Variable>
</JSONPayload>

This policy is working fine.

Now I am trying to add this to the access token using a SetOAuthV2Info policy and this is giving me Execution error at the policy.

<SetOAuthV2Info name="Set-OAuth-v20-Info-1"> 
  <DisplayName>Set OAuth v2.0 Info-1</DisplayName> 
  <AccessToken ref="request.header.authorization"/> 
  <Attributes> 
    <Attribute name="username" ref="username"/> 
  </Attributes> 
</SetOAuthV2Info>

I have tried all possible ways. Even when I set a hard coded value, it still gives me execution error.

So I have also tried setting a hard coded value - "test" to it and it still does not work

  <SetOAuthV2Info name="Set-OAuth-v20-Info-1"> 
    <DisplayName>Set OAuth v2.0 Info-1</DisplayName> 
    <AccessToken ref="request.header.authorization"/> 
    <Attributes> 
      <Attribute name="username">test</Attribute> 
    </Attributes> 
  </SetOAuthV2Info>

I am not sure where I am making an error.

@Dino @Dino-at-Google

Nilanjan Chaudhuri · Jun 11, 2020 at 11:46 AM

Kindly help. I am stuck in this.


Dino-at-Google ♦♦ (replying to Nilanjan Chaudhuri) · Jun 11, 2020 at 06:24 PM

"this is giving me Execution error at the policy."

What is the error? Can you give some additional information?

Nilanjan Chaudhuri (replying to Dino-at-Google ♦♦) · Jun 11, 2020 at 08:34 PM

When I trace it, it just stops processing at this policy and gives execution error. Note this is in the response.

I am at my wits end trying to understand why.

1 Answer

Answer by Sai Saran Vaidyanathan   · Jun 11, 2020 at 06:27 PM

@Nilanjan Chaudhuri

In your SetOAuthV2Info, instead of passing request.header.Authorization, can you pass just the token? I guess the "accesstoken" variable should be already populated. The auth header has a "Bearer" prefix as well and due to that it could be possibly failing. Can you try changing to something like this:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?> 
<SetOAuthV2Info async="false" continueOnError="false" enabled="true" name="Set-OAuth-v20-Info-1">
	 <DisplayName>Set OAuth v2.0 Info-1</DisplayName> 
	 <AccessToken ref="accesstoken"/> 
	 <Attributes> 
	 	<Attribute name="username">test</Attribute>
	 </Attributes>
</SetOAuthV2Info>
Nilanjan Chaudhuri · Jun 11, 2020 at 08:43 PM

This didn't work either mate

Dino-at-Google ♦♦ (replying to Nilanjan Chaudhuri) · Jun 11, 2020 at 09:37 PM

It works* for me.

I built a loopback proxy that has two flows:

  • One that verifies the access token and returns some of the data attached to the token, including the custom attribute "username".
  • Another that verifies the access token and then uses SetOAuthV2Info to set the username custom attr on the token.

The steps I followed

  1. get a token
  2. invoke the "get info" flow (the first one I described above). See there is no custom attr on the token. (Note the time)
  3. invoke the "set info" flow, passing new data to set on the token.
  4. invoke the "get info" flow immediately. See that there is still no custom attr on the token.!!!
  5. Wait 3 minutes
  6. Invoke the "get info" flow again. See that the expected custom attr is on the token.

Why "wait 3 minutes"?

* There is a cache with a TTL of 180 seconds in the MP that stores tokens and token attributes. Any change in the token will not be immediately available in the API Proxy. Actually, it's a little more subtle than that. There are multiple message processors (MPs) running your API Proxy. The cache is specific to the MP node. The MP that handles the request that invokes SetOAuthV2Info ... will "see" the updated attribute in the cache. Any other MP, will (may) see cached data until the expiry.

You could consider the behavior of the cache to be a bug. I'd agree with you there. A possible workaround is to always mint a new token when you want to set/update a custom attribute.

See attached for a working example.

apiproxy-setoauthv2info.zip
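
Added example, not part of the original thread and not Apigee's code: a simplified Python model of the per-MP cache behaviour described in the comment above, showing which node sees a newly set attribute and when. The class, function and token names and the sample data are assumptions made for illustration; only the 180-second TTL comes from the thread.

```python
TTL = 180  # seconds; the cache TTL stated in the comment above

class MessageProcessor:
    """Assumed model of one MP node with its own local token cache."""
    def __init__(self, store):
        self.store = store   # shared token store: token -> attributes
        self.cache = {}      # local: token -> (attributes, expiry time)

    def get_info(self, token, now):
        entry = self.cache.get(token)
        if entry and now < entry[1]:
            return dict(entry[0])              # cache hit, may be stale
        attrs = dict(self.store[token])        # miss or expired: reload
        self.cache[token] = (attrs, now + TTL)
        return dict(attrs)

    def set_info(self, token, new_attrs, now):
        self.store[token].update(new_attrs)
        # Only the node that handled the call refreshes its own cache.
        self.cache[token] = (dict(self.store[token]), now + TTL)

def run_scenario():
    store = {"tok-1": {"email": "user@example.test"}}  # constructed data
    mp_a, mp_b = MessageProcessor(store), MessageProcessor(store)
    mp_a.get_info("tok-1", now=0)   # both nodes cache the token at t=0
    mp_b.get_info("tok-1", now=0)
    mp_a.set_info("tok-1", {"username": "testuser"}, now=10)
    seen = {
        "same_mp_at_11s": "username" in mp_a.get_info("tok-1", now=11),
        "other_mp_at_11s": "username" in mp_b.get_info("tok-1", now=11),
        "other_mp_at_181s": "username" in mp_b.get_info("tok-1", now=181),
    }
    # Workaround from the comment: mint a new token carrying the attribute.
    store["tok-2"] = {"email": "user@example.test", "username": "testuser"}
    seen["new_token_other_mp_at_12s"] = "username" in mp_b.get_info("tok-2", now=12)
    return seen

if __name__ == "__main__":
    for check, has_username in run_scenario().items():
        print(f"{check}: {has_username}")
```

In this model, any policy that makes an authorization decision on a token attribute can act on the old value for up to the TTL on nodes that did not handle the update.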

Nilanjan Chaudhuri (replying to Dino-at-Google ♦♦) · Jun 11, 2020 at 10:22 PM

Thanks. I will try this. However my flow is just about setting the attributes using the policy and it is failing which is not clear to me.

This is my flow

So Proxy 1 is called when the user logs in, access token is returned and I successfully set 2 attributes (email and profile) with the access token. This works.

Now the application calls proxy 2 with the access token. The access token is verified successfully and then backend end point is called and a response is returned. I am trying to parse this response and get a variable called username (using Extract Variable) which is working fine and then set this as an additional attribute of the access token using the Set policy again. This is where it is failing. I am not sure why.

Also I am unable to access the attachment you have attached. It gives me 403 forbidden.

Sai Saran Vaidyanathan ♦ (replying to Nilanjan Chaudhuri) · Jun 11, 2020 at 09:49 PM

Hi @Nilanjan Chaudhuri

I just wrote a quick proxy. Please see attached: oauth-set-custom-attribute-rev1-2020-06-11.zip

This proxy has three flows:

1) POST /token - to generate a token

Sample curl:

curl --location --request POST 'https://{org}-{env}.apigee.net/oauth-set-custom-attribute/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id={client_id}' \
--data-urlencode 'client_secret={client_secret}'

This should generate a response and give a token. I have added a hardcoded "foo" attribute in the GenerateAccessToken policy.

2) POST /attributes - to set username to the custom attribute

Sample curl:

curl --location --request POST 'https://{org}-{env}.apigee.net/oauth-set-custom-attribute/attributes' \
--header 'Authorization: Bearer {token}' \
--header 'Content-Type: application/json' \
--data-raw '{
    "user":{
        "username":"testuser" 
    }
}'

This should set the attribute to the token you are passing in the header

3) GET /verify - to verify the token and show the custom attributes

curl --location --request GET 'https://{org}-{env}.apigee.net/oauth-set-custom-attribute/verify' \
--header 'Authorization: Bearer {token}'

This should show the list of attributes in TRACE. The variables will have a prefix of "accesstoken". See the screenshot below
