Adding custom attributes to access token using SetOAuthV2Info policy not working
Hi
I have an access token which already has two custom attributes - email and profile. Now in one of the subsequent proxy calls , I need to add another attribute called username to the access token. This is returned in a json response of the specific proxy call. So in the response I have a Extract variable policy which extracts the value
<JSONPayload>
<Variable name="username">
<JSONPath>$.user.username</JSONPath>
</Variable>
</JSONPayload>
This policy is working fine.
Now I am trying to add this to the access token using a SetOAuthV2Info policy and this is giving me Execution error at the policy.
<SetOAuthV2Info name="Set-OAuth-v20-Info-1">
<DisplayName>Set OAuth v2.0 Info-1</DisplayName>
<AccessToken ref="request.header.authorization"/>
<Attributes>
<Attribute name="username" ref="username"/>
</Attributes>
</SetOAuthV2Info>
I have tried all possible ways. Even when I set a hard coded value, it still gives me execution error.
So I have also tried setting a hard coded value - "test" to it and it still does not work
<SetOAuthV2Info name="Set-OAuth-v20-Info-1">
<DisplayName>Set OAuth v2.0 Info-1</DisplayName>
<AccessToken ref="request.header.authorization"/>
<Attributes>
<Attribute name="username">test</Attribute>
</Attributes>
</SetOAuthV2Info>
I am not sure where I am making an error.
this is giving me Execution error at the policy.
What is the error? Can you give some additional information?
When I trace it , it just stops processing at this policy and gives execution error. Note this is in the response.
I am at my wits end trying to understand why.
Answer by Sai Saran Vaidyanathan
·
Jun 11, 2020 at 06:27 PM
@Nilanjan Chaudhuri
In your SetOAuthV2Info, instead of passing request.header.Authorization, can you pass just the token. I guess the "accesstoken" variable should be already populated. The auth header has a "Bearer" prefix as well and due to that it could be possibly failing. Can you try changing to somethign like this
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <SetOAuthV2Info async="false" continueOnError="false" enabled="true" name="Set-OAuth-v20-Info-1"> <DisplayName>Set OAuth v2.0 Info-1</DisplayName> <AccessToken ref="accesstoken"/> <Attributes> <Attribute name="username">test</Attribute> </Attributes> </SetOAuthV2Info>
It works* for me.
I built a loopback proxy that has two flows:
- one that verifies the access token and returns some of the data attached to the token, including the custom attribute "username" .
- Another that verifies the access token and then uses SetOAuthV2Info to set the username custom attr on the token.
The steps I followed
- get a token
- invoke the "get info" flow (the first one I described above). See there is no custom attr on the token. (Note the time)
- invoke the "set info" flow, passing new data to set on the token.
- invoke the "get info" flow immediately. See that there is still no custom attr on the token.!!!
- Wait 3 minutes
- Invoke the "get info" flow again. See that the expected custom attr is on the token.
Why "wait 3 minutes"?
* There is a cache with a TTL of 180 seconds in the MP that stores tokens and token attributes. Any change in the token will not be immediately available in the API Proxy. Actually, it's a little more subtle than that. There are multiple message processors (MPs) running your API Proxy. The cache is specific to the MP node. The MP that handles the request that invokes SetOAuthV2Info ... will "see" the updated attribute in the cache. Any other MP, will (may) see cached data until the expiry.
You could consider the behavior of the cache to be a bug. I'd agree with you there. a possible workaround is to always mint a new token when you want to set /update a custom attribute.
See attached for a working example.
Thanks. I will try this. However my flow is just about setting the attributes using the policy and it is failing which is not clear to me.
This is my flow
So Proxy 1 is called when the user logs in , access token is returned and I successfully set 2 attributes (email and profile) with the access token. This works.
Now the application call proxy 2 with the access token. The access token is verified sccessfully and then backend end point is called and a response is returned. I am trying to parse this response and get a variable called username (using Extact Variable) which is working fine and then set this as an additional attribute of the access token using the Srt policy again. This is where it is failing. I am not sure why.
Also I am unable to access the attachment you have attached. It gives me 403 forbidden.
I just wrote a quick proxy. Please see attached.oauth-set-custom-attribute-rev1-2020-06-11.zip
This proxy has three flows:
1) POST /token - to generate a token
Sample curl:
curl --location --request POST 'https://{org}-{env}.apigee.net/oauth-set-custom-attribute/token' \--header 'Content-Type: application/x-www-form-urlencoded' \--data-urlencode 'grant_type=client_credentials' \--data-urlencode 'client_id={client_id}' \--data-urlencode 'client_secret={client_secret}'
This should generate a response and give a token. I have added a harcoded "foo" attribute in the GenerateAccesstoken policy
2) POST /attributes - to set username to the custom attribute
Sample curl:
curl --location --request POST 'https://{org}-{env}.apigee.net/oauth-set-custom-attribute/attributes' \
--header 'Authorization: Bearer {token}' \
--header 'Content-Type: application/json' \
--data-raw '{
"user":{
"username":"testuser"
}
}'
This should set the attribute to the token you are passing in the header
3) GET /verify - to verify the token and show the custom attributes
curl --location --request GET 'https://{org}-{env}.apigee.net/oauth-set-custom-attribute/verify' \
--header 'Authorization: Bearer {token}'
This should show the list of attributes in TRACE. The variables will have a prefix of "accesstoken". See the screenshot below
