Adding custom attributes to access token using SetOAuthV2Info policy not working

Hi

I have an access token which already has two custom attributes - email and profile. Now, in one of the subsequent proxy calls, I need to add another attribute called username to the access token. This is returned in a JSON response of the specific proxy call. So in the response I have an Extract Variable policy which extracts the value

<JSONPayload>
  <Variable name="username">
    <JSONPath>$.user.username</JSONPath>
  </Variable>
</JSONPayload>

This policy is working fine.

Now I am trying to add this to the access token using a SetOAuthV2Info policy and this is giving me Execution error at the policy.

<SetOAuthV2Info name="Set-OAuth-v20-Info-1"> 
  <DisplayName>Set OAuth v2.0 Info-1</DisplayName> 
  <AccessToken ref="request.header.authorization"/> 
  <Attributes> 
    <Attribute name="username" ref="username"/> 
  </Attributes> 
</SetOAuthV2Info>

I have tried all possible ways. Even when I set a hard coded value, it still gives me execution error.

So I have also tried setting a hard coded value - "test" to it and it still does not work

  <SetOAuthV2Info name="Set-OAuth-v20-Info-1"> 
    <DisplayName>Set OAuth v2.0 Info-1</DisplayName> 
    <AccessToken ref="request.header.authorization"/> 
    <Attributes> 
      <Attribute name="username">test</Attribute> 
    </Attributes> 
  </SetOAuthV2Info>

I am not sure where I am making an error.

@Dino @Dino-at-Google


Kindly help. I am stuck in this.


this is giving me Execution error at the policy.

What is the error? Can you give some additional information?

When I trace it, it just stops processing at this policy and gives an execution error. Note this is in the response.

I am at my wits end trying to understand why.

When I trace the proxy in Edge, it shows me 200 for the policy but gives an error symbol, and when I hover over it, it states execution error.

Attached is the screenshot: error.jpg

Kindly help find what is incorrect here.

I tried checking the fault cause, but it's blank.

SetOAuthV2Info.Set-OAuth-v20-Info-2.failed true
SetOAuthV2Info.Set-OAuth-v20-Info-2.fault.cause
SetOAuthV2Info.Set-OAuth-v20-Info-2.fault.name

I also tried using the policy in the Request flow but that too failed at the policy with the same error - Execution error.

@Dino-at-Google Please see the additional information above as you had asked for. Any help would be greatly appreciated.

@Nilanjan Chaudhuri

In your SetOAuthV2Info, instead of passing request.header.Authorization, can you pass just the token? I guess the "accesstoken" variable should be already populated. The auth header has a "Bearer" prefix as well and due to that it could be possibly failing. Can you try changing to something like this

<?xml version="1.0" encoding="UTF-8" standalone="yes"?> 
<SetOAuthV2Info async="false" continueOnError="false" enabled="true" name="Set-OAuth-v20-Info-1">
	 <DisplayName>Set OAuth v2.0 Info-1</DisplayName> 
	 <AccessToken ref="accesstoken"/> 
	 <Attributes> 
	 	<Attribute name="username">test</Attribute>
	 </Attributes>
</SetOAuthV2Info>

This didn't work either mate

It works* for me.

I built a loopback proxy that has two flows:

  • One that verifies the access token and returns some of the data attached to the token, including the custom attribute "username".
  • Another that verifies the access token and then uses SetOAuthV2Info to set the username custom attr on the token.

The steps I followed

  1. get a token
  2. invoke the "get info" flow (the first one I described above). See there is no custom attr on the token. (Note the time)
  3. invoke the "set info" flow, passing new data to set on the token.
  4. invoke the "get info" flow immediately. See that there is still no custom attr on the token!!!
  5. Wait 3 minutes
  6. Invoke the "get info" flow again. See that the expected custom attr is on the token.

Why "wait 3 minutes"?

* There is a cache with a TTL of 180 seconds in the MP that stores tokens and token attributes. Any change in the token will not be immediately available in the API Proxy. Actually, it's a little more subtle than that. There are multiple message processors (MPs) running your API Proxy. The cache is specific to the MP node. The MP that handles the request that invokes SetOAuthV2Info ... will "see" the updated attribute in the cache. Any other MP will (may) see cached data until the expiry.

You could consider the behavior of the cache to be a bug. I'd agree with you there. A possible workaround is to always mint a new token when you want to set/update a custom attribute.

See attached for a working example.

apiproxy-setoauthv2info.zip
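
Added example, not part of the reply above and not Apigee code: a toy JavaScript model of the per-MP cache behaviour described in that reply, replaying its six steps with a fake clock. The `TokenStore` and `MessageProcessor` classes, the token `tok-1` and the attribute values are constructed for illustration; only the 180-second TTL comes from the thread.

```javascript
// Toy model (constructed for illustration, not Apigee code) of the behaviour
// described above: each message processor (MP) caches token data for 180 s.
const TTL_MS = 180 * 1000;

class TokenStore {                       // shared persistent store (assumed)
  constructor() { this.tokens = new Map(); }
  read(token) { return { ...this.tokens.get(token) }; }
  write(token, attrs) { this.tokens.set(token, { ...attrs }); }
}

class MessageProcessor {
  constructor(store) { this.store = store; this.cache = new Map(); }

  // Verify-style read: served from this MP's cache until the entry expires.
  getInfo(token, now) {
    const hit = this.cache.get(token);
    if (hit && now < hit.expires) return hit.attrs;
    const attrs = this.store.read(token);
    this.cache.set(token, { attrs, expires: now + TTL_MS });
    return attrs;
  }

  // SetOAuthV2Info-style write: updates the store and only this MP's cache.
  setInfo(token, name, value, now) {
    const attrs = { ...this.store.read(token), [name]: value };
    this.store.write(token, attrs);
    this.cache.set(token, { attrs, expires: now + TTL_MS });
  }
}

// Replays the six steps with a constructed token and a fake clock (ms).
function replaySteps() {
  const store = new TokenStore();
  const mpA = new MessageProcessor(store);
  const mpB = new MessageProcessor(store);
  store.write("tok-1", { email: "a@example.com" });            // 1. get a token
  const before = mpB.getInfo("tok-1", 0).username;             // 2. get info on MP B
  mpA.setInfo("tok-1", "username", "testuser", 1000);          // 3. set info on MP A
  const sameMp = mpA.getInfo("tok-1", 2000).username;          // 4a. MP A sees it
  const otherMp = mpB.getInfo("tok-1", 2000).username;         // 4b. MP B is stale
  const afterTtl = mpB.getInfo("tok-1", TTL_MS + 1).username;  // 5-6. wait, retry
  return { before, sameMp, otherMp, afterTtl };
}

console.log(replaySteps());
```

In this model a test that sets an attribute and reads it back at once can pass or fail depending on which MP serves the read, which is why the steps above include the wait.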

Thanks. I will try this. However my flow is just about setting the attributes using the policy and it is failing which is not clear to me.

This is my flow

So Proxy 1 is called when the user logs in, access token is returned and I successfully set 2 attributes (email and profile) with the access token. This works.

Now the application calls proxy 2 with the access token. The access token is verified successfully and then the backend endpoint is called and a response is returned. I am trying to parse this response and get a variable called username (using Extract Variable) which is working fine and then set this as an additional attribute of the access token using the Set policy again. This is where it is failing. I am not sure why.

Also I am unable to access the attachment you have attached. It gives me 403 forbidden.

Are you setting the email and profile attributes using Set OAuth policy ?

Yes that works fine. No problems with that. That is in the same flow when I get the access token.

The issue is when I am trying to set a new attribute to the access token later on in another flow using the SetOAuth policy. That is not working. So all I am trying to do is that the access token had 2 attributes - email and profile. I am now trying to add another attribute called username as part of another proxy flow. This is when the Set OAuth policy is failing

Is the 2nd proxy part of the same API product for which the initial token was generated ?

Hi @Nilanjan Chaudhuri

I just wrote a quick proxy. Please see attached: oauth-set-custom-attribute-rev1-2020-06-11.zip

This proxy has three flows:

1) POST /token - to generate a token

Sample curl:

curl --location --request POST 'https://{org}-{env}.apigee.net/oauth-set-custom-attribute/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id={client_id}' \
--data-urlencode 'client_secret={client_secret}'

This should generate a response and give a token. I have added a hardcoded "foo" attribute in the GenerateAccesstoken policy

2) POST /attributes - to set username to the custom attribute

Sample curl:

curl --location --request POST 'https://{org}-{env}.apigee.net/oauth-set-custom-attribute/attributes' \
--header 'Authorization: Bearer {token}' \
--header 'Content-Type: application/json' \
--data-raw '{
    "user":{
        "username":"testuser" 
    }
}'

This should set the attribute to the token you are passing in the header

3) GET /verify - to verify the token and show the custom attributes

curl --location --request GET 'https://{org}-{env}.apigee.net/oauth-set-custom-attribute/verify' \
--header 'Authorization: Bearer {token}'

This should show the list of attributes in TRACE. The variables will have a prefix of "accesstoken". See the screenshot below

10003-screenshot-1.png