How to generate a new token using refresh token

Hi Team,

I have generated a new access token and refresh token for the machine user.

https://docs.apigee.com/api-platform/system-administration/automating-tasks

I got a new access and refresh token using the following command.

curl -H "Content-Type: application/x-www-form-urlencoded;charset=utf-8" \
  -H "accept: application/json;charset=utf-8" \
  -H "Authorization: Basic ZWRnZWNsaTplZGdlY2xpc2VjcmV0" -X POST \
  https://zoneName.login.apigee.com/oauth/token -s \
  -d 'grant_type=password&username=machineusername&password=machineuserpassword'

Access token is expired now. Now I have generated a new token using refresh token.

curl -H "Content-Type:application/x-www-form-urlencoded;charset=utf-8" \
  -H "Accept: application/json;charset=utf-8" \
  -H "Authorization: Basic ZWRnZWNsaTplZGdlY2xpc2VjcmV0" -X POST \
  https://zoneName.login.apigee.com/oauth/token \
  -d 'grant_type=refresh_token&refresh_token=REFRESH_TOKEN'

I got a new access and refresh token. Which token should I use? I used the refresh token but it got expired today. Please find the below Jenkins console output error:

Access token not valid so acquiring new access token using Refresh Token

Please let me know which token I should use for longer validation?

Also I came across this page but they have not updated the exact steps how they fixed it?

I have last expired access and refresh token with me. Please let me know some steps to fix it.

https://community.apigee.com/questions/51963/how-to-get-last-associated-access-token-with-refre.html


Once you generate a new token using the refresh token, that refresh token will not work any more. You have to use the new access and refresh token you got. That refresh token can be used to get a new access and refresh token again.

Your refresh token can be used only once to get another set of tokens. Every time you use the new one. For the long run you can increase the expiry time of tokens.
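The rotation described in the replies above, as an added example (not code from the thread or from Apigee): a small CI-side cache that replaces both tokens after every refresh and falls back to the password grant when the refresh token is rejected. `TokenCache`, `FakeTokenEndpoint` and the injected `post` callable are hypothetical names; the fake endpoint is a constructed stand-in for the token URL that only models single-use refresh tokens.

```python
import time

class TokenCache:
    """CI-side holder for the newest access/refresh pair (hypothetical helper)."""
    def __init__(self, post, username, password, clock=time.time, skew=60):
        self.post = post  # assumed callable: post(form_dict) -> (http_status, json_dict)
        self.username, self.password = username, password
        self.clock, self.skew = clock, skew
        self.access, self.refresh, self.expires_at = None, None, 0.0

    def _store(self, body):
        # Replace both tokens together: the refresh token just sent is now spent.
        self.access = body["access_token"]
        self.refresh = body.get("refresh_token", self.refresh)
        self.expires_at = self.clock() + body["expires_in"]
        return self.access

    def access_token(self):
        if self.access and self.clock() < self.expires_at - self.skew:
            return self.access  # still valid, no call to the token URL
        if self.refresh:
            status, body = self.post({"grant_type": "refresh_token",
                                      "refresh_token": self.refresh})
            if status == 200:
                return self._store(body)
            self.refresh = None  # spent or expired: never retry it
        status, body = self.post({"grant_type": "password",
                                  "username": self.username, "password": self.password})
        if status != 200:
            raise RuntimeError(f"token request failed with HTTP {status}")
        return self._store(body)

class FakeTokenEndpoint:
    """Constructed stand-in for the token URL; refresh tokens are single-use."""
    def __init__(self, access_ttl=1800):
        self.n, self.live_refresh, self.calls = 0, set(), []
        self.access_ttl = access_ttl

    def __call__(self, form):
        self.calls.append(form["grant_type"])
        if form["grant_type"] == "refresh_token":
            if form["refresh_token"] not in self.live_refresh:
                return 400, {"error": "invalid_grant"}
            self.live_refresh.discard(form["refresh_token"])
        self.n += 1
        self.live_refresh.add(f"refresh-{self.n}")
        return 200, {"access_token": f"access-{self.n}",
                     "refresh_token": f"refresh-{self.n}",
                     "expires_in": self.access_ttl}
```

In a pipeline, `post` would wrap the same POST to the token URL shown in the curl commands, with the credentials read from the CI secret store rather than from the job definition.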

I'm using the new access token. Let me see how long it takes to expire. Also how to increase the expiry time as 30 days?

You can configure the access token and refresh token expiry in the OAuthV2 policy used to generate the tokens

The lifetime of the token will be specified in the policy. A reasonable value for the expiry of the refreshtoken is 30 days, but accesstoken expiry should be much less, maybe limited to an hour or less. Else you may face Cassandra space issue in long run. Below are the two tags of the OAuthV2 policy, the first one for the accesstoken expiry and the second one for refresh token expiry in milliseconds.

 

    <!--
    ExpiresIn, in milliseconds. The ref is optional. The explicitly specified
    value is the default, when the variable reference cannot be resolved.
    For example:
      2400000 = 40 minutes
      3600000 = 60 minutes
    -->
    <ExpiresIn ref='flow.variable'>2400000</ExpiresIn>

    <!--
    RefreshTokenExpiresIn, in milliseconds. Optional; if it is not
    specified, the default value will be used which is -1 (no expiration).
    For example:
      691200000 = 8 days
      2592000000 = 30 days
    -->
    <RefreshTokenExpiresIn>691200000</RefreshTokenExpiresIn>

 

My access token got expired today as well. Looks like the access token expires in less than 12 hours. Please note I'm not generating the token using any policy; instead I'm just using an API call to generate the token on a daily basis. Do I need to update the access token on a daily basis in the CICD pipeline? Then I don't think the machine user serves the purpose.

I don't understand one point: do I need to create a new policy in the existing API proxy and update the access and refresh token expiry? I'm not trying to use the access and refresh token on an API proxy; instead I'm using it on CICD for all the API proxies. Can you help me in getting the exact steps to understand and finish this work?


The API you are using generates the token. Is it not in Apigee?

The expiry time can also be set at the configuration of the organization.

In case the machine is a trusted one, you can use the client_credentials grant type. That will not have a refresh token. Every day you can generate one token that will expire in 24 hours. Every 24 hours, generate a new access token.

What is the purpose of your CICD? And what is your requirement for authentication?

Hi Priyadarshi,

I have built a CICD pipeline using apigee config and deploy maven plugins. This will create API proxies and other configuration resources. We are using SAML based authentication in our Organisation.

I'm making an API call daily to get an access token and using it in the CICD pipeline, which will acquire the access token and build the proxy.

I came to know that if I use a machine user, the token generation process will be automated. Though I'm using a machine user, the token generation process is not automated. Please give me some proper steps to achieve this goal.

I did not try this earlier.

You can go through the link and can see

"With this form of the command, if the access token has expired, it is automatically refreshed until the refresh token expire"

https://docs.apigee.com/private-cloud/v4.18.05/using-saml-edge-management-api

Think he wants a solution with the Maven plugin

@Sundar Prince

You can use the refresh token to generate the new token as long as the refresh token is valid. But if you have machine user configured, why not just use that. The plugin should create the token and using that it should interact with the Management API. Hope you have configured the plugin to use OAuth with the machine user and password?

Please share your Maven profile you are using - I can tell what is missing

I just followed the below link to configure the machine user.

I have set OAuth authentication and machine user credentials in profiles.

https://docs.apigee.com/api-platform/system-administration/automating-tasks

How does the plugin create the token by itself? Do we need to configure anything specific apart from this?

Like I said in my previous comments, I have generated a new access and refresh token using the existing refresh token. If I use it, it works for 12 hours only. Next day if I run the pipeline I get the following error and I'm generating a new token.

Access token not valid so acquiring new access token usingRefreshToken

You don't need to do that with the Maven plugin. The plugin can do it for you. Please share your Maven profile, I will provide you with the right details so that your pipeline will work without the token being passed.

<profile>

<id>dev</id>

<properties>

<apigee.profile>dev</apigee.profile> <apigee.hosturl>https://api.enterprise.apigee.com</apigee.hosturl> <apigee.apiversion>v1</apigee.apiversion>

<apigee.org>REDACTED</apigee.org>

<apigee.env>dev</apigee.env>

<apigee.authtype>oauth</apigee.authtype> <apigee.tokenurl>https://ZONENAME.login.apigee.com/oauth/token</apigee.tokenurl> <apigee.clientsecret>${profile.apigee.clientSecret}</apigee.clientsecret> <apigee.username>${apigee.username.value}</apigee.username> <apigee.password>${apigee.password.value}</apigee.password> <apigee.bearer>${apigee.token.value}</apigee.bearer> <apigee.refresh>${apigee.refresh.value}</apigee.refresh>

</properties>

</profile>

Can you please paste it with the code block enabled? It hasn't come up correctly.

<profile>
    <id>dev</id>
    <properties>
        <apigee.profile>dev</apigee.profile>
        <apigee.hosturl>https://api.enterprise.apigee.com</apigee.hosturl>
        <apigee.apiversion>v1</apigee.apiversion>
        <apigee.org>REDACTED</apigee.org>
        <apigee.env>dev</apigee.env>
        <apigee.authtype>oauth</apigee.authtype>
        <apigee.tokenurl>https://ZONENAME.login.apigee.com/oauth/token</apigee.tokenurl>
        <apigee.clientsecret>${profile.apigee.clientSecret}</apigee.clientsecret>
        <apigee.username>${apigee.username.value}</apigee.username>
        <apigee.password>${apigee.password.value}</apigee.password>
        <apigee.bearer>${apigee.token.value}</apigee.bearer>
        <apigee.refresh>${apigee.refresh.value}</apigee.refresh>
    </properties>
</profile>

Ok - Please remove the apigee.bearer and apigee.refresh properties. You can remove the apigee.clientsecret as well as the plugin uses the default.

Hope in the tokenurl, you are passing the correct zonename you have configured?

Once removed, just run the maven command without the bearer token or refresh token argument.

Yes. I have configured the right zone name. Also I have been generating the token on a daily basis with the right zone.

I have made the changes like you said, but it was not helpful. The request is unable to come out of the proxy network.

16:49:51  [INFO] set proxy to REDACTED
16:49:51  [DEBUG] set proxy credentials
16:49:51  [DEBUG] URL parameters API Version v1
16:49:51  [DEBUG] URL parameters URL https://api.enterprise.apigee.com
16:49:51  [DEBUG] URL parameters Org REDACTED
16:49:51  [DEBUG] URL parameters App REDACTED
16:49:52  [INFO] Acquiring mgmt API token from REDACTED
16:49:52  [INFO] MFA token not provided. Skipping.
16:49:52  [DEBUG] HTTP POST REDACTED
16:49:52  [DEBUG] Accept=[text/plain, application/json, application/*+json, */*]
16:49:52  [DEBUG] Writing [{username=[REDACTED], password=[REDACTED], grant_type=[password]}] as "application/x-www-form-urlencoded"
16:49:52  [INFO] ------------------------------------------------------------------------
16:49:52  [INFO] BUILD FAILURE
16:49:52  [INFO] ------------------------------------------------------------------------
16:49:52  [INFO] Total time: 2.554 s
16:49:52  [INFO] Finished at: 2020-08-07T15:49:52+00:00
16:49:53  [INFO] Final Memory: 14M/166M
16:49:53  [INFO] ------------------------------------------------------------------------
16:49:53  [ERROR] Failed to execute goal io.apigee.build-tools.enterprise4g:apigee-edge-maven-plugin:1.2.1:deploy (default-cli) on project REDACTED: Execution default-cli of goal io.apigee.build-tools.enterprise4g:apigee-edge-maven-plugin:1.2.1:deploy failed: I/O error on POST request for "REDACTED": Unable to tunnel through proxy. Proxy returns "HTTP/1.1 407 Proxy Authentication Required"; nested exception is java.io.IOException: Unable to tunnel through proxy. Proxy returns "HTTP/1.1 407 Proxy Authentication Required" -> [Help 1]
16:49:53  org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal io.apigee.build-tools.enterprise4g:apigee-edge-maven-plugin:1.2.1:deploy (default-cli) on project REDACTED: Execution default-cli of goal io.apigee.build-tools.enterprise4g:apigee-edge-maven-plugin:1.2.1:deploy failed: I/O error on POST request for "REDACTED": Unable to tunnel through proxy. Proxy returns "HTTP/1.1 407 Proxy Authentication Required"; nested exception is java.io.IOException: Unable to tunnel through proxy. Proxy returns "HTTP/1.1 407 Proxy Authentication Required"
16:49:53  	at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:212)
16:49:53  	at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:153)
16:49:53  	at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:145)
16:49:53  	at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:116)
16:49:53  	at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:80)
16:49:53  	at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build(SingleThreadedBuilder.java:51)
16:49:53  	at org.apache.maven.lifecycle.internal.LifecycleStarter.execute(LifecycleStarter.java:128)
16:49:53  	at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:307)
16:49:53  	at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:193)
16:49:53  	at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:106)
16:49:53  	at org.apache.maven.cli.MavenCli.execute(MavenCli.java:863)
16:49:53  	at org.apache.maven.cli.MavenCli.doMain(MavenCli.java:288)
16:49:53  	at org.apache.maven.cli.MavenCli.main(MavenCli.java:199)
16:49:53  	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
16:49:53  	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
16:49:53  	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
16:49:53  	at java.lang.reflect.Method.invoke(Method.java:498)
16:49:53  	at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced(Launcher.java:289)
16:49:53  	at org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:229)
16:49:53  	at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode(Launcher.java:415)

Looks like it's something to do with the proxy credentials. Please confirm if that's working.

Yes. I have cross checked proxy credentials are working fine.

The plugin worked for you before enabling OAuth, right? You were able to deploy the proxy using the plugin with your Corp proxy settings with credentials?

Yes, I was able to deploy the proxies using basic authentication before enabling SAML. After enabling it, I'm using access tokens to deploy the proxies with my Edge account. Now the pipelines will be used by developers, so I have enabled a machine user to use as a permanent one. I was not aware that I can use it without access and refresh tokens.

I don't understand one point: do I need to create a new policy in the existing API proxy and update the access and refresh token expiry?

No, there is no policy to "update" the expiry. There is no way to "update" the expiry. The expiry of a token (refresh or access) is set when the token is generated, and thereafter it does not change.

You CAN create a new OAuthV2 policy in your token dispensing proxy, which uses Operation=RefreshAccessToken.  Invoking this with the proper input will generate a new accesstoken and a new refresh token. And then of course the expiries of the new access token and refresh token will be ... new! But these are new tokens with new expiries, not the old token with an updated expiry.