OAuthV2 VerifyAccessToken Scopes and Variables

Per the Apigee docs, the OAuthV2 policy's VerifyAccessToken operation requires you to "hard code" the Scope(s) you want to validate.

"If this element appears in a "VerifyAccessToken" policy, then it is used to specify which scopes the policy should enforce. In this type of policy, the value must be a "hard coded" scope name -- you can't use variables. For example:"

<Scope>A B</Scope>

This is extremely unfortunate because we use shared flows for verifying access tokens across multiple proxies. If we could use a variable in the Scope property, which by the way is supported on GenerateAccessToken operations, then you could specify the scope in a shared flow callout property and then reference the property/variable in the OAuthV2 policy on the shared flow.

Are there any plans to support variables in the VerifyAccessToken policy or a way to work around this unfortunate limitation?

3 REPLIES


That is the limitation I see. I would suggest that, if you are using a shared flow, you can add another policy specific to the proxy you want in the shared flow.

That suggestion defeats the purpose of using shared flows to begin with. If there was a way to do this in the shared flow without having to create separate "hard coded" VerifyAccessToken policies, then that would be acceptable. VerifyAccessToken really needs to support variables.

Yes, I agree with that. But if you know that a similar configuration will be used in other proxies in the future, then you can add that in the shared flow. Personally, I prefer not to have proxy-specific code in a shared flow. I just brought it up to point out that it is also possible.
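
One possible way around the limitation discussed in this thread, as an added example that is not from the thread or from Apigee's own code: run VerifyAccessToken in the shared flow without a hard-coded Scope, then compare the token's scopes against a variable in a JavaScript policy. It assumes the `scope` flow variable set by VerifyAccessToken holds the token's space-delimited scopes; `required_scopes` and `scope_check_passed` are hypothetical variable names, and the "all scopes required" mode is an assumption about the desired semantics.

```javascript
// Added example: scope check for an Apigee JavaScript policy placed after a
// VerifyAccessToken step that has no hard-coded <Scope>.
// Assumptions: "required_scopes" (set by the calling proxy) and
// "scope_check_passed" are hypothetical flow variable names.

// Split a space-delimited scope string into a de-duplicated list.
function parseScopes(value) {
  if (value === null || value === undefined) { return []; }
  var parts = String(value).split(/\s+/);
  var out = [];
  for (var i = 0; i < parts.length; i++) {
    if (parts[i] !== '' && out.indexOf(parts[i]) === -1) { out.push(parts[i]); }
  }
  return out;
}

// mode "all": every required scope must be granted; mode "any": at least one.
// Fails closed: a missing or empty requirement counts as a denial, so a proxy
// that forgets to set the variable does not silently skip scope enforcement.
// Matching is exact and case-sensitive.
function scopesSatisfied(granted, required, mode) {
  var g = parseScopes(granted);
  var r = parseScopes(required);
  if (r.length === 0 || g.length === 0) { return false; }
  var hits = 0;
  for (var i = 0; i < r.length; i++) {
    if (g.indexOf(r[i]) !== -1) { hits++; }
  }
  return mode === 'any' ? hits > 0 : hits === r.length;
}

// The JavaScript policy exposes "context" inside Apigee; outside it
// (for example when testing the functions locally) this part is skipped.
if (typeof context !== 'undefined') {
  var ok = scopesSatisfied(context.getVariable('scope'),
                           context.getVariable('required_scopes'), 'all');
  context.setVariable('scope_check_passed', ok);
}
```

The shared flow still needs a conditional RaiseFault step that rejects the request when `scope_check_passed` is false.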