Apigee OAuth 2.0 client credentials grant type often returns 500

We are using OAuth 2.0 for authentication purposes. We have a proxy with an OAuth2.0 policy; we are passing the query parameter grant_type as client_credentials, and we tried supplying client_id and client_secret in the form body, and also tried passing the encoded client_id and client_secret in the Authorization header. We do get a 200 OK response and token details at times, and a 500 error often. We are hitting the proxy several times to retrieve the token. We are getting the below exceptions. Is there any restriction for requesting a token? (We tried Postman, jQuery ajax, a cURL command, and a console application also, but the issue is the same.) Kindly provide an insight on this.

[screenshot: the exceptions returned by the proxy]

We tried supplying client_id as username and client_secret as password in the form body, still no luck.


Can you show your OAuthV2 policy configuration?

This one works for me, when using client_credentials grant type.


<OAuthV2 name='OAuthV2-GenerateAccessToken-CC'>
  <Operation>GenerateAccessToken</Operation>
  <!--
      ExpiresIn, in milliseconds. The ref is optional. The explicitly specified
      value is the default, when the variable reference cannot be resolved.
      1800000 = 30 minutes
      2400000 = 40 minutes
      3600000 = 60 minutes
  -->
  <ExpiresIn ref='flow.variable'>1800000</ExpiresIn>

  <!--
      RefreshTokenExpiresIn, in milliseconds. Optional; if it is not
      specified, the default value will be used which is -1 (no expiration).
      691200000 = 8 days
      2592000000 = 30 days
  -->
  <RefreshTokenExpiresIn>691200000</RefreshTokenExpiresIn>

  <SupportedGrantTypes>
    <!--
        for client_credentials, the client_id and client_secret must be
        passed in , in the Basic Auth header, as per the
        specification.
    -->

    <GrantType>client_credentials</GrantType>
  </SupportedGrantTypes>

  <!-- variable that specifies the requested grant type -->
  <GrantType>request.formparam.grant_type</GrantType>

  <Attributes>
    <Attribute name='grant_type'
               ref='request.formparam.grant_type'
               display='true'>UNDEFINED</Attribute>
  </Attributes>

  <GenerateResponse enabled='true'/>
  <!--

      If you include GenerateResponse and have enabled='true', then
      the response is sent directly to the caller. The payload looks like
      this:

      {
        "issued_at": "1420262924658",
        "scope": "READ",
        "application_name": "ce1e94a2-9c3e-42fa-a2c6-1ee01815476b",
        "status": "approved",
        "api_product_list": "[PremiumWeatherAPI]",
        "expires_in": "1799",
        "developer.email": "tesla@weathersample.com",
        "organization_id": "0",
        "token_type": "BearerToken",
        "client_id": "5jUAdGv9pBouF0wOH5keAVI35GBtx3dT",
        "access_token": "2l4IQtZXbn5WBJdL6EF7uenOWRsi",
        "organization_name": "docs",
        "refresh_token_expires_in": "0",
        "refresh_count": "0"
      }

      If you omit GenerateResponse or have enabled='false', then
      these flow variables are set on success:

      oauthv2accesstoken.OAuthV2-GenerateAccessToken-CC.access_token
      oauthv2accesstoken.OAuthV2-GenerateAccessToken-CC.token_type
      oauthv2accesstoken.OAuthV2-GenerateAccessToken-CC.expires_in
      oauthv2accesstoken.OAuthV2-GenerateAccessToken-CC.refresh_token
      oauthv2accesstoken.OAuthV2-GenerateAccessToken-CC.refresh_token_expires_in
      oauthv2accesstoken.OAuthV2-GenerateAccessToken-CC.refresh_token_issued_at
      oauthv2accesstoken.OAuthV2-GenerateAccessToken-CC.refresh_token_status
  -->

</OAuthV2>


Something in your policy configuration is referencing request.formparam.username, either implicitly or explicitly.

You can find a full working example of a proxy that dispenses OAuth2.0 tokens via client_credentials grant type, here: https://github.com/DinoChiesa/devjam3-20170405/tree/master/Resources/oauth2-cc

We do get a 200 OK response and token details at times, but we are getting a 500 error often. Our policy looks similar to what you have; below is the screenshot of our policy.

[screenshot: the OAuthV2 policy configuration]

Can you please help us to clear this issue?


OK, that looks pretty simple. Client credentials is the simplest kind of OAuth grant there is.

Looking again at the error code you showed in the first message, it appears that it is being thrown by the BasicAuthentication policy, not the OAuth policy.  And the error in particular is "failed to resolve variable."  Is it possible that the API proxy is receiving requests that do not have the referenced formparam set?  That would lead to the error you are seeing. 

Maybe introduce a <Condition> element wrapping a RaiseFault before the BasicAuthentication policy, which returns a specific error in the case the required formparam is not being set. 

that might help.
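One way to wire up the guard suggested above, as an added example that is not from the thread or from Apigee's own samples: a RaiseFault policy that returns a 400 instead of the 500 from the unresolved variable, plus the proxy flow that runs it conditionally before BasicAuthentication. The policy names (RF-MissingCredentials, BasicAuthentication-Encode), the /token path and the JSON error body are assumptions; request.formparam.username and request.formparam.password are the variables the thread says the BasicAuthentication policy references.

```xml
<!-- Policy: RF-MissingCredentials (assumed name). Returns a clear 400 to the
     client when the form parameters BasicAuthentication needs are absent. -->
<RaiseFault name="RF-MissingCredentials">
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
  <FaultResponse>
    <Set>
      <Headers>
        <Header name="Content-Type">application/json</Header>
      </Headers>
      <!-- OAuth 2.0 style error body; wording is assumed -->
      <Payload contentType="application/json">{"error":"invalid_request","error_description":"username and password form parameters are required"}</Payload>
      <StatusCode>400</StatusCode>
      <ReasonPhrase>Bad Request</ReasonPhrase>
    </Set>
  </FaultResponse>
</RaiseFault>

<!-- ProxyEndpoint flow (assumed layout). The RaiseFault step only executes
     when either form parameter is missing, so BasicAuthentication never sees
     an unresolvable variable and the token policy only runs on valid input. -->
<ProxyEndpoint name="default">
  <Flows>
    <Flow name="token">
      <Condition>(proxy.pathsuffix MatchesPath "/token") and (request.verb = "POST")</Condition>
      <Request>
        <Step>
          <Name>RF-MissingCredentials</Name>
          <Condition>(request.formparam.username = null) or (request.formparam.password = null)</Condition>
        </Step>
        <Step>
          <Name>BasicAuthentication-Encode</Name>
        </Step>
        <Step>
          <Name>OAuthV2-GenerateAccessToken-CC</Name>
        </Step>
      </Request>
    </Flow>
  </Flows>
</ProxyEndpoint>
```

Requests that omit either form parameter now fail fast with a 400 from RaiseFault, which is also easier to distinguish from a genuine proxy error in the trace and the API analytics.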