This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Get hands-on experience with 20+ free Google Cloud products and $300 in free credit for new customers.
Log in to ask a question

Apigee X Create custom OAuthV2 access_token

Posted on 05-06-2024 03:36 AM
donutquan
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

I am relatively new to Apigee and want to use the "apigee.access_token" generated by Apigee and append it to one of my existing variables called "tokenPayLoad". After that, I want to use this newly formed access_token for future calls to my API.

I have tried using SetOAuthV2Info policy but it still does not work as subsequent calls requiring access_token still check with the originally generated access_token.

 

 

<ProxyEndpoint name="token">
...
<Flow name="token">
    <Request>
       <Step>
          <Name>Token-BuildRequest</Name>
       </Step>
    </Request>
    <Response>
       <Step>
          <Name>GenerateAccessToken</Name>
       </Step>
       <Step>
          <Name>Token-BuildResponse</Name>
       </Step>
       <Step>
          <Name>AM-TokenResponse</Name>
       </Step>
    </Response>
</Flow>
...
<ProxyEndpoint name="verification">
...
<Flow name="verify">
    <Request>
        <Step>
            <Name>OAuthv2Verify</Name>
        </Step>
        <Step>
            <Name>RF-InvalidToken</Name>
            <Condition>error.status.code = "401"</Condition>
        </Step>
    </Request>
</Flow>

 

GenerateAccessToken

 

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="GenerateAccessToken">
    <DisplayName>GenerateAccessToken</DisplayName>
    <Operation>GenerateAccessToken</Operation>
    <ExpiresIn>900000</ExpiresIn>
    <Algorithm>RS512</Algorithm>
    <GenerateResponse enabled="true"/>
    <Scope>scope</Scope>
    <SupportedGrantTypes>
        <GrantType>client_credentials</GrantType>
    </SupportedGrantTypes>
    <GrantType>grant_type</GrantType>
    <TokenType>Bearer</TokenType>
    <TokenLength>6000</TokenLength>
    </Attributes>
</OAuthV2>

 

TokenBuildResponse.js

 

var tokenPayLoad = JSON.parse(context.getVariable('tokenResponsePayload'));
const accessToken = context.getVariable('apigee.access_token');
tokenPayLoad.access_token = tokenPayLoad.access_token + "." + accessToken
context.setVariable('response.content', JSON.stringify(tokenPayLoad));

 

OAuth2Verify

 

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="OAuthv2Verify">
    <DisplayName>OAuthv2Verify</DisplayName>
    <Operation>VerifyAccessToken</Operation>
    <Scope>TestApp</Scope>
    <SupportedGrantTypes/>
    <GenerateResponse enabled="true"/>
    <Tokens/>
</OAuthV2>

 

 

Solved Solved
2 4 308
Topic Labels
Jump to Solution
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
dchiesa1
Staff
In response to donutquan
Reply posted on --/--/---- --:-- AM

i wouldn't do it that way.  If you have a token from some other gateway, and you want to be able to access it from within Apigee, one good way to do that would be to attach that external piece of data as a "custom attribute" to a token that Apigee generates. In Apigee, custom attributes are metadata that you can associate to a variety of entities - like Apps, developers, products, or tokens.  Each attribute is a name/value pair. 

For custom attrs on tokens, you can set them at the time of issuance - within OAuthV2/GenerateAccessToken , using the Attributes element.  Or, you can append custom attributes to tokens, AFTER they have been issued, with the SetOAuthV2Info policy. 

In either case, the client app has the Apigee-issued token. When it presents the Apigee-issued token in a request-for-service, the Apigee proxy can verify the token, and that will implicitly load into message context, the values of the custom attribute.  In this case, the external token .

Doing it this way means you don't resort to "concatenating tokens" or some other "manual" token wrangling approach. 

Would that solve your case? 

What does Apigee DO with the token from Gateway X? 

I am imagining this. kind of flow:  a client connects to Gateway X and gets a token for Gateway X.  Then the same client connects with Apigee, and presents credentials for Apigee, along with the token for Gateway X.  Apigee issues a token, attaching the Gateway X token as an attribute. On subsequent request the client can send the Apigee-generated token into Apigee. Apigee can verify it.  Then implicitly retrieve the GaterwayX token, and then use that token to make calls to Gateway X, on behalf of the client. 

Is that kind of what's you're imagining? 

View solution in original post

Jump to Solution
4 REPLIES 4
Top Solution Authors
View all