Hi,
I've a client that consumes an API with a STS between them for security.
Now I added Apigee between the client and the API. The API proxy of my API doesn't have any policies added to its flow and it still works as intended.
I tried to add a security layer to Apigee by adding "VerifyAccessToken" (https://docs.apigee.com/api-platform/security/oauth/using-access-tokens).
The configuration of the policy looks like this:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="VerifyAccessToken">
    <DisplayName>VerifyAccessToken</DisplayName>
    <FaultRules/>
    <Properties/>
    <Attributes/>
    <ExternalAuthorization>true</ExternalAuthorization>
    <Operation>VerifyAccessToken</Operation>
    <SupportedGrantTypes/>
    <GenerateResponse enabled="true"/>
    <Tokens/>
</OAuthV2>
But when trying to query my API through the proxy I get this error now:
{
    "fault": {
        "faultstring": "Invalid Access Token",
        "detail": {
            "errorcode": "keymanagement.service.invalid_access_token"
        }
    }
}
What am I missing?
Hi Ben, the VerifyAccessToken policy is specifically used for verifying Apigee-minted access tokens.
External tokens can be verified in Apigee in 2 ways; please check the doc below:
https://docs.apigee.com/api-platform/security/oauth/use-third-party-oauth-system