Hello all and @dchiesa1,
I am very new to Apigee and I have been following this tutorial for delegated OAuth authentication.
https://github.com/dzuluaga/apigee-tutorials/tree/master/apiproxies/musicapi-oauth-delegated-authent...
It passes the parameter ?external_access_token=123456 to the proxy to set the access token.
My plan is to use Google's OAuth to do the following:
1. Call the https://accounts.google.com/o/oauth2/v2/auth to get the 'code' to exchange for a token.
2. Using the code from step 1, call https://www.googleapis.com/oauth2/v4/token with the code to get the real access token.
3. Extract the token and call the generatetoken endpoint with the parameter external_access_token={access token from google in step 2}
4. Call my OAuth protected proxy using the external access token from step 3
q1. Is this the correct way of using Apigee and Google OAuth? I have seen a link about using extensions https://docs.apigee.com/api-platform/reference/extensions/google-authentication/google-authenticatio... but I am not seeing the connector callout policy anywhere. Is it the same as ServiceCallout?
Here is my attempt to call Google OAuth:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ServiceCallout async="false" continueOnError="false" enabled="true" name="Get-Access-Token">
<DisplayName>Get Access Token</DisplayName>
<Properties/>
<Request clearPayload="false" variable="myRequest">
<Set>
<Verb>POST</Verb>
<Headers>
<Header name="Content-Type">application/x-www-form-urlencoded</Header>
</Headers>
<FormParams>
<FormParam name="response_type">code</FormParam>
<FormParam name="client_id">...apps.googleusercontent.com</FormParam>
<FormParam name="scope">openid</FormParam>
<FormParam name="state">state_parameter_passthrough_value</FormParam>
<FormParam name="nonce">123456abcde}</FormParam>
<FormParam name="hd">company.com</FormParam>
<FormParam name="redirect_uri">https://www.googleapis.com/oauth2/v4/token</FormParam>
</FormParams>
</Set>
<IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
</Request>
<Response>calloutResponse</Response>
<HTTPTargetConnection>
<Properties/>
<URL>https://accounts.google.com/o/oauth2/v2/auth</URL>
</HTTPTargetConnection>
</ServiceCallout>
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ExtractVariables continueOnError="false" enabled="true" name="Extract-Variables-1">
<DisplayName>Extract Variables-1</DisplayName>
<Properties/>
<IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
<JSONPayload>
<Variable name="expiresAt">
<JSONPath>$.code</JSONPath>
</Variable>
</JSONPayload>
<Source clearPayload="false">request</Source>
<VariablePrefix>apigee</VariablePrefix>
</ExtractVariables>
q2. Since I am planning to chain the auth and token calls, my redirect should be the token endpoint, right? In Apigee the policy flow should be service callout > extract variables > assign message (code), then do the same thing for the token. Am I on the right track? Can someone please direct me to more examples of the extract variable/assign message policy?
Thank you for your time!
Great. I'm glad this discussion helped.
Absolutely, you can use Google Identity as a way to act as a "temporary" or "provisional" Identity provider for your users. The token you obtain from Google Identity will be very similar to the tokens you get from Okta. You will be able to retain almost the identical policies in your Apigee APIs; the VerifyJWT policy will change, of course: it will use the JWKS URL for the Okta tenant, rather than the JWKS URL for the Google OAuth service. I guess Okta offers a bit more depth in their IdP product (though I am not an expert on this), but Google Identity will satisfy this prototyping need, at the very least.
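As an added example (not from the original thread or from Apigee's own samples), here is the server-side part of the flow in the question together with the JWT check mentioned in the reply, as three Apigee policies, each of which would live in its own policy file: a ServiceCallout that exchanges the authorization code (step 2), an ExtractVariables that reads the callout response rather than the inbound request, and a VerifyJWT that validates Google's ID token against its published JWKS. The policy and variable names, the `private.google_client_secret` variable (assumed to be populated from an encrypted KVM beforehand), the `request.queryparam.code` source and the example.com redirect URI are all assumptions.

```xml
<!-- Policy 1: exchange the authorization code for tokens (the question's step 2). Assumes
     the code arrives as ?code=... and an earlier KVM policy set private.google_client_secret. -->
<ServiceCallout name="SC-Google-Token-Exchange">
  <Request clearPayload="false" variable="tokenRequest">
    <Set>
      <Verb>POST</Verb>
      <Headers>
        <Header name="Content-Type">application/x-www-form-urlencoded</Header>
      </Headers>
      <FormParams>
        <FormParam name="grant_type">authorization_code</FormParam>
        <FormParam name="code">{request.queryparam.code}</FormParam>
        <FormParam name="client_id">CLIENT_ID_PLACEHOLDER.apps.googleusercontent.com</FormParam>
        <FormParam name="client_secret">{private.google_client_secret}</FormParam>
        <!-- must match the redirect_uri used in the browser-side /auth request -->
        <FormParam name="redirect_uri">https://api.example.com/oauth/callback</FormParam>
      </FormParams>
    </Set>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  </Request>
  <Response>googleTokenResponse</Response>
  <HTTPTargetConnection>
    <URL>https://www.googleapis.com/oauth2/v4/token</URL>
  </HTTPTargetConnection>
</ServiceCallout>

<!-- Policy 2: pull the tokens out of the callout response, not the inbound request. -->
<ExtractVariables name="EV-Google-Tokens">
  <Source clearPayload="false">googleTokenResponse</Source>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <JSONPayload>
    <Variable name="access_token"><JSONPath>$.access_token</JSONPath></Variable>
    <Variable name="id_token"><JSONPath>$.id_token</JSONPath></Variable>
    <Variable name="expires_in"><JSONPath>$.expires_in</JSONPath></Variable>
  </JSONPayload>
  <VariablePrefix>google</VariablePrefix>
</ExtractVariables>

<!-- Policy 3: verify the ID token before trusting any claim in it. The issuer and
     audience checks reject a token that was minted for some other client. -->
<VerifyJWT name="VJ-Google-IdToken">
  <Algorithm>RS256</Algorithm>
  <Source>google.id_token</Source>
  <PublicKey>
    <JWKS uri="https://www.googleapis.com/oauth2/v3/certs"/>
  </PublicKey>
  <Issuer>https://accounts.google.com</Issuer>
  <Audience>CLIENT_ID_PLACEHOLDER.apps.googleusercontent.com</Audience>
</VerifyJWT>
```

Only the verified `id_token` should be used for identity; the `access_token` Google returns is opaque and is the value the tutorial's external_access_token parameter would carry.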
In terms of learning Apigee X, would you still recommend referring to the 4 Minute Videos 4 Developers Playlist or would you consider that as outdated?
As regards 4MV4D, the videos that discuss and describe the individual policies are still very good and relevant. All of the policies in Apigee Edge (as covered in those videos) also exist in Apigee X. The same policies, the same options, the same behavior, the same runtime. There are only a few exceptions. So I do not consider the existing videos to be outdated.
At the same time, the team is working on re-creating the videos with the current Apigee X product. That's a big effort; stay tuned for that.