
Can you validate client key and secret without generating a token?

The scenario is an OAuth2 password grant. We want to validate the client key & secret and, assuming that is correct, then validate the resource owner user id and password.

Looking through documentation I can't see a way to validate key & secret without generating a token - which would then have to be revoked if resource owner authentication failed.

1 ACCEPTED SOLUTION

adas
New Member

@Dave Pickard while I am still trying to understand the use case, I believe this is still doable. You can use the VerifyAPIKey policy to validate the client id; the policy also populates the flow variables for client secret, app, developer etc. You can write a separate JavaScript to compare the client secret sent in the request to the one populated in the flow variable and raise a fault if they don't match. Will that work for you?

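One way to write the comparison script the accepted answer describes, as an added example that is not part of the original thread or Apigee's own code. It assumes the VerifyAPIKey policy is named `Verify-Client-Key`, that the client sends its secret as the form parameter `client_secret`, and that the result goes into a hypothetical flow variable `clientauth.failed`; `makeStubContext` is a constructed stand-in for Apigee's `context` object so the script also runs outside the proxy.

```javascript
// JavaScript policy body, placed after VerifyAPIKey in the token proxy flow.
var POLICY = 'Verify-Client-Key'; // assumed name of the VerifyAPIKey policy

// Flow variables may be null when a policy did not run; normalise to a string.
function toStr(v) {
  return v === null || v === undefined ? '' : String(v);
}

// Compare every character instead of stopping at the first mismatch, so the
// response time does not reveal how much of a guessed secret was correct.
function secretsMatch(presented, stored) {
  if (stored.length === 0) return false; // VerifyAPIKey did not populate it
  var diff = presented.length ^ stored.length;
  for (var i = 0; i < stored.length; i++) {
    diff |= stored.charCodeAt(i) ^ presented.charCodeAt(i % (presented.length || 1));
  }
  return diff === 0;
}

// Reads the secret VerifyAPIKey loaded for this client id and the secret the
// caller presented, then records the outcome for a later RaiseFault step.
function checkClientSecret(ctx) {
  var stored = toStr(ctx.getVariable('verifyapikey.' + POLICY + '.client_secret'));
  var presented = toStr(ctx.getVariable('request.formparam.client_secret'));
  var ok = secretsMatch(presented, stored);
  ctx.setVariable('clientauth.failed', !ok); // hypothetical variable name
  return ok;
}

// Constructed stub of the getVariable/setVariable interface, for local runs.
function makeStubContext(vars) {
  return {
    getVariable: function (n) { return vars.hasOwnProperty(n) ? vars[n] : null; },
    setVariable: function (n, v) { vars[n] = v; }
  };
}

// Inside Apigee the runtime supplies `context`; elsewhere this does nothing.
if (typeof context !== 'undefined') {
  checkClientSecret(context);
}
```

A RaiseFault step conditioned on `clientauth.failed` being true can then reject the request before the token-generating policy runs, so no token has to be issued and revoked.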

18 REPLIES