
Client Identifier with OAuth External Authorization


I have the following OAuthV2.0 GenerateAccessToken policy (which is attached to the response of the proxy endpoint flow, because I get a JWT back from the target endpoint; I then validate and verify the JWT, and I'm now trying to store it in an Apigee token):

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="OAuthGenerateToken">
    <DisplayName>OAuth.GenerateToken</DisplayName>
    <Attributes/>
    <ClientId>response.header.client_id</ClientId>
    <ExternalAccessToken>oauth.access_token</ExternalAccessToken>
    <ExternalAuthorization>true</ExternalAuthorization>
    <Operation>GenerateAccessToken</Operation>
    <SupportedGrantTypes>
        <GrantType>client_credentials</GrantType>
    </SupportedGrantTypes>
    <GrantType>client_credentials</GrantType>
    <GenerateResponse enabled="true">
        <Format>FORM_PARAM</Format>
    </GenerateResponse>
    <ReuseRefreshToken>false</ReuseRefreshToken>
    <StoreToken>true</StoreToken>
    <Tokens/>
</OAuthV2>

What I can't figure out is why this policy still generates this error:

{"ErrorCode":"invalid_client","Error":"Client identifier is required"}

In this case response.header.client_id is populated with a valid value (it shows up as being read in the trace), but it seems that the policy isn't using the ClientId element for the check that is associated with the error (I've tried various other flow variables as well, and none seem to work).

The only way I can get rid of the above error is to use this policy on the request flow and have the request be x-www-form-urlencoded with a form param named "client_id" (which has the same value that I now have in response.header.client_id). My understanding is that I can use the ClientId element to override this default location, but so far I have been unsuccessful.

Any help is appreciated, Thanks!

Solved
1 ACCEPTED SOLUTION

@GuyH,

As mentioned to you over email, you need to do the following.

  • Have the AssignMessage policy "SetFormParamClientID" in the request flow (and not in the response flow), because you are setting request.formparam.client_id.
  • You need to set the Consumer Key associated with the DeveloperApp (corresponding to the Product associated with your API Proxy), and not the username (email ID), as the grant_type is set to "client_credentials" in the OAuthV2.0 policy "StoreToken".
  • In addition, you need to set the grant_type in the AssignMessage policy "SetFormParamClientID".

This should help you to resolve the problem.

Regards,

Amar

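The three points in the accepted answer, worked into policy configuration as an added example (this is not code from the thread, nor from Apigee's own samples). It assumes that the caller presents its developer app's consumer key in an X-Client-Id request header, that a step named VerifyTargetJWT verifies the JWT returned by the target and leaves the token in oauth.access_token, and that the proxy's base path is /token; all three are placeholders chosen for this example. The security-relevant point: with ExternalAuthorization set to true, Apigee relies on the external verification for the client's credentials, so the OAuthV2 step must only run after that verification has succeeded, and the value that lands in request.formparam.client_id must be the consumer key of a developer app whose API product includes this proxy, or Apigee still answers with invalid_client.

```xml
<!-- File 1: policies/SetFormParamClientID.xml (added example, not from the thread).
     Runs in the ProxyEndpoint request flow, so the form parameters are already on
     the request message when OAuthGenerateToken reads request.formparam.client_id
     and request.formparam.grant_type in the response flow. -->
<AssignMessage async="false" continueOnError="false" enabled="true" name="SetFormParamClientID">
    <DisplayName>SetFormParamClientID</DisplayName>
    <Set>
        <Headers>
            <!-- Form parameters are only meaningful on a form-encoded body. -->
            <Header name="Content-Type">application/x-www-form-urlencoded</Header>
        </Headers>
        <FormParams>
            <!-- ASSUMPTION: the caller sends its developer app's consumer key in
                 X-Client-Id. Substitute whatever variable holds the consumer key in
                 your deployment; it must be a key Apigee knows, not a user name. -->
            <FormParam name="client_id">{request.header.X-Client-Id}</FormParam>
            <!-- Must be one of the values listed under SupportedGrantTypes. -->
            <FormParam name="grant_type">client_credentials</FormParam>
        </FormParams>
    </Set>
    <!-- Fail the flow instead of silently leaving client_id empty when the header is absent. -->
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>

<!-- File 2: policies/OAuthGenerateToken.xml, the original policy with the
     elements that depend on the form parameters left at their defaults. -->
<OAuthV2 async="false" continueOnError="false" enabled="true" name="OAuthGenerateToken">
    <DisplayName>OAuth.GenerateToken</DisplayName>
    <Operation>GenerateAccessToken</Operation>
    <SupportedGrantTypes>
        <GrantType>client_credentials</GrantType>
    </SupportedGrantTypes>
    <!-- GrantType names the variable the grant type is read from; this is the
         default location, which SetFormParamClientID fills. -->
    <GrantType>request.formparam.grant_type</GrantType>
    <!-- Apigee does not check the client secret itself here; the JWT verified by
         VerifyTargetJWT (assumed step) is the credential being trusted. -->
    <ExternalAuthorization>true</ExternalAuthorization>
    <!-- ASSUMPTION: VerifyTargetJWT stores the verified external token here. -->
    <ExternalAccessToken>oauth.access_token</ExternalAccessToken>
    <GenerateResponse enabled="true">
        <Format>FORM_PARAM</Format>
    </GenerateResponse>
    <StoreToken>true</StoreToken>
</OAuthV2>

<!-- File 3: proxies/default.xml, flow excerpt. The AssignMessage step sits in the
     request PreFlow; token generation stays in the response flow and only after
     the target's JWT has been verified. -->
<ProxyEndpoint name="default">
    <PreFlow name="PreFlow">
        <Request>
            <Step><Name>SetFormParamClientID</Name></Step>
        </Request>
    </PreFlow>
    <PostFlow name="PostFlow">
        <Response>
            <Step><Name>VerifyTargetJWT</Name></Step>
            <Step><Name>OAuthGenerateToken</Name></Step>
        </Response>
    </PostFlow>
    <HTTPProxyConnection>
        <BasePath>/token</BasePath>
    </HTTPProxyConnection>
    <RouteRule name="default">
        <TargetEndpoint>default</TargetEndpoint>
    </RouteRule>
</ProxyEndpoint>
```

One detail worth checking against the policy posted in the question: in OAuthV2, `<GrantType>` names the flow variable the grant type is read from (default request.formparam.grant_type), while `<SupportedGrantTypes>` lists the permitted values. A literal client_credentials inside `<GrantType>` therefore points the policy at a variable that does not exist, so once the client_id error is gone the grant type lookup is the next thing to verify in the trace.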
