
Configuring a third party access token with apigee

I am trying to create an oauth2 endpoint in apigee that returns a token generated by a 3rd party IDP. I am following [1] to do this.

1. I created an oauth2 proxy with the policies below attached to its request in flow.

1.1 Service callout to generate token from external IDP

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ServiceCallout continueOnError="false" enabled="true" name="SC-generate-token-from-asgardeo">
  <DisplayName>SC-generate-token-from-IDP</DisplayName>
  <Properties/>
  <Request clearPayload="true" variable="myRequest">
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <Set>
      <Verb>POST</Verb>
      <FormParams>
        <FormParam name="client_id">XXXXXXXXX</FormParam>
        <FormParam name="client_secret">YYYYYYYYY</FormParam>
        <FormParam name="grant_type">client_credentials</FormParam>
      </FormParams>
    </Set>
  </Request>
  <Response>calloutResponse</Response>
  <HTTPTargetConnection>
    <Properties/>
    <URL>https://xxxxxxxx/token</URL>
  </HTTPTargetConnection>
</ServiceCallout>

1.2 Extract Variables policy to extract the token from the response

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ExtractVariables continueOnError="false" enabled="true" name="EV-extract-token">
  <DisplayName>EV-extract-token</DisplayName>
  <JSONPayload>
    <Variable name="idp_token">
      <JSONPath>$.access_token</JSONPath>
    </Variable>
  </JSONPayload>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
  <Source>calloutResponse</Source>
</ExtractVariables>

1.3 Assign Message policy to set oauth_external_authorization_status to true

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AssignMessage continueOnError="false" enabled="true" name="AM-assign-message">
  <DisplayName>AM-assign-message</DisplayName>
  <AssignVariable>
    <Name>oauth_external_authorization_status</Name>
    <Value>true</Value>
    <Ref/>
  </AssignVariable>
</AssignMessage>

1.4 Oauthv2 policy to generate and store the token from third party IDP.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 continueOnError="false" enabled="true" name="OAuthV2-oauth2">
  <DisplayName>OAuthV2-oauth2</DisplayName>
  <Attributes>
    <Attribute name="access_token" ref="idp_token"/>
  </Attributes>
  <ExpiresIn>1800000</ExpiresIn>
  <RefreshTokenExpiresIn>86400000</RefreshTokenExpiresIn>
  <ExternalAuthorization>true</ExternalAuthorization>
  <StoreToken>true</StoreToken>
  <ExternalAccessToken>access_token</ExternalAccessToken>
  <Operation>GenerateAccessToken</Operation>
  <SupportedGrantTypes>
    <GrantType>client_credentials</GrantType>
  </SupportedGrantTypes>
  <GenerateResponse enabled="true"/>
  <Tokens/>
</OAuthV2>

When I call this oauth2 proxy I can get the access token generated from the IDP. Then I created a mock API proxy and attached an OAuth2 verify access token policy to it.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 continueOnError="false" enabled="true" name="OAuthV2-verify-token">
  <DisplayName>OAuthV2-verify-token</DisplayName>
  <Operation>VerifyAccessToken</Operation>
  <AccessToken>{request.headers.Authorization}</AccessToken>
  <GenerateResponse enabled="true"/>
  <Tokens/>
</OAuthV2>

I am getting a 401 on invoking this mock API with the token I obtained from the above oauth2 proxy. Could you please help me to get this working?

[1]. https://cloud.google.com/apigee/docs/api-platform/security/oauth/use-third-party-oauth-system

1 ACCEPTED SOLUTION

Hello @test1123 , 

I recommend referencing the access_token generated by the third party system directly in the ExternalAccessToken attribute. In your example, the variable would be idp_token.

Additionally, I'd recommend changing the name of your custom attribute (if needed) in case you want to add additional information in the response. For example:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 continueOnError="false" enabled="true" name="OAuthV2-oauth2">
    <DisplayName>OAuthV2-oauth2</DisplayName>
    <Attributes>
        <Attribute name="my_custom_attribute" ref="idp_token"/>
    </Attributes>
    <ExpiresIn>1800000</ExpiresIn>
    <RefreshTokenExpiresIn>86400000</RefreshTokenExpiresIn>
    <ExternalAuthorization>true</ExternalAuthorization>
    <StoreToken>true</StoreToken>
    <ExternalAccessToken>idp_token</ExternalAccessToken>
    <Operation>GenerateAccessToken</Operation>
    <SupportedGrantTypes>
        <GrantType>client_credentials</GrantType>
    </SupportedGrantTypes>
    <GenerateResponse enabled="true"/>
    <Tokens/>
</OAuthV2>


You can also find a working example in this link.

Thank you!

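A small policy lint, added here as an example (not code from the original thread or from Apigee), that catches the misconfiguration the answer fixes: ExternalAccessToken naming a literal ("access_token") instead of the flow variable that ExtractVariables populated (idp_token). It also flags the hard-coded client credentials in the poster's ServiceCallout; the policy fragments are constructed from the thread, and the `{private.<name>}` variable convention it recommends is an assumption.

```python
import xml.etree.ElementTree as ET
# Constructed from the thread: the ExtractVariables policy that sets idp_token, the
# poster's OAuthV2 policy (literal "access_token") and the accepted fix (idp_token).
EXTRACT_XML = """<ExtractVariables name="EV-extract-token">
  <JSONPayload><Variable name="idp_token"><JSONPath>$.access_token</JSONPath></Variable></JSONPayload>
  <Source>calloutResponse</Source>
</ExtractVariables>"""
BROKEN_XML = """<OAuthV2 name="OAuthV2-oauth2">
  <ExternalAuthorization>true</ExternalAuthorization>
  <ExternalAccessToken>access_token</ExternalAccessToken>
  <Operation>GenerateAccessToken</Operation>
</OAuthV2>"""
FIXED_XML = BROKEN_XML.replace(">access_token<", ">idp_token<")
CALLOUT_XML = """<ServiceCallout name="SC-generate-token-from-IDP">
  <Request variable="myRequest"><Set><Verb>POST</Verb><FormParams>
    <FormParam name="client_id">XXXXXXXXX</FormParam>
    <FormParam name="client_secret">YYYYYYYYY</FormParam>
    <FormParam name="grant_type">client_credentials</FormParam>
  </FormParams></Set></Request>
</ServiceCallout>"""


def variables_set_by(extract_xml):
    """Names of the flow variables an ExtractVariables policy populates."""
    root = ET.fromstring(extract_xml)
    return {v.get("name") for v in root.iter("Variable") if v.get("name")}


def lint_oauthv2(policy_xml, known_vars):
    """Findings for a GenerateAccessToken policy that delegates to an external IdP."""
    root = ET.fromstring(policy_xml)
    findings = []
    if root.findtext("ExternalAuthorization", "false").strip().lower() != "true":
        return findings  # nothing external to check
    token_var = (root.findtext("ExternalAccessToken") or "").strip()
    if not token_var:
        findings.append("ExternalAuthorization=true but ExternalAccessToken is missing")
    elif token_var not in known_vars:
        # The poster's bug: a literal name rather than the variable holding the IdP token.
        findings.append(f"ExternalAccessToken '{token_var}' is not set by any policy; expected one of {sorted(known_vars)}")
    return findings


def lint_service_callout(callout_xml):
    """Flag client credentials written as literals instead of {variable} references."""
    root = ET.fromstring(callout_xml)
    findings = []
    for fp in root.iter("FormParam"):
        name, value = fp.get("name", ""), (fp.text or "").strip()
        if name in ("client_id", "client_secret") and not (value.startswith("{") and value.endswith("}")):
            # Assumed convention: load secrets from a KVM into private.* variables, which the trace masks.
            findings.append(f"FormParam {name} is a hard-coded literal; use {{private.{name}}}")
    return findings
```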


Thanks a lot. That worked.

Hi @test1123, we’re so glad to hear that @jadelgado's reply worked for you! If you have a moment, we’d really appreciate it if you could mark their reply as the accepted solution. This helps other community members easily find the right answer for similar issues.

Thanks for engaging with the community! Be sure to check out our latest articles and upcoming events; we'd love to keep you involved.