I am trying to create an OAuth2 endpoint in Apigee that returns a token generated by a 3rd party IDP. I am following [1] to do this.
1. I created an OAuth2 proxy with the policies below attached to its request flow.
1.1 Service Callout to generate a token from the external IDP
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ServiceCallout continueOnError="false" enabled="true" name="SC-generate-token-from-asgardeo">
  <DisplayName>SC-generate-token-from-IDP</DisplayName>
  <Properties/>
  <Request clearPayload="true" variable="myRequest">
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <Set>
      <Verb>POST</Verb>
      <FormParams>
        <FormParam name="client_id">XXXXXXXXX</FormParam>
        <FormParam name="client_secret">YYYYYYYYY</FormParam>
        <FormParam name="grant_type">client_credentials</FormParam>
      </FormParams>
    </Set>
  </Request>
  <Response>calloutResponse</Response>
  <HTTPTargetConnection>
    <Properties/>
    <URL>https://xxxxxxxx/token</URL>
  </HTTPTargetConnection>
</ServiceCallout>
1.2 Extract Variables policy to extract the token from the response
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ExtractVariables continueOnError="false" enabled="true" name="EV-extract-token">
  <DisplayName>EV-extract-token</DisplayName>
  <JSONPayload>
    <Variable name="idp_token">
      <JSONPath>$.access_token</JSONPath>
    </Variable>
  </JSONPayload>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
  <Source>calloutResponse</Source>
</ExtractVariables>
1.3 Assign Message policy to set oauth_external_authorization_status to true
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AssignMessage continueOnError="false" enabled="true" name="AM-assign-message">
  <DisplayName>AM-assign-message</DisplayName>
  <AssignVariable>
    <Name>oauth_external_authorization_status</Name>
    <Value>true</Value>
    <Ref/>
  </AssignVariable>
</AssignMessage>
1.4 OAuthV2 policy to generate and store the token from the third party IDP.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 continueOnError="false" enabled="true" name="OAuthV2-oauth2">
  <DisplayName>OAuthV2-oauth2</DisplayName>
  <Attributes>
    <Attribute name="access_token" ref="idp_token"/>
  </Attributes>
  <ExpiresIn>1800000</ExpiresIn>
  <RefreshTokenExpiresIn>86400000</RefreshTokenExpiresIn>
  <ExternalAuthorization>true</ExternalAuthorization>
  <StoreToken>true</StoreToken>
  <ExternalAccessToken>access_token</ExternalAccessToken>
  <Operation>GenerateAccessToken</Operation>
  <SupportedGrantTypes>
    <GrantType>client_credentials</GrantType>
  </SupportedGrantTypes>
  <GenerateResponse enabled="true"/>
  <Tokens/>
</OAuthV2>
When I call this OAuth2 proxy I get the access token generated by the IDP. Then I created a mock API proxy and attached an OAuth2 VerifyAccessToken policy to it.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 continueOnError="false" enabled="true" name="OAuthV2-verify-token">
  <DisplayName>OAuthV2-verify-token</DisplayName>
  <Operation>VerifyAccessToken</Operation>
  <AccessToken>{request.headers.Authorization}</AccessToken>
  <GenerateResponse enabled="true"/>
  <Tokens/>
</OAuthV2>
I am getting a 401 on invoking this mock API with the token I obtained from the above OAuth2 proxy. Could you please help me to get this working?
[1]. https://cloud.google.com/apigee/docs/api-platform/security/oauth/use-third-party-oauth-system
Hello @test1123 ,
I recommend referencing the access_token generated by the third party system directly in the ExternalAccessToken attribute. In your example, the variable would be idp_token.
Additionally, I'd recommend changing the name of your custom attribute (if needed) in case you want to add additional information in the response. For example:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 continueOnError="false" enabled="true" name="OAuthV2-oauth2">
  <DisplayName>OAuthV2-oauth2</DisplayName>
  <Attributes>
    <Attribute name="my_custom_attribute" ref="idp_token"/>
  </Attributes>
  <ExpiresIn>1800000</ExpiresIn>
  <RefreshTokenExpiresIn>86400000</RefreshTokenExpiresIn>
  <ExternalAuthorization>true</ExternalAuthorization>
  <StoreToken>true</StoreToken>
  <ExternalAccessToken>idp_token</ExternalAccessToken>
  <Operation>GenerateAccessToken</Operation>
  <SupportedGrantTypes>
    <GrantType>client_credentials</GrantType>
  </SupportedGrantTypes>
  <GenerateResponse enabled="true"/>
  <Tokens/>
</OAuthV2>
You can also find a working example in this link.
Thank you!
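As an added example (not from the original post, the accepted answer, or Google's docs), this is one way to wire the policies from steps 1.1 to 1.4, with the corrected OAuthV2-oauth2 policy, into the proxy's request flow so that Apigee only mints a token after the IdP callout returned 200, and so the IdP client secret is read from an encrypted KVM into a private.* variable (masked in Trace) instead of being written into the ServiceCallout. The policy names match the question; RF-idp-token-failed, KVM-get-idp-secret, the map name idp-credentials and the /oauth2 base path are assumptions.

```xml
<!-- proxies/default.xml (added example; step names from the question, other names assumed) -->
<ProxyEndpoint name="default">
  <PreFlow name="PreFlow"><Request/><Response/></PreFlow>
  <Flows>
    <Flow name="GenerateAccessToken">
      <Condition>(proxy.pathsuffix MatchesPath "/token") and (request.verb = "POST")</Condition>
      <Request>
        <!-- read the IdP client secret from the KVM into private.idp_client_secret -->
        <Step><Name>KVM-get-idp-secret</Name></Step>
        <!-- 1.1 call the IdP token endpoint; response lands in calloutResponse -->
        <Step><Name>SC-generate-token-from-asgardeo</Name></Step>
        <!-- fail closed: no Apigee token if the IdP did not answer 200 -->
        <Step>
          <Name>RF-idp-token-failed</Name>
          <Condition>calloutResponse.status.code != 200</Condition>
        </Step>
        <!-- 1.2 idp_token := $.access_token of calloutResponse -->
        <Step><Name>EV-extract-token</Name></Step>
        <!-- 1.3 oauth_external_authorization_status := true -->
        <Step><Name>AM-assign-message</Name></Step>
        <!-- 1.4 store idp_token (ExternalAccessToken = idp_token) and return it -->
        <Step><Name>OAuthV2-oauth2</Name></Step>
      </Request>
      <Response/>
    </Flow>
  </Flows>
  <HTTPProxyConnection><BasePath>/oauth2</BasePath></HTTPProxyConnection>
  <RouteRule name="noroute"/>
</ProxyEndpoint>

<!-- policies/KVM-get-idp-secret.xml: encrypted map "idp-credentials", key "client_secret" (assumed) -->
<KeyValueMapOperations name="KVM-get-idp-secret" mapIdentifier="idp-credentials">
  <Scope>environment</Scope>
  <Get assignTo="private.idp_client_secret">
    <Key><Parameter>client_secret</Parameter></Key>
  </Get>
</KeyValueMapOperations>

<!-- policies/RF-idp-token-failed.xml: report the upstream failure instead of storing an empty token -->
<RaiseFault name="RF-idp-token-failed">
  <FaultResponse>
    <Set>
      <StatusCode>502</StatusCode>
      <ReasonPhrase>Bad Gateway</ReasonPhrase>
      <!-- @...# as variable delimiters so the JSON braces are left alone -->
      <Payload contentType="application/json" variablePrefix="@" variableSuffix="#">{"error":"server_error","error_description":"IdP token request failed with status @calloutResponse.status.code#"}</Payload>
    </Set>
  </FaultResponse>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</RaiseFault>
```

With the KVM step in place, the ServiceCallout's form parameter becomes `<FormParam name="client_secret">{private.idp_client_secret}</FormParam>` rather than the literal secret.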
Thanks a lot. That worked.
Hi @test1123, we’re so glad to hear that @jadelgado's reply worked for you! If you have a moment, we’d really appreciate it if you could mark their reply as the accepted solution. This helps other community members easily find the right answer for similar issues.
Thanks for engaging with the community! Be sure to check out our latest articles and upcoming events; we'd love to keep you involved.