Configuring a third party access token with apigee

I am trying to create an oauth2 endpoint in apigee that returns a token generated by a 3rd party IDP. I am following [1] to do this.

1. I created an oauth2 proxy with the below policies attached to its request flow.

1.1 Service callout to generate token from external IDP

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ServiceCallout continueOnError="false" enabled="true" name="SC-generate-token-from-asgardeo">
  <DisplayName>SC-generate-token-from-IDP</DisplayName>
  <Properties/>
  <Request clearPayload="true" variable="myRequest">
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <Set>
      <Verb>POST</Verb>
      <FormParams>
        <FormParam name="client_id">XXXXXXXXX</FormParam>
        <FormParam name="client_secret">YYYYYYYYY</FormParam>
        <FormParam name="grant_type">client_credentials</FormParam>
      </FormParams>
    </Set>
  </Request>
  <Response>calloutResponse</Response>
  <HTTPTargetConnection>
    <Properties/>
    <URL>https://xxxxxxxx/token</URL>
  </HTTPTargetConnection>
</ServiceCallout>

1.2 Extract Variables policy to extract the token from the response

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ExtractVariables continueOnError="false" enabled="true" name="EV-extract-token">
  <DisplayName>EV-extract-token</DisplayName>
  <JSONPayload>
    <Variable name="idp_token">
      <JSONPath>$.access_token</JSONPath>
    </Variable>
  </JSONPayload>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
  <Source>calloutResponse</Source>
</ExtractVariables>

1.3 Assign Message policy to set oauth_external_authorization_status to true

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AssignMessage continueOnError="false" enabled="true" name="AM-assign-message">
  <DisplayName>AM-assign-message</DisplayName>
  <AssignVariable>
    <Name>oauth_external_authorization_status</Name>
    <Value>true</Value>
    <Ref/>
  </AssignVariable>
</AssignMessage>

1.4 OAuthV2 policy to generate and store the token from the third party IDP.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 continueOnError="false" enabled="true" name="OAuthV2-oauth2">
  <DisplayName>OAuthV2-oauth2</DisplayName>
  <Attributes>
    <Attribute name="access_token" ref="idp_token"/>
  </Attributes>
  <ExpiresIn>1800000</ExpiresIn>
  <RefreshTokenExpiresIn>86400000</RefreshTokenExpiresIn>
  <ExternalAuthorization>true</ExternalAuthorization>
  <StoreToken>true</StoreToken>
  <ExternalAccessToken>access_token</ExternalAccessToken>
  <Operation>GenerateAccessToken</Operation>
  <SupportedGrantTypes>
    <GrantType>client_credentials</GrantType>
  </SupportedGrantTypes>
  <GenerateResponse enabled="true"/>
  <Tokens/>
</OAuthV2>

When I call this oauth2 proxy I can get the access token generated from the IDP. Then I have created a mock API proxy and attached an OAuth2 verify access token policy to it.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 continueOnError="false" enabled="true" name="OAuthV2-verify-token">
  <DisplayName>OAuthV2-verify-token</DisplayName>
  <Operation>VerifyAccessToken</Operation>
  <AccessToken>{request.headers.Authorization}</AccessToken>
  <GenerateResponse enabled="true"/>
  <Tokens/>
</OAuthV2>

I am getting a 401 on invoking this mock API with the token I obtained from the above oauth2 proxy. Could you please help me to get this working?

[1] https://cloud.google.com/apigee/docs/api-platform/security/oauth/use-third-party-oauth-system

ACCEPTED SOLUTION

Hello @test1123,

I recommend referencing the access_token generated by the third party system directly in the ExternalAccessToken attribute. In your example, the variable would be idp_token.

Additionally, I'd recommend changing the name of your custom attribute (if needed) in case you want to add additional information in the response. For example:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 continueOnError="false" enabled="true" name="OAuthV2-oauth2">
    <DisplayName>OAuthV2-oauth2</DisplayName>
    <Attributes>
        <Attribute name="my_custom_attribute" ref="idp_token"/>
    </Attributes>
    <ExpiresIn>1800000</ExpiresIn>
    <RefreshTokenExpiresIn>86400000</RefreshTokenExpiresIn>
    <ExternalAuthorization>true</ExternalAuthorization>
    <StoreToken>true</StoreToken>
    <ExternalAccessToken>idp_token</ExternalAccessToken>
    <Operation>GenerateAccessToken</Operation>
    <SupportedGrantTypes>
        <GrantType>client_credentials</GrantType>
    </SupportedGrantTypes>
    <GenerateResponse enabled="true"/>
    <Tokens/>
</OAuthV2>

You can also find a working example in this link.

Thank you!
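As an added smoke test (not code from either post), the Python below drives the two proxies from a client's point of view, minting a token through the oauth2 proxy and presenting it to the mock proxy, and maps the outcome onto the symptoms in this thread; the host, base paths and credential values are placeholders, and the 401 interpretation follows the accepted answer's fix.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

APIGEE_BASE = "https://APIGEE-HOST-PLACEHOLDER"  # placeholder, not from the thread
TOKEN_PATH = "/oauth2/token"                     # assumed base path of the oauth2 proxy
MOCK_PATH = "/mock"                              # assumed base path of the mock proxy
EXPIRES_IN_MS = 1800000                          # <ExpiresIn> from the policy, milliseconds


def call(method, url, headers=None, body=None):
    """Return (status, decoded JSON or None); HTTP errors are returned, not raised."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        return err.code, None
    except urllib.error.URLError:
        return None, None  # host unreachable, e.g. placeholder still in place


def diagnose(token_status, token_json, api_status):
    """Map what a client can observe onto the failure modes discussed in the thread."""
    if token_status != 200 or not token_json or "access_token" not in token_json:
        return "token proxy failed: ServiceCallout/ExtractVariables did not yield idp_token"
    if int(token_json.get("expires_in", 0)) > EXPIRES_IN_MS // 1000:
        return "expires_in (seconds) exceeds the policy's ExpiresIn (milliseconds)"
    if api_status == 401:
        return ("mock API returned 401: VerifyAccessToken did not find the token in the "
                "store; make ExternalAccessToken reference idp_token")
    if api_status == 200:
        return "ok: the IDP token was stored by Apigee and verified by the mock proxy"
    return "unexpected mock API status: %s" % api_status


def smoke_test(client_id, client_secret):
    """Mint a token through the oauth2 proxy, then call the mock proxy with it."""
    form = urllib.parse.urlencode({"grant_type": "client_credentials", "client_id": client_id,
                                   "client_secret": client_secret}).encode()
    token_status, token_json = call("POST", APIGEE_BASE + TOKEN_PATH,
                                    {"Content-Type": "application/x-www-form-urlencoded"}, form)
    api_status = None
    if token_status == 200 and token_json and "access_token" in token_json:
        api_status, _ = call("GET", APIGEE_BASE + MOCK_PATH,
                             {"Authorization": "Bearer " + token_json["access_token"]})
    return diagnose(token_status, token_json, api_status)
```

Run `smoke_test(client_id, client_secret)` against a deployed pair of proxies; with the original `<ExternalAccessToken>access_token</ExternalAccessToken>` it reports the 401 branch, and with the corrected `idp_token` reference it reports ok.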