Custom Attributes when Display=False - VerifyToken does not pick them up

Hi there,

I am using the Authorization Code flow.

Endpoints

  • authorize - redirects to my login page
    • (Verify Key + 302 redirect via Raise Fault)
  • code - my login page calls this to create an auth code against a set of claims (Attributes)
    • Apigee generates an Authorisation Code and 302's to the redirect_uri with the AuthCode
      • oAuthV2Policy - GenerateAuthorizationCode Operation
  • token - the third party calls this with the AuthCode and gets tokens
    • oAuthV2 policy - GenerateAccessTokens Operation

Everything works fine, till I want to hide my claims (Custom Attributes) in the Token Response.

I am using

<OAuthV2 async="false" continueOnError="false" enabled="true" name="OAuth-v20-1">
    <DisplayName>GenerateToken</DisplayName>
    <Operation>GenerateAccessToken</Operation>
    <Attributes>
        <Attribute name="myClaim1" display="false"/>
        ....
    </Attributes>
    ...
    <GenerateResponse enabled="true"/>
    <Tokens/>
</OAuthV2>


The result in Postman is that my custom attributes are indeed hidden as I get my Access Tokens.

However, when I try to consume a resource, the VerifyAccessToken policy verifies the token, but my custom attributes are unavailable!

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="verify-oauth-v2-access-token">
    <DisplayName>Verify OAuth v2.0 Access Token</DisplayName>
    <Operation>VerifyAccessToken</Operation>
</OAuthV2>


I then try to read my claims out in the Pre Flow of the Target Endpoint

 var myClaim1 = context.getVariable("accesstoken.myClaim1");

Nothing is returned.

If I stop hiding my claims (or custom attributes) then it works fine and I am able to see my claim as a variable of the accessToken in the PreFlow of the Target Endpoint.

Wondering if someone is able to assist in either replicating the issue / directing me where I am going wrong.

P.S:

The above approach of

  • embedding claims as attributes
  • hiding them on token generation / refresh
  • and reading them on Target Endpoint Preflow

was working with a Password Flow but is not with the Authorization Flow. The difference being that the custom attributes were being embedded and set to display false previously with the GenerateAccessTokens Operation.
