Gen CC token fails after ValidateKey succeeds

I have the following GenToken policy that fails just after the client_id has been validated successfully by a ValidateKey step

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="OAuth-v20-genClientToken">
	<DisplayName>OAuth v2.0-genClientToken</DisplayName>
	<GenerateResponse enabled="false"/>
</OAuthV2>

I am not clear what could even cause this to happen.

Any help/pointers would be greatly appreciated.



Hey @terrancedavid

If you could expand on what the error message is, it will be easier to trace the issue.

I would examine whether grant type is indeed being passed correctly.
GenerateAccessToken is fussy in this regard, insisting on obtaining the grant_type from a variable. You could insist the users pass this or use an AssignMessage policy to hardcode the parameter value.


However ....

Assuming the error you are getting is :

{"ErrorCode" : "invalid_client", "Error" :"Client identifier is required"}

then the reason is likely to be that you have not provided the Authorization header.

The policy does not reference the client ID from the <ClientId> tag.

It expects an Authorization header of 'Basic {base64Encoded clientID :clientSecret}'

Update: You can also POST client_id and client_secret as form parameters in the body, e.g.

I am including two policies that would allow you to generate this on behalf of the caller, but I must point out that in doing this you are bypassing the security provided when you require the user to pass both clientID and clientSecret.

1. verifyKey

<VerifyAPIKey async="false" continueOnError="false" enabled="true" name="tryVerifyAPIkey">
    <!-- Reads the consumer key from the client_id query parameter; on success the
         policy populates verifyapikey.tryVerifyAPIkey.* variables, including client_secret -->
    <APIKey ref="request.queryparam.client_id"/>
</VerifyAPIKey>

2. Build a header using verifyKey details

<BasicAuthentication async="false" continueOnError="false" enabled="true" name="BABuildAuthHeader">
    <!-- Encode is the operation that builds (rather than decodes) the Basic header -->
    <Operation>Encode</Operation>
    <User ref="request.queryparam.client_id"/>
    <Password ref="verifyapikey.tryVerifyAPIkey.client_secret"/>
    <AssignTo createNew="false">request.header.Authorization</AssignTo>
</BasicAuthentication>

3. Generate the token.

    <DisplayName>OAuth v2.0-genClientToken</DisplayName>

Hope this helps.
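The behaviour described in this answer, as an added example that is not part of the original thread or of Apigee's own code: a small Python model of a client_credentials token endpoint that resolves the client from a Basic Authorization header first and from form parameters second, and returns the quoted "Client identifier is required" error when neither is present. The credentials, the app store and every error body other than the quoted one are constructed for illustration; the other error codes follow RFC 6749.

```python
import base64
import binascii
import hmac
import secrets

# Constructed sample app credentials and developer-app store (not real keys).
CLIENT_ID = "abc123-app-key"
CLIENT_SECRET = "s3cr3t-value"
APP_STORE = {CLIENT_ID: CLIENT_SECRET}

def build_basic_auth_header(client_id, client_secret):
    """Build what the BasicAuthentication policy (Operation=Encode) writes into
    request.header.Authorization: 'Basic ' + base64(client_id:client_secret)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def extract_client_credentials(headers, form):
    """Resolve the client the way the token endpoint does: a Basic Authorization
    header takes precedence; otherwise fall back to client_id/client_secret form params."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            decoded = base64.b64decode(auth[6:], validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return None, None  # malformed header: treat as no client supplied
        client_id, sep, client_secret = decoded.partition(":")
        return (client_id, client_secret) if sep else (None, None)
    return form.get("client_id"), form.get("client_secret")

def token_request(headers, form):
    """Simplified GenerateAccessToken for the client_credentials grant. The
    invalid_client message is the one quoted in the answer; the remaining
    error bodies are illustrative and use RFC 6749 error codes."""
    client_id, client_secret = extract_client_credentials(headers, form)
    if not client_id:
        return {"ErrorCode": "invalid_client", "Error": "Client identifier is required"}
    # grant_type must arrive as a request variable, here a form parameter.
    if form.get("grant_type") != "client_credentials":
        return {"ErrorCode": "unsupported_grant_type", "Error": "grant_type must be client_credentials"}
    expected = APP_STORE.get(client_id)
    # Constant-time compare so a wrong secret does not leak timing information.
    if expected is None or not hmac.compare_digest(expected.encode(), (client_secret or "").encode()):
        return {"ErrorCode": "invalid_client", "Error": "Client credentials are invalid"}
    return {"access_token": secrets.token_urlsafe(24), "token_type": "BearerToken", "expires_in": 3600}

if __name__ == "__main__":
    print(token_request({}, {"grant_type": "client_credentials"}))  # the error from the thread
    hdr = build_basic_auth_header(CLIENT_ID, CLIENT_SECRET)
    print(token_request({"Authorization": hdr}, {"grant_type": "client_credentials"}))
```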