I have a proxy that provides 2 endpoints, one to generate access tokens using OAuthV2.GenerateAccessToken ("/accesstoken"), and the other to provide token attributes using GetOAuthV2Info.AccessToken ("/tokeninfo").
I also have 2 products, oauth-external and oauth-internal. oauth-external provides access to the proxy, but with the resource path set to "/accesstoken**", while oauth-internal provides access to the proxy, but without any resource path set. My understanding is that the resource path acts as a sort of restriction. So in this case, oauth-external will only allow calls to the "/accesstoken" endpoint.
I also have 2 applications, one that has access to oauth-external (ExternalApp), and the other to oauth-internal (InternalApp).
If I use ExternalApp to generate a token, I would expect InternalApp to be able to get the token attributes using the other endpoint. But I'm finding that GetOAuthV2Info.AccessToken will fail unless ExternalApp also has access to at least 1 product that has no resource path (restrictions) set. And it doesn't even have to be the other oauth product (oauth-internal). I can use a completely empty product that points to no proxies, as long as it doesn't have a resource path set. So in this case, I created a third product called empty-product with no proxies which I can add and remove to the ExternalApp.
One thing to note is that ExternalApp doesn't have to have access to empty-product at the time that the token is generated. Once the token is generated, adding empty-product to ExternalApp will allow InternalApp to get the token attributes as expected. Then removing empty-product from ExternalApp will cause the failure to start occurring again. And so on.
I haven't tried splitting the two endpoints into separate proxies yet. If I do that, I'm assuming I can remove the resource path from oauth-external, but I'm wondering if the behavior I'm seeing is valid or not.
I am using the continueOnError attribute and <IgnoreAccessTokenStatus> element with the GetOAuthV2Info call.
```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<GetOAuthV2Info continueOnError="true" name="OAuthV2.GetTokenAttributes">
    <AccessToken ref="request.formparam.token"/>
    <IgnoreAccessTokenStatus>true</IgnoreAccessTokenStatus>
</GetOAuthV2Info>
```
In the request from InternalApp, I'm passing the client_id and client_secret in both the headers and the form parameters (I've tried just about every combination of this that I can think of).
```shell
curl -X POST \
  http://myorg.apigee.net/myproxy/tokeninfo \
  -H 'client_id: <api-key>' \
  -H 'client_secret: <secret>' \
  -H 'content-type: application/x-www-form-urlencoded' \
  -d 'token=<token>&client_id=<api-key>&client_secret=<secret>'
```