I created a proxy, a product and an App
and added the policies below in a conditional flow to do external authorization (from the backend) using the Apigee OAuth2 policy with the client credentials or password grant types.
Let me know how I can generate a token from Apigee that can be sent to the backend and works OK (this point is not clear to me, because the token generated by Apigee is not the same as the token from the backend).
2-
<BasicAuthentication name="BA-Encode-Credentials">
    <DisplayName>BA-Encode-Credentials</DisplayName>
    <Operation>Encode</Operation>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <User ref="request.header.username"/>
    <Password ref="request.header.password"/>
    <AssignTo createNew="false">request.header.Authorization</AssignTo>
</BasicAuthentication>
3-
<BasicAuthentication name="BA-Extract-User-Password">
    <DisplayName>BA-Extract-User-Password</DisplayName>
    <Operation>Decode</Operation>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <!-- <User ref="request.header.username"/> -->
    <User ref="request.header.username"/>
    <!-- <Password ref="request.header.password"/> -->
    <Password ref="request.header.password"/>
    <Source>request.header.Authorization</Source>
</BasicAuthentication>
4-
<AssignMessage name="Assign-Message-Set-Variables">
    <DisplayName>Assign Message 1</DisplayName>
    <FaultRules/>
    <Properties/>
    <AssignVariable>
        <Name>oauth_external_authorization_status</Name>
        <Value>true</Value>
    </AssignVariable>
    <AssignVariable>
        <Name>token</Name>
        <Value>token from service callout</Value>
    </AssignVariable>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
    <AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>
5-
<OAuthV2 name="OAuth-v20-Store-External-Token">
    <DisplayName>OAuth v2.0 1</DisplayName>
    <FaultRules/>
    <Properties/>
    <Attributes/>
    <ExternalAuthorization>true</ExternalAuthorization>
    <Operation>GenerateAccessToken</Operation>
    <SupportedGrantTypes>
        <!-- Optional -->
        <GrantType>client_credentials</GrantType>
    </SupportedGrantTypes>
    <ClientId>request.header.username</ClientId>
    <GenerateResponse enabled="true"/>
    <ExternalAccessToken>token</ExternalAccessToken>
    <StoreToken>true</StoreToken>
    <Tokens/>
</OAuthV2>
and the response is
Hi, thanks for the question.
The first policy configuration you showed, for the ExtractVariables policy, is a no-op. It doesn't do anything. You need to specify one of these child elements in the configuration to tell the ExtractVariables policy to extract from SOMETHING: URIPath, QueryParam, Header, FormParam, Variable, JSONPayload, XMLPayload. See the ExtractVariables policy documentation for more details.
There are a bunch of other things you are doing there, and I won't comment on everything.
But
If the invalid_client error is being generated by the OAuthV2 policy, then...I would think that request.header.username is not loaded with a valid client id, known by Apigee.
You can configure the OAuthV2 policy, with GenerateAccessToken, to ingest an externally-generated access token. That access token must be unique, and it must be associated to a valid client ID. Your configuration is saying "use the client id at request.header.username". IF that header does not include a client ID, then the OAuthV2 policy will fail and generate the error you're seeing.
This documentation page includes more details.
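As an added illustration of the first point in the answer (this is example configuration, not part of the original thread), here is an ExtractVariables policy that actually names a source. It assumes a preceding ServiceCallout stored the backend's token response in a flow variable called calloutResponse (assumed name) and that the backend returns JSON containing an access_token field (assumed shape).

```xml
<!-- Example added here, not from the original post.
     Assumes a ServiceCallout placed the backend reply in "calloutResponse"
     and that the reply is JSON with an "access_token" field. -->
<ExtractVariables name="EV-Extract-Backend-Token">
    <DisplayName>EV-Extract-Backend-Token</DisplayName>
    <!-- Read from the ServiceCallout response, not from the client request -->
    <Source clearPayload="false">calloutResponse</Source>
    <!-- Raise a fault if access_token is absent rather than continuing
         with an empty variable that the OAuthV2 policy cannot store -->
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <!-- With no VariablePrefix, the extracted value is written to the flow
         variable named "token", which is what
         <ExternalAccessToken>token</ExternalAccessToken> in policy 5 reads -->
    <JSONPayload>
        <Variable name="token">
            <JSONPath>$.access_token</JSONPath>
        </Variable>
    </JSONPayload>
</ExtractVariables>
```

This only covers the "extract from SOMETHING" part; the OAuthV2 policy's `<ClientId>` reference still has to resolve to a consumer key Apigee knows, otherwise the invalid_client error described above is still produced.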