Is it possible to generate an access token with only client id in password grant type?


Now, in order to generate an access token using the password grant type, I am sending the base64-encoded client credentials in the Authorization header along with the username and password in the body. Instead of sending the client credentials in the Authorization header, is it possible to send only the client id in a query parameter and generate an access token with the password grant type?


akoo
New Member

Hi @bibin_kurian,

To answer your question, yes, it's possible. You could use verifyApiKey policy to load client_secret in Apigee Edge. Then you could reconstruct the Basic Auth header using the client_id/secret to generate a token in a subsequent policy.

That said, I do not recommend this. The client_id is a public key; the process you describe does not offer much security on top of API key validation on its own. You're removing the client_secret requirement, which is critical for the OAuth v2 resource owner password credentials grant type (per spec). Furthermore, query parameters and URLs are often logged by systems (routers, LBs, etc.) -- better to use the header.

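An added example (not from the original post, and not Apigee's own policy code) showing, in Python, the request-side check behind the accepted answer: a password-grant token request should authenticate the client with a Basic Authorization header built from client_id and client_secret, and a client_id arriving alone in the query string should be rejected. The URL, client_id, secret and user values below are constructed placeholders.

```python
import base64
from urllib.parse import parse_qs, quote, unquote, urlsplit


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Build the RFC 6749 client-authentication header: form-urlencode each
    value, join with ':', then base64-encode (what Apigee's token endpoint expects)."""
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(creds.encode()).decode()


def parse_basic_auth(header: str):
    """Return (client_id, client_secret) from a Basic header, or None."""
    scheme, _, blob = header.partition(" ")
    if scheme != "Basic":
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode()
    except ValueError:  # bad base64 or non-UTF-8 payload
        return None
    client_id, sep, secret = decoded.partition(":")
    if not sep:
        return None
    return unquote(client_id), unquote(secret)


def check_password_grant_request(url: str, headers: dict, body: str):
    """Classify a token request; returns (accepted, reason).
    Rejects the pattern from the question: client_id alone in the query string."""
    query = parse_qs(urlsplit(url).query)
    form = parse_qs(body)
    if form.get("grant_type") != ["password"]:
        return False, "grant_type must be 'password'"
    if "client_id" in query or "client_secret" in query:
        # URLs end up in proxy, LB and router logs; never carry credentials there
        return False, "client credentials in query string"
    creds = parse_basic_auth(headers.get("Authorization", ""))
    if creds is None or not creds[1]:
        # A bare client_id proves nothing: it is public, only the secret
        # authenticates the client (the point the accepted answer makes)
        return False, "missing Basic client_id:client_secret authentication"
    missing = [f for f in ("username", "password") if f not in form]
    if missing:
        return False, "missing resource-owner field(s): " + ", ".join(missing)
    return True, "ok"
```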


@bibin_kurian ,

I am afraid you cannot. As per the Apigee docs here, you need to send the base64-encoded Authorization header, which includes both the client id and secret, along with the username/password.
