Solved: OAuth 2.0 policy is not verifying the access token... - Page 2

khanmohsin3011- · 10-16-2017 02:55 AM

https://community.apigee.com/questions/3138/cors-policy-in-my-api-proxy-when-using-oauth-20.html

As I came across Above thread can someone please help me to solve the issue I am facing right now, if the apigee API is call from web this generates the CROS issue which is handled in Proxy as told by @Barahalikar Siddharth

My requirement is that I need to pass the Token in from of Header not on query parameter which apigee is accepting right now. If I pass through the access_token in Header its fails and gives 500 server error.

Since the browser generates the CROS issue and OptionPreFlight request doesn't validate this API request. And If I pass the same access_token in query parameter then this gives me success 200OK. @Dino @Anil Sagar @kbouwmeester @Maruti Chand @Zhongli Wu @JennyB can you guide me to solve this problem would be really helpful.

naseerm

Hi Mohsin,

Seems like when the preflight OPTIONS HTTP verb call is invoked by the trusted agent, the OAuthV2 policy is being invoked on Apigee. That shows that the conditional to CORS policy is not in effect.

In other words OAuthV2 policy should not be invoked for OPTIONS (preflight) calls. This can be done with a conditional like this:

<Condition>request.verb == "OPTIONS" AND request.header.origin != null AND request.header.origin != null AND request.header.Access-Control-Request-Method != null</Condition>

Refer the https://docs.apigee.com/api-services/content/adding-cors-support-api-proxy for more details:

Hope that solves it.

Thanks

Naseer

View solution in original post

OAuth 2.0 policy is not verifying the access token when CORS issue occur from the browser to access the apigee api