I have a login service that takes a username and password and calls an external system for authentication. On successful authentication I call the OAuth generate access token operation to generate an access token and send it to the app. This access token is then used for other services.
If 2 users from 2 different mobile apps log in with their own userid and password, they get their respective access_token.
The OAuth token is not tied to the userId for which it is generated. User2-specific transactions can be triggered using the access token generated for user1.
How do I mitigate this issue and make sure the OAuth token is used only on transactions that are generated for that specific user?
Hey Prathip,
It sounds like you may be using the password grant workflow. Aside from verifying the API key/secret before authenticating with your external system, you may want to store an identifying piece of information, such as the userid, as a custom attribute in the OAuth token.
If your backend doesn't perform any sort of identification, then you could add that validation into Edge. The workflow would look something like this:
For reference, here's some documentation around using the password grant workflow:
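One way to wire this up in Edge, as an added example rather than the answer's own configuration: the userid is written into the token at generation time, read back from the token on every transaction call, and compared against the user the request targets. The policy names, the `/users/{uid}/transactions` path pattern and the 3600000 ms token lifetime are assumptions.

```xml
<!-- 1. Token generation: bind the authenticated user to the token (policy name assumed) -->
<OAuthV2 name="GenerateUserToken">
  <Operation>GenerateAccessToken</Operation>
  <ExpiresIn>3600000</ExpiresIn>
  <SupportedGrantTypes>
    <GrantType>password</GrantType>
  </SupportedGrantTypes>
  <GrantType>request.formparam.grant_type</GrantType>
  <!-- userid is stored as a custom attribute; display="true" echoes it in the token response -->
  <Attributes>
    <Attribute name="userid" ref="request.formparam.username" display="true"/>
  </Attributes>
  <GenerateResponse enabled="true"/>
</OAuthV2>

<!-- 2. Token verification on the transaction proxy; on success Edge populates accesstoken.userid -->
<OAuthV2 name="VerifyUserToken">
  <Operation>VerifyAccessToken</Operation>
</OAuthV2>

<!-- 3. Pull the target user id out of the request path (pattern assumed) into the variable "uid" -->
<ExtractVariables name="ExtractTargetUser">
  <URIPath>
    <Pattern>/users/{uid}/transactions</Pattern>
  </URIPath>
</ExtractVariables>

<!-- 4. Fault returned when the token's owner is not the user the transaction targets -->
<RaiseFault name="RejectUserMismatch">
  <FaultResponse>
    <Set>
      <StatusCode>403</StatusCode>
      <ReasonPhrase>Forbidden</ReasonPhrase>
      <Payload contentType="application/json">{"error":"token not issued for this user"}</Payload>
    </Set>
  </FaultResponse>
</RaiseFault>

<!-- 5. Proxy endpoint PreFlow: verify, extract, then reject only when the ids differ -->
<PreFlow name="PreFlow">
  <Request>
    <Step><Name>VerifyUserToken</Name></Step>
    <Step><Name>ExtractTargetUser</Name></Step>
    <Step>
      <Name>RejectUserMismatch</Name>
      <Condition>(accesstoken.userid != uid)</Condition>
    </Step>
  </Request>
</PreFlow>
```

Because the comparison uses the identity Edge read from the verified token, not anything the client sends, user1's token cannot drive a transaction under /users/user2/..., and the backend can additionally be handed accesstoken.userid instead of a client-supplied id.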