
OAuth Scope defined in OAuth Policy

I am working on an OAuth implementation where one scope is assigned to the access-token by the OAuth GenerateAccessToken policy. Therefore, I have added three scopes to the API product:

AUTH1, AUTH2, AUTH3

I have added the following XML to the OAuth GenerateAccessToken policy; this should be one of the scopes from the API Product:

<Scope>AUTH2</Scope>

Now, my issue is that the generated access token response does contain all scopes as defined by the API Product:

"scope": "AUTH2 AUTH3 AUTH1"

I expected it to only contain the one Scope as described by the GenerateAccessToken OAuth policy.

Am I doing something wrong here?

1 ACCEPTED SOLUTION

The OAuthV2 policy with Operation=GenerateAccessToken needs a variable name (typically: request.queryparam.scope) that the calling app supplies.

<OAuthV2 name="OAuth.GenerateAccessToken" enabled="true">
    <Operation>GenerateAccessToken</Operation>
    <GenerateResponse enabled="false"/>
    <SupportedGrantTypes>
        <GrantType>client_credentials</GrantType>
    </SupportedGrantTypes>
    <Scope>request.queryparam.scope</Scope>
</OAuthV2>

At runtime, Apigee Edge then

  • resolves the variable to a value. This is expected to be a space separated list of scopes.
  • generates an access token with a scope set that is the intersection of the supplied space-separated scope values and all scopes defined in ALL the apiProducts for which the calling app is registered.

I suspect you are calling the API without the requested scope, in which case Edge generates the token with ALL scopes from the apiProducts for which the app is registered.

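The scope resolution the accepted answer describes, written out as a small Python model. This is an added illustration, not Apigee code and not the answerer's: it reproduces only the two rules stated above (a supplied, space-separated scope list is intersected with the union of scopes across all API products the app is registered for; a missing scope value yields every product scope), and adds a helper that reports how many scopes a token would receive beyond what the app asked for, which is the over-grant the question observed. The product name and the `resolve_scope` / `check_least_privilege` function names are assumptions; the scope names are the question's own.

```python
"""Model of the Apigee Edge OAuthV2 GenerateAccessToken scope resolution
described in the accepted answer.  Added illustration, not Apigee code.
It implements exactly the two rules the answer states; the product name
below is constructed sample data."""

from typing import Dict, List, Optional


def resolve_scope(requested: Optional[str],
                  product_scopes: Dict[str, List[str]]) -> List[str]:
    """Return the scope list that would appear in the token's "scope" field.

    requested      -- raw value the <Scope> variable resolves to (for example
                      request.queryparam.scope); None or "" when the calling
                      app sent no scope at all.
    product_scopes -- scopes declared on each API product the app is
                      registered for (assumed shape: name -> list of scopes).
    """
    # Union of scopes across ALL products the app is registered for,
    # keeping first-seen order so results are deterministic.
    allowed: List[str] = []
    for scopes in product_scopes.values():
        for s in scopes:
            if s not in allowed:
                allowed.append(s)

    # Rule 2 from the answer: no scope supplied -> token carries every scope.
    if not requested or not requested.strip():
        return allowed

    # Rule 1: intersect the space-separated request with the allowed set,
    # preserving the order in which the app asked for them.  Scopes that no
    # product defines simply fall out of the intersection.
    wanted = requested.split()
    return [s for s in wanted if s in allowed]


def check_least_privilege(requested: Optional[str],
                          product_scopes: Dict[str, List[str]]) -> List[str]:
    """Return the scopes a token would receive that the app did not ask for.

    An empty result means the request is scoped as tightly as the product
    allows; a non-empty result is the over-grant reported in the question.
    """
    granted = resolve_scope(requested, product_scopes)
    wanted = set(requested.split()) if requested else set()
    return [s for s in granted if s not in wanted]


# Constructed sample: one API product exposing the three scopes from the question.
PRODUCTS = {"sample-product": ["AUTH1", "AUTH2", "AUTH3"]}

if __name__ == "__main__":
    # App omits the scope parameter: all three scopes come back (the symptom).
    print(resolve_scope(None, PRODUCTS))
    # App requests exactly one scope: only that one is granted.
    print(resolve_scope("AUTH2", PRODUCTS))
    # App requests a scope the products do not define: it is dropped.
    print(resolve_scope("AUTH2 UNDEFINED_SCOPE", PRODUCTS))
    # How much more than it asked for would the app receive?
    print(check_least_privilege(None, PRODUCTS))
```

Running `check_least_privilege(None, PRODUCTS)` returns all three scopes, which is the over-grant in the question; the fix on the client side is to always send the minimal `scope` value, and on the policy side to point `<Scope>` at a flow variable (as in the answer) rather than a literal, since a literal such as `AUTH2` is not treated as a requested-scope value.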
