
OAuthV2 GenerateAuthorizationCode does not expire in the specified time

masood
New Member

I am able to generate an Auth Code, but the problem is it does not expire in the specified time, which is set in the <ExpiresIn> tag.


Here is my OAuthV2 policy:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="true" enabled="true" name="Generate-Authorization-Code">
    <DisplayName>Generate Authorization Code</DisplayName>
    <Operation>GenerateAuthorizationCode</Operation>
    <ClientId>clientId</ClientId>
    <RedirectUri>redirectUrl</RedirectUri>
    <ResponseType>code</ResponseType>
    <Scope>scope</Scope>
    <!--<GenerateResponse enabled="true"/>-->
    <ExpiresIn>10000</ExpiresIn>
</OAuthV2>

I expect the generated code to expire in 10 seconds, but it does not. I checked even after 10 minutes, and it had still not expired.

And here is how I was trying to access auth code info:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<GetOAuthV2Info async="false" continueOnError="false" enabled="true" name="Get-Auth-Code-Info">
    <DisplayName>Get Auth Code Info</DisplayName>
    <AuthorizationCode ref="authCode"/>
</GetOAuthV2Info>

I have even checked the failed flag, which was set to false.

Any help would be appreciated.

ACCEPTED SOLUTION

Hmm, I just tested this and here's what I found:

GenerateAccessToken is working for me as expected. If I set expiry on the code, then the generated code expires as expected, and OAuthV2/GenerateAccessToken using that code will fail appropriately.

I cannot imagine what might be happening with your organization / environment. If you have an Apigee support contract then I suggest you contact Apigee support to request diagnosis on this.

It could be that you are expecting GetOAuthV2Info to fail when inquiring about an expired code. That may not be a documented behavior.

The "expiry" of the code means it will not be redeemable for a token. After the expiry, the code might still be in the keystore and queryable with GetOAuthV2Info, even though it would not be usable for obtaining a token via OAuthV2/GenerateAccessToken.

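To make the distinction in the accepted answer concrete, here is an added, constructed Python model of an authorization-code store (not Apigee's implementation and not code from the thread): an expired code remains in the store and is still returned by an info lookup, but redeeming it for a token fails. The 10000 ms value and the `info`/`redeem` names mirror the policies above; everything else is an assumption of this model.

```python
import time

# Constructed model of the behaviour described in the accepted answer.
# The <ExpiresIn> value from the poster's policy is in milliseconds.
EXPIRES_IN_MS = 10000


class AuthCodeStore:
    def __init__(self, now_ms=None):
        self._codes = {}
        # Injectable clock so expiry can be exercised without sleeping.
        self._now_ms = now_ms or (lambda: int(time.time() * 1000))

    def issue(self, code, client_id, expires_in_ms=EXPIRES_IN_MS):
        """Like OAuthV2/GenerateAuthorizationCode: store the code with its lifetime."""
        self._codes[code] = {
            "client_id": client_id,
            "issued_at": self._now_ms(),
            "expires_in": expires_in_ms,
            "status": "approved",
        }

    def info(self, code):
        """Like GetOAuthV2Info: the record is returned even after expiry."""
        record = self._codes.get(code)
        if record is None:
            return None
        expired = self._now_ms() >= record["issued_at"] + record["expires_in"]
        return {**record, "expired": expired}

    def redeem(self, code, client_id):
        """Like OAuthV2/GenerateAccessToken: expired or used codes are refused."""
        record = self.info(code)
        if record is None or record["client_id"] != client_id:
            raise PermissionError("invalid code or client mismatch")
        if record["expired"]:
            raise PermissionError("authorization code expired")
        if record["status"] != "approved":
            raise PermissionError("authorization code already redeemed")
        self._codes[code]["status"] = "redeemed"  # single use
        return {"access_token": f"constructed-token-for-{code}", "token_type": "Bearer"}
```

The caller of GetOAuthV2Info therefore has to inspect the returned expiry fields itself; the policy succeeding does not mean the code is still redeemable.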
