I am working on using the OAuthV2 policy to store both our external access token and external refresh token. I have a /token endpoint which I call with authorization_code grant_type to an external service that handles the auth code exchange and returns an access token and refresh token. Currently, I am handling the storing of the access token in the response flow of our /token endpoint flow after I have returned from the backend service. Before the OAuthV2 policy, I am setting the grant_type to 'client_credentials' and providing the client_id.
After some research it seems that Apigee does not support storing refresh tokens for this grant_type, so I have decided to switch to the 'authorization_code' grant_type since the request flow is already handling the authorization_code exchange.
I am setting the oauth_external_authorization_status variable to true before the OAuthV2 policy.
I am trying to store the access/refresh tokens like below:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="OAuth-StoreExternalTokens">
  <DisplayName>OAuth-StoreExternalTokens</DisplayName>
  <Properties/>
  <ExternalAccessToken>access_token_flow_variable</ExternalAccessToken>
  <ExternalRefreshToken>refresh_token_flow_variable</ExternalRefreshToken>
  <ExternalAuthorization>true</ExternalAuthorization>
  <Operation>GenerateAccessToken</Operation>
  <GenerateResponse enabled="true"/>
  <ReuseRefreshToken>false</ReuseRefreshToken>
  <StoreToken>true</StoreToken>
  <!-- default Expiry value in milliseconds -->
  <ExpiresIn ref="expires_in_flow_variable">3600000</ExpiresIn>
  <ClientId>apigee.client_id</ClientId>
  <SupportedGrantTypes>
    <GrantType>authorization_code</GrantType>
  </SupportedGrantTypes>
  <Tokens/>
</OAuthV2>
This fails with the error {"Error":"ClientId is Invalid","ErrorCode":"invalid_client"} even though the client ID is the one expected.
I am also trying to immediately revoke the refresh token after the above policy in the response flow in order to test that it is being stored:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="OAuth-InvalidateRefreshToken">
  <DisplayName>OAuth-InvalidateRefreshToken</DisplayName>
  <Operation>InvalidateToken</Operation>
  <Tokens>
    <Token type="refreshtoken" cascade="true">refresh_token_flow_variable</Token>
  </Tokens>
</OAuthV2>
This is resulting in the error "keymanagement.service.invalid_refresh_token" which makes me believe that the refresh token is not being stored correctly.
Is there an issue with the policies that are causing these errors?
Try setting the client_id into a formparam and specifying request.formparam.client_id as the ClientId in the policy. I read in the documentation that "request.formparam.client_id is the only valid value for the ClientId element". I don't know why that would be so. But anyway, try it.
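As an added example (not the poster's code and not an Apigee-supplied sample), here is the response-flow policy sequence that the answer implies: an ExtractVariables policy that pulls the external service's tokens into the flow variables named in the question, an AssignMessage policy that copies the client ID into a form parameter on the request and sets oauth_external_authorization_status, and the OAuthV2 policy with ClientId pointing at request.formparam.client_id. The policy names, the private.client_id source variable and the backend's JSON field names are assumptions.

```xml
<!-- Added example, not from the original post. Three response-flow policies
     in execution order; policy names and private.client_id are assumed. -->

<!-- 1. Pull the external service's tokens out of the target response into
        the flow variables the OAuthV2 policy below refers to. The JSONPaths
        assume a standard OAuth 2.0 token response from the external service. -->
<ExtractVariables name="EV-ExtractExternalTokens">
  <Source>response</Source>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <JSONPayload>
    <Variable name="access_token_flow_variable">
      <JSONPath>$.access_token</JSONPath>
    </Variable>
    <Variable name="refresh_token_flow_variable">
      <JSONPath>$.refresh_token</JSONPath>
    </Variable>
    <Variable name="expires_in_flow_variable">
      <JSONPath>$.expires_in</JSONPath>
    </Variable>
  </JSONPayload>
</ExtractVariables>

<!-- 2. The OAuthV2 policy reads ClientId from request.formparam.client_id
        (the accepted answer) and, by default, grant_type from
        request.formparam.grant_type. Because this runs in the response flow,
        AssignTo explicitly targets the request message. private.client_id is
        an assumed flow variable holding the Apigee app's consumer key. -->
<AssignMessage name="AM-SetTokenFormParams">
  <AssignVariable>
    <Name>oauth_external_authorization_status</Name>
    <Value>true</Value>
  </AssignVariable>
  <Set>
    <FormParams>
      <FormParam name="client_id">{private.client_id}</FormParam>
      <FormParam name="grant_type">authorization_code</FormParam>
    </FormParams>
  </Set>
  <AssignTo createNew="false" type="request">request</AssignTo>
</AssignMessage>

<!-- 3. Store the external tokens. ExpiresIn is in milliseconds, while an
        external service's expires_in is normally in seconds, so referencing
        expires_in_flow_variable directly would store a token that expires
        about a thousand times too early; the fixed default is used here, and
        converting the external value (seconds * 1000, e.g. in a JavaScript
        policy) before referencing it is left as a separate step. -->
<OAuthV2 name="OAuth-StoreExternalTokens">
  <Operation>GenerateAccessToken</Operation>
  <ExternalAuthorization>true</ExternalAuthorization>
  <ExternalAccessToken>access_token_flow_variable</ExternalAccessToken>
  <ExternalRefreshToken>refresh_token_flow_variable</ExternalRefreshToken>
  <ClientId>request.formparam.client_id</ClientId>
  <SupportedGrantTypes>
    <GrantType>authorization_code</GrantType>
  </SupportedGrantTypes>
  <ExpiresIn>3600000</ExpiresIn>
  <StoreToken>true</StoreToken>
  <ReuseRefreshToken>false</ReuseRefreshToken>
  <GenerateResponse enabled="true"/>
</OAuthV2>
```

With this ordering the InvalidateToken policy from the question, placed after step 3, has a stored refresh token to act on; if it still reports keymanagement.service.invalid_refresh_token, check that refresh_token_flow_variable was actually populated by step 1 (a missing field with IgnoreUnresolvedVariables set to false raises a fault there instead of silently storing an empty token).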
Wow, this fixed my issue! Thank you for your help.
This is a rather interesting restriction on where to grab the clientID.
whoo-hoo
Glad it helped. I agree this is an odd, unexpected restriction. And if it WERE a restriction, it should be flagged as an error, shouldn't it? Anyway I'm glad it's working for you.