OAuthV2 storing External Access and Refresh tokens for authorization_code grant_type

I am working on using the OAuthV2 policy to store both our external access token and external refresh token. I have a /token endpoint which I call with the authorization_code grant_type; it forwards to an external service that handles the auth code exchange and returns an access token and refresh token. Currently, I am handling the storing of the access token in the response flow of our /token endpoint flow after I have returned from the backend service. Before the OAuthV2 policy, I am setting the grant_type to 'client_credentials' and providing the client_id.

After some research it seems that Apigee does not support storing a refresh token for this grant_type, so I have decided to switch to the 'authorization_code' grant_type since the request flow is already handling the authorization_code exchange.

I am setting the oauth_external_authorization_status variable to true before the OAuthV2 policy.
I am trying to store the access/refresh tokens like below:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="OAuth-StoreExternalTokens">
    <DisplayName>OAuth-StoreExternalTokens</DisplayName>
    <Properties/>
    <ExternalAccessToken>access_token_flow_variable</ExternalAccessToken>
    <ExternalRefreshToken>refresh_token_flow_variable</ExternalRefreshToken>
    <ExternalAuthorization>true</ExternalAuthorization>
    <Operation>GenerateAccessToken</Operation>
    <GenerateResponse enabled="true"/>
    <ReuseRefreshToken>false</ReuseRefreshToken>
    <StoreToken>true</StoreToken>
    <!--default Expiry value in milliseconds-->
    <ExpiresIn ref="expires_in_flow_variable">3600000</ExpiresIn>
    <ClientId>apigee.client_id</ClientId>
    <SupportedGrantTypes>
        <GrantType>authorization_code</GrantType>
    </SupportedGrantTypes>
    <Tokens/>
</OAuthV2>

This fails with the error {"Error":"ClientId is Invalid","ErrorCode":"invalid_client"} even though the clientID is the one expected.

I am also trying to immediately revoke the refresh token after the above policy in the response flow in order to test that it is being stored:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="OAuth-InvalidateRefreshToken">
    <DisplayName>OAuth-InvalidateRefreshToken</DisplayName>
    <Operation>InvalidateToken</Operation>
    <Tokens>
        <Token type="refreshtoken" cascade="true">refresh_token_flow_variable</Token>
    </Tokens>
</OAuthV2>

This is resulting in the error "keymanagement.service.invalid_refresh_token" which makes me believe that the refresh token is not being stored correctly.

Is there an issue with the policies that is causing these errors?

1 ACCEPTED SOLUTION

Try setting the client_id into a formparam and specifying request.formparam.client_id as the ClientId in the policy. I read in the documentation that "request.formparam.client_id is the only valid value for the ClientId element". I don't know why that would be so. But anyway, try it.

oauthv2-clientid.png

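The accepted answer applied to the question's configuration, as an added example that is not from the original thread: an AssignMessage policy first copies the client id into the client_id form parameter, and the OAuthV2 policy then reads it from request.formparam.client_id; both run in the response flow of /token, in this order, after the backend has returned the external tokens. The policy name AM-SetClientIdFormParam is an assumption; the variable names are taken from the question's own policy.

```xml
<!-- Step 1 (added example, not from the thread): copy the client id held in the
     flow variable apigee.client_id into the request form parameter client_id.
     The policy name is an assumption; the variable name comes from the question. -->
<AssignMessage async="false" continueOnError="false" enabled="true" name="AM-SetClientIdFormParam">
    <DisplayName>AM-SetClientIdFormParam</DisplayName>
    <Set>
        <FormParams>
            <FormParam name="client_id">{apigee.client_id}</FormParam>
        </FormParams>
    </Set>
    <!-- fail loudly if the variable is unset instead of storing a token under an empty client id -->
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>

<!-- Step 2: the question's policy with ClientId pointing at the form parameter,
     which the accepted answer identifies as the only value the element accepts. -->
<OAuthV2 async="false" continueOnError="false" enabled="true" name="OAuth-StoreExternalTokens">
    <DisplayName>OAuth-StoreExternalTokens</DisplayName>
    <Operation>GenerateAccessToken</Operation>
    <!-- tokens were issued externally; oauth_external_authorization_status is set to true upstream -->
    <ExternalAuthorization>true</ExternalAuthorization>
    <ExternalAccessToken>access_token_flow_variable</ExternalAccessToken>
    <ExternalRefreshToken>refresh_token_flow_variable</ExternalRefreshToken>
    <!-- read from the form parameter populated by AM-SetClientIdFormParam -->
    <ClientId>request.formparam.client_id</ClientId>
    <StoreToken>true</StoreToken>
    <ReuseRefreshToken>false</ReuseRefreshToken>
    <!-- default expiry in milliseconds, overridden by the external service's expires_in when present -->
    <ExpiresIn ref="expires_in_flow_variable">3600000</ExpiresIn>
    <SupportedGrantTypes>
        <GrantType>authorization_code</GrantType>
    </SupportedGrantTypes>
    <GenerateResponse enabled="true"/>
</OAuthV2>
```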

3 REPLIES 3

wow this fixed my issue! Thank you for your help.

This is a rather interesting restriction on where to grab the clientID.

whoo-hoo
Glad it helped. I agree this is an odd, unexpected restriction. And if it WERE a restriction, it should be flagged as an error, shouldn't it? Anyway I'm glad it's working for you.