I am using the <OAuthV2> policy with <ExternalAuthorization>true</ExternalAuthorization> and only <ExternalAuthorizationCode> configured, with the authorization code coming from an external system.
It works well for generating an access_token with grant_type authorization_code. However, I am not able to use <ExternalAuthorization>true</ExternalAuthorization> for the RefreshAccessToken operation. It seems ExternalAuthorization is supported only for grant types -
Is there a way to allow the same for the refresh_token grant type as well?
Explaining my use case a bit:
Our client app is a mobile application which uses (in a secured browser/webview) an external SAML SP to authenticate the user. Once authenticated, it issues an auth code and redirects to an app-registered URL scheme with the same. The mobile app then exchanges that for an access token issued by the OAuthV2 policy with ExternalAuthorization = true (a service callout validating the auth code).
I don't wish to store a client secret in the mobile app, hence the above question.
Does the current system rely on a client_id to be embedded in the mobile app?
Once Authenticated, it issues a Auth-code and redirects to an app registered URL scheme with the same
I guess in the phrase "it issues an auth-code" you are referring not to the app but to a SAML IdP? And then the mobile app gets redirected. Which system delivers that redirection, and to what system is the user agent being redirected? If you have a sequence diagram, that might clarify.
Even without knowing more... if the user agent is being redirected to a URL hosted at Apigee Edge, which then exchanges the code for a token, then Apigee Edge is the token issuer. In that case, you can finesse your way to do a refresh, later, without requiring the mobile app to send the client secret.
If the client sends in the client_id and the refresh_token, and both are stored by Apigee Edge, you can use an AccessEntity policy to retrieve the client secret, then contrive an Authorization header with the appropriate base64 blob, before invoking the OAuthV2/RefreshAccessToken policy.
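Here is what that policy chain can look like in Apigee Edge. This is an added example, not code from the thread or from Apigee; each policy would live in its own file under apiproxy/policies, and the flow fragment goes in the proxy endpoint. The policy names, the private.* variable names and the form parameter names are assumptions, and the XPath into the AccessEntity output is written from the documented App entity layout, so check it against a trace in your own org. The point of the design is that the consumer secret is read inside the proxy and only ever ends up in an Authorization header that the OAuthV2 policy consumes; the device never sees it.

```xml
<!-- Added example; policy names, variable names and form parameters are assumptions. -->

<!-- 1. Look up the registered app by the client_id the mobile app sent.
        The lookup runs inside the proxy, so the secret never leaves Edge. -->
<AccessEntity name="AE-AppByClientId">
  <EntityType value="app"/>
  <EntityIdentifier ref="request.formparam.client_id" type="consumerkey"/>
</AccessEntity>

<!-- 2. Pull the ConsumerSecret out of the XML that AccessEntity produced.
        Using the "private" prefix keeps the value masked in the Trace tool.
        Assumed XPath based on the documented App entity layout; verify in your org. -->
<ExtractVariables name="EV-ConsumerSecret">
  <Source>AccessEntity.AE-AppByClientId</Source>
  <VariablePrefix>private</VariablePrefix>
  <XMLPayload>
    <Variable name="consumer_secret" type="string">
      <XPath>/App/Credentials/Credential/ConsumerSecret</XPath>
    </Variable>
  </XMLPayload>
</ExtractVariables>

<!-- 3. Fail closed if the client_id did not resolve to a registered app. -->
<RaiseFault name="RF-UnknownClient">
  <FaultResponse>
    <Set>
      <Payload contentType="application/json">{"error":"invalid_client"}</Payload>
      <StatusCode>401</StatusCode>
      <ReasonPhrase>Unauthorized</ReasonPhrase>
    </Set>
  </FaultResponse>
</RaiseFault>

<!-- 4. Build "client_id:client_secret", base64-encode it with the message
        template function, and set the Authorization header that
        RefreshAccessToken expects. -->
<AssignMessage name="AM-BasicAuthHeader">
  <AssignVariable>
    <Name>private.basic_credentials</Name>
    <Template>{request.formparam.client_id}:{private.consumer_secret}</Template>
  </AssignVariable>
  <AssignVariable>
    <Name>private.basic_b64</Name>
    <Template>{encodeBase64(private.basic_credentials)}</Template>
  </AssignVariable>
  <Set>
    <Headers>
      <Header name="Authorization">Basic {private.basic_b64}</Header>
    </Headers>
  </Set>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>

<!-- 5. Refresh. OAuthV2 checks client_id/secret from the header and the
        refresh_token from the form body, then writes the new token pair
        into the response. -->
<OAuthV2 name="OAuthV2-RefreshAccessToken">
  <Operation>RefreshAccessToken</Operation>
  <ExpiresIn>1800000</ExpiresIn>
  <GrantType>request.formparam.grant_type</GrantType>
  <RefreshToken>request.formparam.refresh_token</RefreshToken>
  <GenerateResponse enabled="true"/>
</OAuthV2>

<!-- Proxy endpoint flow wiring the steps together for the refresh grant only. -->
<Flow name="refresh-token">
  <Condition>(proxy.pathsuffix MatchesPath "/token") and (request.formparam.grant_type = "refresh_token")</Condition>
  <Request>
    <Step><Name>AE-AppByClientId</Name></Step>
    <Step><Name>EV-ConsumerSecret</Name></Step>
    <Step>
      <Name>RF-UnknownClient</Name>
      <Condition>private.consumer_secret = null</Condition>
    </Step>
    <Step><Name>AM-BasicAuthHeader</Name></Step>
    <Step><Name>OAuthV2-RefreshAccessToken</Name></Step>
  </Request>
</Flow>
```

Two things worth keeping in mind with this layout. The refresh_token is now the only long-lived credential the device holds, so it deserves platform keychain/keystore storage and a refresh-token expiry that matches how long you are willing to let a stolen device keep minting tokens; and because the OAuthV2 policy still sees a normal client_id/secret pair, revoking or rotating the app's consumer key in Edge cuts refreshes off immediately without any change on the mobile side.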