This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Get hands-on experience with 20+ free Google Cloud products and $300 in free credit for new customers.
Log in to ask a question

Resource owner password credentials flow documentation gaps...

Posted on 03-23-2016 08:21 AM
Anthony_Coelho
New Member
Reply posted on --/--/---- --:-- AM

We started working on implementing the Resource owner password credentials flow within our API and created an endpoint that can receive a emailId and password to authenticate, but are having a hard time finding more details on implementing this flow in Apigee. The documentation located at http://docs.apigee.com/api-services/content/oauth-20-client-credentials-grant-type states that the grant type is covered in Part 6, Lessons 6 and 7 of Foundation training.

However, there doesn’t appear to be a reference to Part 6, Lessons 6 and 7 in the course located at the Foundation Training link, which is http://academy.apigee.com/courses/elearning/foundation_training/Foundation_training

Can someone point us in the right direction? We are looking for the following information:

  • Is there a specific policy template that should be used for this flow?
    • The article covers the Basic Authentication policy, and mentioned OAuth with respect to overriding the OAuth handler, but it doesn’t go into details.
    • I looked at the list of policy templates, and there isn’t one specific to this flow.
  • We would like to return information, specifically the user identifier, so we can store it in the data store. Is there a specific schema Apigee expects?
    • If the authentication fails, we will return a 401 with a body containing details about the failed authentication. Will the response just be passed back to the client application?
    • If this is not the default behavior, can it be configured to pass this response back to the client application?
  • With respect to sending the request to the user service to authenticate, is the path and variables configurable?
    • The documentation states the path is /services/user/authenticateUser(emailId, password). Could this path be modified to something like User/Authenticate?
    • With respect to the parameters, how are they sent:
      • Are they sent in a header?
      • Are they sent in the body?
      • Are they sent as URL parameters?
Solved Solved
0 8 447
Topic Labels
Jump to Solution
0 Likes
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
willwitman
Staff
Reply posted on --/--/---- --:-- AM

Hi @Anthony Coelho,

I think I can help point you in the right direction on some of your questions -- hopefully enough to make progress. I'll have to look into the training video link and fix it up - it may be out of date.

I'd start with this topic talks about password grant type.

Also check out this topic. It tells you exactly how to request an access token using the password grant type. It includes: the API call, the Policy xml, and an example response.

You can catch errors and return custom responses using the Raise Fault policy. The general topic on Fault Handling provides some more info and context.

When you are verifying a token, using the OAuthV2 policy with the VerifyAccessToken operation, you tell the policy to look for credentials in the header, query param, or form params. See this topic.

It's also possible to store attributes like a user UUID in the access token itself, as a custom attribute. Not sure if this helps you, but it's a common practice that lets you associate the oauth token with a specific user. I have an example I could share if you need it.

I'm not sure which doc has this path /services/user/authenticateUser(emailId, password). Can you point me to it?

Will

View solution in original post

Jump to Solution
8 REPLIES 8
Top Solution Authors
View all