Setting Dynamic Token Expiration Time

Hi there,

I am looking forward to setting the token expiration time dynamically. I tried some of the solutions mentioned here and around related to App/Product custom attributes but could not find a proper way to access them during the GenerateAccessToken policy execution. 

It's worth mentioning that I am using the client_credentials grant type.


Hi!

You need to identify the client before being able to pull custom attributes from App / Developer / Product. You can achieve this by attaching a VerifyAPIKey policy before the OAuthPolicy that generates the token. The VK policy will populate flow variables including custom attributes. Then you'll be able to reference a custom attribute from the ExpiresIn element:

<ExpiresIn ref="verifyapikey.YOUR_VK_POLICY_NAME_HERE.apiproduct.CUSTOM_ATT_NAME_HERE">
    3600000 <!--default value in milliseconds-->
</ExpiresIn>


I tried this using shared flows which include a VerifyAccessToken as a hook. This did not generate such stuff. Will give it a try with a proxy-specific one too.

Edit: I tried it the way you suggested (if I did not do anything wrong) and it did not work either.

So what I did:

1. Added a custom attribute on my product.

2. Created a token generation proxy and assigned two policies: GenerateAccessToken and VerifyAccessToken.

3. Policy order: VerifyAccessToken first, with continueOnError set to true.

4. Tried to access the attribute in GenerateAccessToken with your syntax, and it did not work.

Hence, this seems to be a missing feature; one should be able to simply set this. I think the token generation flow would be something like this:

1. Validate the client and credentials.

2. Create a secure token.

3. Create relations between the token and the app, product, etc.

4. Set extra metadata like expiry, etc. (since Apigee has already fetched the info for the product and application, I should be able to reference such values already).

No. My suggestion didn't mention anything w.r.t. VerifyAccessToken policy. You need to use a VerifyAPIKey policy to be able to identify the client before authorizing access with OAuth policy (configured with metadata from app / product / dev). For example, if you're configuring the client credentials grant type, then the API Key will be encoded in a Basic Authorization header (you can decode it and place it in a variable using BasicAuth policy).

You don't have to retrieve the expiry settings from the App / dev / Product. You can configure a KVM and use the `apiproxy.name` flow variable as a key to retrieve security settings that are applicable to a given proxy.
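Putting the two suggestions in this thread together, here is an added example (not code from either poster and not Apigee's own sample) of a token-endpoint flow for the client_credentials grant. The BasicAuthentication policy decodes the client id out of the Basic Authorization header, VerifyAPIKey identifies the app and product and populates their custom attributes as verifyapikey.* variables, and GenerateAccessToken reads its ExpiresIn from a variable that is filled either from a product custom attribute or, if the product has none, from a KVM keyed on apiproxy.name; the element's inline default applies when neither is set. The policy names (BA-DecodeClient, VK-ClientId, AM-TTLFromProduct, KVM-TTLFromProxy, OA-GenerateToken), the custom attribute name token_ttl_ms, the KVM name proxy-security-settings and the /oauth/token path are all assumptions.

```xml
<!-- Policy 1: decode "Authorization: Basic <base64>" into client_id / client_secret -->
<BasicAuthentication name="BA-DecodeClient">
  <Operation>Decode</Operation>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <User ref="client_id"/>
  <Password ref="client_secret"/>
  <Source>request.header.Authorization</Source>
</BasicAuthentication>

<!-- Policy 2: identify the app and product from the consumer key; on success this
     populates verifyapikey.VK-ClientId.* including product/app custom attributes -->
<VerifyAPIKey name="VK-ClientId">
  <APIKey ref="client_id"/>
</VerifyAPIKey>

<!-- Policy 3a: copy the product custom attribute (assumed name: token_ttl_ms,
     value in milliseconds) into a plain flow variable -->
<AssignMessage name="AM-TTLFromProduct">
  <AssignVariable>
    <Name>token_ttl_ms</Name>
    <Ref>verifyapikey.VK-ClientId.apiproduct.token_ttl_ms</Ref>
  </AssignVariable>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</AssignMessage>

<!-- Policy 3b: per-proxy fallback from a KVM (assumed map: proxy-security-settings),
     keyed on the proxy name so each proxy can carry its own TTL -->
<KeyValueMapOperations name="KVM-TTLFromProxy" mapIdentifier="proxy-security-settings">
  <Scope>environment</Scope>
  <Get assignTo="token_ttl_ms">
    <Key>
      <Parameter ref="apiproxy.name"/>
    </Key>
  </Get>
</KeyValueMapOperations>

<!-- Policy 4: issue the token. ExpiresIn is in milliseconds; the inline value is
     used only when token_ttl_ms is unset. The client_secret is still verified here. -->
<OAuthV2 name="OA-GenerateToken">
  <Operation>GenerateAccessToken</Operation>
  <SupportedGrantTypes>
    <GrantType>client_credentials</GrantType>
  </SupportedGrantTypes>
  <GrantType>request.formparam.grant_type</GrantType>
  <ExpiresIn ref="token_ttl_ms">3600000</ExpiresIn>
  <GenerateResponse enabled="true"/>
</OAuthV2>

<!-- Proxy endpoint: step order matters, VerifyAPIKey must run before OAuthV2 -->
<ProxyEndpoint name="default">
  <Flows>
    <Flow name="token">
      <Condition>(proxy.pathsuffix MatchesPath "/token") and (request.verb = "POST")</Condition>
      <Request>
        <Step><Name>BA-DecodeClient</Name></Step>
        <Step><Name>VK-ClientId</Name></Step>
        <Step>
          <Name>AM-TTLFromProduct</Name>
          <Condition>verifyapikey.VK-ClientId.apiproduct.token_ttl_ms != null</Condition>
        </Step>
        <Step>
          <Name>KVM-TTLFromProxy</Name>
          <Condition>verifyapikey.VK-ClientId.apiproduct.token_ttl_ms = null</Condition>
        </Step>
        <Step><Name>OA-GenerateToken</Name></Step>
      </Request>
    </Flow>
  </Flows>
  <HTTPProxyConnection>
    <BasePath>/oauth</BasePath>
  </HTTPProxyConnection>
</ProxyEndpoint>
```

Two points worth checking when adapting this: the TTL is sourced only from the product attribute or the KVM, never from a client-supplied form or query parameter, so a caller cannot lengthen its own token lifetime; and because ExpiresIn is read in milliseconds, store the attribute as a millisecond value (for example 900000 for fifteen minutes) rather than seconds. For a per-app rather than per-product TTL, reference the app attribute form verifyapikey.VK-ClientId.<attribute_name> in the AssignMessage instead of the .apiproduct. form.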

Thanks for the clarification. I was so stuck on the token verification policy that I completely misunderstood your statement. Thanks! Will try this and update here with the result asap.

 


@gonzalezruben wrote:

You don't have to retrieve the expiry settings from the App / dev / Product. You can configure a KVM and use the `apiproxy.name` flow variable as a key to retrieve security settings that are applicable to a given proxy.

I am trying to give different expiry times per application (for the same product, e.g.). Again, if I understand your phrase correctly, your suggestion provides proxy-level expiry, while I am trying to have it at the app level or product level.