Hi there,
I am looking forward to setting the token expiration time dynamically. I tried some of the solutions mentioned here and around related to App/Product custom attributes but could not find a proper way to access them during the GenerateAccessToken policy execution.
It's worth mentioning that I am using the client_credentials grant type.
Hi!
You need to identify the client before being able to pull custom attributes from App / Developer / Product. You can achieve this by attaching a VerifyAPIKey policy before the OAuthPolicy that generates the token. The VK policy will populate flow variables including custom attributes. Then you'll be able to reference a custom attribute from the ExpiresIn element:
<ExpiresIn ref="verifyapikey.YOUR_VK_POLICY_NAME_HERE.apiproduct.CUSTOM_ATT_NAME_HERE">
3600000 <!--default value in milliseconds-->
</ExpiresIn>
I tried this using shared flows which include a VerifyAccessToken policy as a hook. This did not generate such stuff. Will give it a try with a proxy-specific one too.
Edit: I tried the way you want me to do so (if I did not make a mistake somewhere) and it did not work either.
So what I did:
1. added a custom attribute on my product.
2. created a token generation proxy and assigned two policies. One is GenerateAccessToken, the other one is VerifyAccessToken.
3. Policy order is: VerifyAccessToken first, with continueOnError set to true.
4. Tried to access the attribute in GenerateAccessToken with your syntax and it did not work.
Hence, this seems to be a missing feature: one should be able to simply set this. Thinking about it, the token generation flow would be something like this.
1. validate client and creds.
2. create a secure token.
3. create relations between token and app, product etc..
4. set extra metadata like expiry etc. (since Apigee has already fetched the info for the product and application itself, I should be able to reference such values already.)
No. My suggestion didn't mention anything w.r.t. VerifyAccessToken policy. You need to use a VerifyAPIKey policy to be able to identify the client before authorizing access with OAuth policy (configured with metadata from app / product / dev). For example, if you're configuring the client credentials grant type, then the API Key will be encoded in a Basic Authorization header (you can decode it and place it in a variable using BasicAuth policy).
You don't have to retrieve the expiry settings from the App / dev / Product. You can configure a KVM and use the `apiproxy.name` flow variable as a key to retrieve security settings that are applicable to a given proxy.
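Putting the two suggestions above together, here is an added example (not the poster's own configuration, and not taken from the Apigee docs verbatim) of a client_credentials token proxy. It decodes the Basic Authorization header to expose the client_id, runs VerifyAPIKey on it so that app and product attributes become flow variables, and then lets GenerateAccessToken read its expiry from one of them. The policy names (BA-Decode, VK-ClientId, KVM-TokenSettings, OA-GenerateToken), the custom attribute name token_ttl_ms, the KVM map name token-settings and the variable names decoded.* and kvm.* are all assumptions chosen for this example; the `verifyapikey.{policy}.apiproduct.{attr}` reference form is the one from the reply above, and the `verifyapikey.{policy}.{attr}` form for app-level attributes is included for the per-app case. The KVM policy shows the proxy-keyed alternative; only one of the two ExpiresIn references would be kept in a real proxy. Ordering matters: VerifyAPIKey has to run on the same request, before the OAuthV2 policy, because its variables are scoped to that request.

```xml
<!-- apiproxy/policies/BA-Decode.xml
     Decode "Authorization: Basic base64(client_id:client_secret)" into two
     flow variables. Variable names decoded.username / decoded.password are
     assumptions for this example. -->
<BasicAuthentication name="BA-Decode" continueOnError="false" enabled="true">
  <Operation>Decode</Operation>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <User ref="decoded.username"/>
  <Password ref="decoded.password"/>
  <Source>request.header.Authorization</Source>
</BasicAuthentication>

<!-- apiproxy/policies/VK-ClientId.xml
     Identify the client from the decoded client_id. On success Apigee sets
     verifyapikey.VK-ClientId.* variables, including app and product custom
     attributes. continueOnError stays false: an unknown client must not
     reach token generation. -->
<VerifyAPIKey name="VK-ClientId" continueOnError="false" enabled="true">
  <APIKey ref="decoded.username"/>
</VerifyAPIKey>

<!-- apiproxy/policies/KVM-TokenSettings.xml
     Alternative from the reply above: look up a per-proxy TTL in an
     environment-scoped KVM (map name and entry key are assumptions; the
     entry key is the proxy name, so one entry per proxy). -->
<KeyValueMapOperations name="KVM-TokenSettings" mapIdentifier="token-settings">
  <Scope>environment</Scope>
  <Get assignTo="kvm.token_ttl_ms">
    <Key>
      <Parameter ref="apiproxy.name"/>
    </Key>
  </Get>
</KeyValueMapOperations>

<!-- apiproxy/policies/OA-GenerateToken.xml
     ExpiresIn is in milliseconds. The ref is resolved at runtime; the element
     body is the fallback when the attribute is not set on the product. For an
     app-level attribute (per application, same product) the reference would
     be verifyapikey.VK-ClientId.token_ttl_ms; for the KVM route it would be
     kvm.token_ttl_ms. Only one ref attribute is allowed, so pick one. -->
<OAuthV2 name="OA-GenerateToken" continueOnError="false" enabled="true">
  <Operation>GenerateAccessToken</Operation>
  <ExpiresIn ref="verifyapikey.VK-ClientId.apiproduct.token_ttl_ms">3600000</ExpiresIn>
  <SupportedGrantTypes>
    <GrantType>client_credentials</GrantType>
  </SupportedGrantTypes>
  <GrantType>request.formparam.grant_type</GrantType>
  <GenerateResponse enabled="true"/>
</OAuthV2>

<!-- apiproxy/proxies/default.xml
     Policy order for the /token request: decode -> identify client ->
     (optional KVM lookup) -> generate token. -->
<ProxyEndpoint name="default">
  <PreFlow name="PreFlow">
    <Request>
      <Step><Name>BA-Decode</Name></Step>
      <Step><Name>VK-ClientId</Name></Step>
      <Step><Name>KVM-TokenSettings</Name></Step>
    </Request>
  </PreFlow>
  <Flows>
    <Flow name="token">
      <Condition>(proxy.pathsuffix MatchesPath "/token") and (request.verb = "POST")</Condition>
      <Request>
        <Step><Name>OA-GenerateToken</Name></Step>
      </Request>
    </Flow>
  </Flows>
  <HTTPProxyConnection>
    <BasePath>/oauth</BasePath>
  </HTTPProxyConnection>
  <RouteRule name="noroute"/>
</ProxyEndpoint>
```

Two things worth checking when wiring this up: VerifyAPIKey only validates the client_id, so the OAuthV2 policy still performs the client_secret check itself, and the fallback value inside ExpiresIn is what every client gets if the attribute is missing, so keep it as short as the product's security requirements allow rather than treating it as a convenience default.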
Thanks for the clarification. I was so stuck on the token verification policy that I wholly misunderstood your statement. Thanks! Will try this and update here with the result asap.
@gonzalezruben wrote: You don't have to retrieve the expiry settings from the App / dev / Product. You can configure a KVM and use the `apiproxy.name` flow variable as a key to retrieve security settings that are applicable to a given proxy.
I am trying to give different expiry times per application (for the same product, e.g.). Again, if I understand your phrase correctly, your suggestion provides proxy-level expiry, while I am trying to have it at app level or product level.