The access token is retrieved from 3rd party and then stored in Apigee using the OAuthV2 policy, similar with <OAuthV2 name="OAuth-v20-Store-External-Token"> described at http://docs.apigee.com/api-services/content/use-third-party-oauth-system. This works fine.

However, after sometime, this fails for some client ids (very few), while still works for others. Here is the trace that shows a difference between those that work and those that don't, when "OAuth-v20-Store-External-Token" is executed:

1. client id that works:

apigee.access_token 		<hidden>
apigee.client_id 		<hidden>
apigee.developer.app.name 		<hidden>
apigee.developer.email 		<hidden>
apigee.developer.id 		<hidden>
apigee.metrics.policy.Extract_Client_Id.timeTaken 	216187	
apigee.metrics.policy.Store-Access-Token.timeTaken 		3273060
auth_header_error 	false	
oauth_external_authorization_status 		true
oauthV2.failed 		false
oauthV2.Store-Access-Token 		
request.formparam.client_id 	<hidden>	
request.header.Authorization 	Basic <hidden>	
ext-userrefreshtoken 		
ext-usertoken 		<hidden>

2. client id that doesn't work:

apigee.metrics.policy.Extract_Client_Id.timeTaken 	231811	
apigee.metrics.policy.Store-Access-Token.timeTaken 		2851986
auth_header_error 	false	
oauth_external_authorization_status 		true
oauthV2.Store-Access-Token 		
request.formparam.client_id 	<hidden>	
request.header.Authorization 	Basic <hidden>	
ext-userrefreshtoken 		
ext-usertoken 		<hidden>

The trace shows that it is not able to get the client info for the failed client id. I removed and recreated the failed client id/ secret, for same dev and dev app. Still it fails. The Authorization header or request.formparam.client_id have correct value of the client id.

I can't explain why this fails. The apigee logs show following exception:

2017-02-09 11:22:22,878 org:hsdp env:h2h-qa api:OAuth rev:88 messageid:vhr-apigee-dev-03.dev.na1.phsdp.com_CWN34IFA4_RouterProxy-3-859369_1  Apigee-Main-1     5 ERROR MESSAGING.FLOW - AsyncExecutionStrategy$AsyncExecutionTask.logException() : Exception caught
4979 com.apigee.oauth.v2.TokenGenerationException: invalid_client
4980         at com.apigee.oauth.v2.OAuthServiceImpl.generateAccessToken(OAuthServiceImpl.java:280) ~[oauthV2-1.0.0.jar:na]
4981         at com.apigee.steps.oauth.v2.OAuthStepExecution.execute(OAuthStepExecution.java:255) ~[oauthV2-1.0.0.jar:na]
4982         at com.apigee.messaging.runtime.steps.StepExecution.execute(StepExecution.java:132) ~[message-processor-1.0.0.jar:na]
4983         at com.apigee.flow.execution.AsyncExecutionStrategy$AsyncExecutionTask.call(AsyncExecutionStrategy.java:87) [message-flow-1.0.0.jar:na]
4984         at com.apigee.flow.execution.AsyncExecutionStrategy$AsyncExecutionTask.call(AsyncExecutionStrategy.java:56) [message-flow-1.0.0.jar:na]
4985         at java.util.concurrent.FutureTask.run(FutureTask.java:262) [na:1.7.0_95]
4986         at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) [na:1.7.0_95]
4987         at java.util.concurrent.FutureTask.run(FutureTask.java:262) [na:1.7.0_95]
4988         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [na:1.7.0_95]
4989         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [na:1.7.0_95]
4990         at java.lang.Thread.run(Thread.java:745) [na:1.7.0_95]
4991 Caused by: com.apigee.keymanagement.resource.KeyManagementApiException: ClientId is Invalid
4992         at com.apigee.keymanagement.util.OAuth20ValidationHandler.throwExceptionForEmptyOrNullConsumerKey(OAuth20ValidationHandler.java:19) ~[keymanagemen     t-1.0.0.jar:na]
4993         at com.apigee.keymanagement.util.ResourceUtil.validateConsumerKey(ResourceUtil.java:467) ~[keymanagement-1.0.0.jar:na]
4994         at com.apigee.keymanagement.util.ResourceUtil.validateConsumerKey(ResourceUtil.java:440) ~[keymanagement-1.0.0.jar:na]
4995         at com.apigee.keymanagement.util.ResourceUtil.validateConsumerKey(ResourceUtil.java:424) ~[keymanagement-1.0.0.jar:na]
4996         at com.apigee.keymanagement.util.ConsumerKeyUtil.getConsumerDetails(ConsumerKeyUtil.java:112) ~[keymanagement-1.0.0.jar:na]
4997         at com.apigee.keymanagement.util.ConsumerKeyUtil.getOauth20ConsumerDetails(ConsumerKeyUtil.java:103) ~[keymanagement-1.0.0.jar:na]
4998         at com.apigee.oauth.v2.persistence.OAuth2RuntimeServiceImpl.getConsumer(OAuth2RuntimeServiceImpl.java:602) ~[oauthV2-1.0.0.jar:na]
4999         at com.apigee.oauth.v2.connectors.LocalOAuthServiceConnector.getClientAttributes(LocalOAuthServiceConnector.java:172) ~[oauthV2-1.0.0.jar:na]
5000         at com.apigee.oauth.v2.OAuthServiceImpl.authenticateClient(OAuthServiceImpl.java:458) ~[oauthV2-1.0.0.jar:na]
5001         at com.apigee.oauth.v2.OAuthServiceImpl.generateAccessToken(OAuthServiceImpl.java:275) ~[oauthV2-1.0.0.jar:na]
5002         ... 10 common frames omitted

Thanks.

Crina