Verifying Access Token

Hi,

I have a proxy with path /oauth/token to generate a token. It is bound to the GenerateAccessToken operation, and no "product, developer or app" is configured for this proxy. When I hit the path with the required parameters, I can see the token response properly.

I tried to create another proxy with path /oauth/verify to verify the token (generic path) with the VerifyAccessToken operation. When I hit the path for this proxy, I get a "no product found" kind of error. Is this valid behavior?

Is there a way of defining a proxy in order to have a generic token validation endpoint that does not require a product, developer or app definition?

1 ACCEPTED SOLUTION


@olgunkaya wrote:

I have a proxy with path /oauth/token to generate a token. It is bound to the GenerateAccessToken operation, and no "product, developer or app" is configured for this proxy. When I hit the path with the required parameters, I can see the token response properly.


I think you're saying that the token-dispensing proxy can work properly, even though it is not included in any API Product. Is that right?

If so, that is the expected behavior.  Generating a token is not an operation that is protected or exposed via an API Product. The token dispensing proxy is special in Apigee - it is the gatekeeper proxy. First an app must connect to the token dispensing proxy, to get a token. Then, the app can present that token to other APIs, which can Verify the token. The verification process: check to see that the token is known and valid and not expired; get the list of API Products for that token; check to see which API Product the current call is included in. That is why the proxy that calls VerifyAccessToken must be included in an API Product. 

The GenerateAccessToken does not need to be included in an API Product. It is general-purpose. It can generate a token for any app, for any set of valid credentials.

Does this help?

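A simplified model of the verification steps listed in the accepted answer, added here as an illustration; it is not Apigee's implementation and not code from the thread. The product, proxy and token names are constructed, and credential checking during token generation is elided.

```python
# Simplified model (assumption): mirrors only the three checks the answer lists.
import time

# Constructed sample data: API Product name -> proxies bundled into it.
PRODUCTS = {"orders-product": {"orders-v1"}}
# Constructed token store: token -> (expiry in epoch seconds, the app's API Products).
TOKENS = {}

def generate_access_token(app_products, ttl=3600, now=None):
    """Token dispensing: no lookup of which product the dispensing proxy is in."""
    now = time.time() if now is None else now
    token = f"tok-{len(TOKENS) + 1}"  # constructed placeholder, not a real token format
    TOKENS[token] = (now + ttl, list(app_products))
    return token

def verify_access_token(token, current_proxy, now=None):
    """Return (ok, detail) after the three checks described in the answer."""
    now = time.time() if now is None else now
    record = TOKENS.get(token)
    # 1. The token is known, valid and not expired.
    if record is None:
        return False, "unknown token"
    expires_at, app_products = record
    if now >= expires_at:
        return False, "token expired"
    # 2. Get the API Products for the token.
    # 3. Find the product that includes the proxy handling the current call.
    for name in app_products:
        if current_proxy in PRODUCTS.get(name, set()):
            return True, name
    return False, "no matching API Product"

if __name__ == "__main__":
    tok = generate_access_token(["orders-product"])
    print(verify_access_token(tok, "orders-v1"))     # proxy bundled in a product
    print(verify_access_token(tok, "oauth-verify"))  # generic proxy in no product
```

In this model the generic verify proxy fails at step 3 even with a valid token, because no product lists it.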

3 REPLIES

Hi, you need to create a product with APIs added to it, and create a developer to create an app related to the product. To validate the token correctly you need at least one API added to your product.

Hi,

thanks for the answer, that's how it works and I already explained it. My question is more about why? GenerateAccessToken is able to work alone without a product while VerifyAccessToken is not.

