This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Get hands-on experience with 20+ free Google Cloud products and $300 in free credit for new customers.
Log in to ask a question

Verifying Access Token

Posted on 12-30-2022 06:57 AM
olgunkaya
Bronze 3
Bronze 3
Reply posted on --/--/---- --:-- AM

Hi,

I have proxy with path /oauth/token to generate token. It is bind to GenerateAccessToken operation and no "product, developer or app" configured related to this proxy. When I hit the path with required parameters, I can see the token response properly. 

I tried to create another proxy with path /oauth/verify to verify the token (generic path) with VerifyAccessToken operation. When I hit the path for this proxy, I am having the error of  no product found kinda error. Is this a valid behavior ?

Is there a way of defining a proxy in order to have a generic token validation endpoint that does not require to have product, developer or app definition ? 

Solved Solved
0 3 1,555
Topic Labels
Jump to Solution
0 Likes
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
dchiesa1
Staff
Reply posted on --/--/---- --:-- AM
@olgunkaya wrote:

I have proxy with path /oauth/token to generate token. It is bind to GenerateAccessToken operation and no "product, developer or app" configured related to this proxy. When I hit the path with required parameters, I can see the token response properly. 

I think you're saying that the token-dispensing proxy can work properly, even though is not included in any API Product.  Is that right? 

If so, that is the expected behavior.  Generating a token is not an operation that is protected or exposed via an API Product. The token dispensing proxy is special in Apigee - it is the gatekeeper proxy. First an app must connect to the token dispensing proxy, to get a token. Then, the app can present that token to other APIs, which can Verify the token. The verification process: check to see that the token is known and valid and not expired; get the list of API Products for that token; check to see which API Product the current call is included in. That is why the proxy that calls VerifyAccessToken must be included in an API Product. 

The GenerateAccessToken does not need to be included in an API Product. It is general-purpose. It can generate a token for any app, for any set of valid credentials.

Does this help?

View solution in original post

Jump to Solution
3 REPLIES 3
Top Solution Authors
View all