We have a proxy that verifies the API key and secret before passing the request to an external IDP for an access token. The first OAuthV2 policy works fine to validate the client if the call is specifically just getting an access token. However, the first OAuthV2 policy fails (oauthV2.failed is true) and does not raise a fault when seeking a refresh token. It appears to act like a pass-through and sends the request on to the external IDP.
Our configuration is based on this use case: https://github.com/apigee/api-platform-samples/tree/master/sample-proxies/oauth-validate-key-secret
When the refresh_token request is sent, it is sent with a form parameter grant_type of refresh_token along with the appropriate Basic Authorization header.
Is this the expected OAuthV2 behavior for a refresh token? Should it act like a pass-through?
Here's my policy specific to refresh:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="OA-verifyAPIKey-and-Secret-Refresh">
    <DisplayName>OA-verifyAPIKey-and-Secret-Refresh</DisplayName>
    <Properties/>
    <Attributes/>
    <ExternalAuthorization>false</ExternalAuthorization>
    <StoreToken>false</StoreToken>
    <Operation>GenerateAccessToken</Operation>
    <SupportedGrantTypes>
        <GrantType>password</GrantType>
    </SupportedGrantTypes>
    <GenerateResponse enabled="false"/>
    <GenerateErrorResponse enabled="true"/>
    <Tokens/>
</OAuthV2>
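As an added illustration (not part of the original question, the Apigee sample, or the OAuthV2 policy itself), the following Python models the check the proxy is expected to perform before forwarding either a password or a refresh_token request to the IDP: parse the Basic Authorization header, verify the client id and secret against a registry, and only then let the request through. The client registry, the client id "abc123apikey", the secret value and the request bodies are constructed for the example; the decision structure (reject unsupported grant types, reject unknown or wrong credentials, require a refresh_token parameter for that grant) is the behavior a practitioner would want for both grant types, rather than a pass-through on refresh.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs

# Constructed sample client registry (hypothetical; not an Apigee structure).
# Secrets are kept hashed so a leaked registry does not leak usable secrets.
def _h(secret: str) -> str:
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()

CLIENTS = {
    "abc123apikey": _h("s3cr3t-value"),  # constructed client id and secret
}

# The two grant types the question's proxy forwards to the external IDP.
ALLOWED_GRANTS = {"password", "refresh_token"}


def basic_header(client_id: str, secret: str) -> str:
    """Build the Basic Authorization header a client sends (demo helper)."""
    raw = f"{client_id}:{secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_auth(header: str):
    """Return (client_id, client_secret) from a Basic header, or None if malformed."""
    if not header:
        return None
    scheme, _, value = header.partition(" ")
    if scheme.lower() != "basic" or not value.strip():
        return None
    try:
        decoded = base64.b64decode(value.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        # binascii.Error (bad base64) is a ValueError subclass.
        return None
    client_id, sep, secret = decoded.partition(":")
    if not sep or not client_id:
        return None
    return client_id, secret


def verify_client(header: str) -> bool:
    """True only if the header carries a registered client id and its secret."""
    creds = parse_basic_auth(header)
    if creds is None:
        return False
    client_id, secret = creds
    expected = CLIENTS.get(client_id)
    if expected is None:
        # Run a comparison anyway so unknown and known ids cost similar time.
        hmac.compare_digest(_h(secret), _h("unknown"))
        return False
    return hmac.compare_digest(_h(secret), expected)


def authorize_token_request(headers: dict, body: str) -> dict:
    """Decide whether the proxy may forward this token request to the IDP.

    Returns a dict with 'forward' (bool) plus either the grant_type that was
    accepted or the OAuth error code and HTTP status the proxy should raise.
    """
    form = parse_qs(body, keep_blank_values=True)
    grant = form.get("grant_type", [""])[0]
    if grant not in ALLOWED_GRANTS:
        return {"forward": False, "status": 400, "error": "unsupported_grant_type"}
    # Client verification applies to every grant type, refresh included.
    if not verify_client(headers.get("Authorization", "")):
        return {"forward": False, "status": 401, "error": "invalid_client"}
    if grant == "refresh_token" and not form.get("refresh_token", [""])[0]:
        return {"forward": False, "status": 400, "error": "invalid_request"}
    return {"forward": True, "status": 200, "grant_type": grant}


if __name__ == "__main__":
    # Constructed sample requests mirroring the question's two call shapes.
    auth = {"Authorization": basic_header("abc123apikey", "s3cr3t-value")}
    print(authorize_token_request(auth, "grant_type=password&username=u&password=p"))
    print(authorize_token_request(auth, "grant_type=refresh_token&refresh_token=rt-1"))
    bad = {"Authorization": basic_header("abc123apikey", "wrong")}
    print(authorize_token_request(bad, "grant_type=refresh_token&refresh_token=rt-1"))
```

The point of the model is the ordering: the credential check sits in front of the forwarding decision for both grant types, so a wrong or missing secret on a refresh_token call is rejected with invalid_client instead of being passed through to the IDP.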