Hi guys, I'm new to Apigee and trying to add OAuth v2.0 to one of my proxies. I watched the foundation videos, chapter 6, and followed all the steps.
I've been trying the client_credentials grant type. I got the "access_token" and now I have added OAuth v2.0 to my proxy with <Operation>VerifyAccessToken</Operation>.
In the API Console I set the header parameter to Authorization with the value Bearer <access_token>, and when I click Send on the GET resource I get this error:
HTTP/1.1 401 Unauthorized
Date: Tue, 31 Mar 2015 15:28:50 GMT
Access-Control-Allow-Origin: *
Content-Length: 202
Connection: keep-alive
Content-Type: application/json
Server: Apache-Coyote/1.1

{
  "error": "auth_unverified_oath",
  "timestamp": 1427815730356,
  "duration": 0,
  "exception": "org.apache.usergrid.rest.exceptions.SecurityException",
  "error_description": "Unable to authenticate OAuth credentials"
}
Where did I go wrong?
I would check to make sure the product that you created includes the API resource for the resource you were trying to access. I would also make sure that you removed any extra tags from the OAuth2 policy that are unneeded for verification of an access token.
Yeah, I went through my proxy, resources and OAuth2 policy; everything is in the right place. What else can cause this error?
At this point I feel like it has something to do with your product, or a missing character when you pasted your access_token into your header. To rule out an issue with the product you can add /** to the resources section. I would then double-check that your access token matches exactly what was returned by the generate access token call; it is case-sensitive. These are the most common issues you may run across setting this up.
Well, in the API Console, in the header's Value box, I entered "BearerToken <access_token>". Then when I send it, I get the desired response. So instead of "Bearer", "BearerToken" is working for me.
Anyway thank you for making me go through the things twice 🙂
BTW do you have any idea why BearerToken is working instead of Bearer?
Can you show, in full, your OAuthV2 policy that has the VerifyAccessToken operation?
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="OAuth-v20-1">
    <DisplayName>OAuth v2.0 1</DisplayName>
    <FaultRules/>
    <Properties/>
    <Attributes/>
    <ExternalAuthorization>false</ExternalAuthorization>
    <Operation>VerifyAccessToken</Operation>
    <SupportedGrantTypes/>
    <GenerateResponse enabled="true"/>
    <Tokens/>
</OAuthV2>
Do you need anything else?
Hi @Dino, as I said, BearerToken was working for me 7 days ago. Now neither of them works. I tried multiple times with a newly generated access token, and I still get the same error which I mentioned in the first post.
Any suggestions about this?
Hi,
Looks like the error ['org.apache.usergrid.rest.exceptions.SecurityException'] indicates it's coming from BaaS. Are you proxying API BaaS? Probably your backend is returning the error, and probably because your token to the backend is not correct?
Thanks,
Yeah, I'm using a proxy to GET data from BaaS. But what is a token to the backend? Can you guide me about that? I have no idea about a token to the backend.
Thanks
That's a good catch @mukundha@apigee.com. @Barahalikar Siddharth, you need to either pass a token or client_id/secret while calling BaaS if your app is not a sandbox app.
Check this link for more info http://apigee.com/docs/app-services/content/authenticating-users-and-application-clients.
As a best practice, always do a curl directly to your BaaS resource and see if you can access it before calling it from the API proxy.
@Maruti Chand, this is what I'm trying to GET through the proxy:
https://api.usergrid.com/siddharth1/sandbox/restaurants
This is a sandbox app right?
One more thing is that this whole OAuth thing worked fine two days ago, and since yesterday it is giving me a problem.
My question is why is OAuth not working now which used to work before with the same steps applied?
@mukundha@apigee.com and @Maruti Chand
Guys, I need one more clarification: 8 days ago, when I got this error ['org.apache.usergrid.rest.exceptions.SecurityException'],
I used BearerToken <accesstoken> instead of Bearer <accesstoken> and the error disappeared and I got the requested response.
Why did BearerToken <accesstoken> work?
Adding to @Maruti Chand's comment: there is no auth scheme called 'BearerToken', so the service will ignore whatever you send there.
But 'Bearer' is a valid OAuth auth scheme, so when this header is present, the service tries to validate the request and it fails.
In your case it's easier, since you are using sandbox and you don't need any credential for API BaaS. So in your proxy, after the access token is validated, remove the Authorization header before sending to BaaS.
Thanks
How can I do this?
////So in your proxy after the access token is validated, remove the Authorization header before sending to the Baas////
You can do this using the AssignMessage policy: in the Remove section you can remove the headers. Attach this policy in the request flow.
<Remove>
    <Headers>
        <Header name="Authorization"/>
    </Headers>
</Remove>
Thanks,
@Barahalikar Siddharth, a few things:
For sandbox, if you try the API with any Authorization header without the Bearer keyword it will work, but if you pass Bearer, BaaS tries to validate and fails.
BearerToken should work even now, though it is not required. Can you do a direct curl from your command line and check?
curl -v https://api.usergrid.com/siddharth1/sandbox/restaurants -H "Authorization: Bearer AVDS" // will give you 401
curl -v https://api.usergrid.com/siddharth1/sandbox/restaurants -H "Authorization: BearerToken AVDS" //will work
Hi @Maruti Chand,
I've a few questions...
curl -v https://api.usergrid.com/siddharth1/sandbox/restaurants -H "Authorization: BearerToken AVDS"
The above command works with or without BearerToken.
Actually my requirement is that my proxy url should be able to hit the BaaS backend and GET the data such as,
curl -v http://siddharth1-test.apigee.net/restaurants -H "Authorization: BearerToken AVDS"
where
Default Proxy Endpoint Base Path - /restaurants
Default Target Endpoint URL - http://api.usergrid.com/siddharth1/sandbox/restaurants
So when I use this command, I get the following error.
HTTP/1.1 401 Unauthorized
Content-Type: application/json
WWW-Authenticate: Bearer realm="null",error='invalid_token",error_description=auth.v2.InvalidAccessToken: Invalid access token"
Content-Length: 101
Connection: keep-alive

{"fault":{"faultstring":"Invalid access token","detail":{"errorcode":"oauth.v2.InvalidAccessToken"}}}
* Connection #0 to host siddharth1-test.apigee.net left intact
So my question is, how can I use OAuth with my Proxy URL having BaaS as my backend.
To keep things simple and make it easier for you to try things out, the "sandbox" application in BaaS has all authentication disabled. That way, it doesn’t require an access token for application-level calls to the API.
Create an API proxy in Edge with "Backend Service URL" set to http://api.usergrid.com/siddharth1/sandbox/restaurants. To protect this new API proxy, you could use the out-of-the-box OAuthV2 policy with Operation set to "VerifyAccessToken". Now generate an access token using any of the OAuth grant types (e.g. a simple client credentials flow is described here). Once you have the access token, call the protected API proxy by passing the access token as part of the Authorization header, e.g. "Authorization Bearer <ACCESS_TOKEN>". Please check out our documentation site with detailed steps here.
curl: (6) Could not resolve host: \
{"fault":{"faultstring":"Invalid access token","detail":{"errorcode":"oauth.v2.InvalidAccessToken"}}}
Hi @sudheendra1, I followed all the steps, but I'm still getting this error.
I've even created a new account and tried it. Still same error.
This OAuth setup used to work for me a few weeks back; now it is not working even after applying the same steps.
Can you please share your proxies?
I have attached the GenerateToken and VerifyAccessToken proxies; have a look.
Thanks! These proxies helped me solve the problem.
All you need to do is to remove the "Authorization" header in your "323-cats-oauth-rev1-2015-04-15" proxy before calling BaaS (i.e. after Verify Token policy). Otherwise BaaS tries to validate the token and eventually fails as it was generated by Edge. Remember BaaS also provides OAuth way of generating/verifying tokens.
You can remove the "Authorization" header using "AssignMessage" policy as below -
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AssignMessage async="false" continueOnError="false" enabled="true" name="Assign-Message-1">
    <DisplayName>Assign Message 1</DisplayName>
    <FaultRules/>
    <Properties/>
    <Remove>
        <Headers>
            <Header name="Authorization"></Header>
        </Headers>
    </Remove>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
    <AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>
I have also attached the updated proxy here.. 323-cats-oauth-rev1-2015-04-15-rev2-2015-04-15.zip
After you generate the Access Token, call this API proxy with "Authorization Bearer <ACCESS_TOKEN>" header.
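The thread shows the two policies but not where they sit relative to each other, which is the part that decides whether the Edge-issued token leaks to BaaS. The ProxyEndpoint below is an added example, not the attached proxy or any Apigee-provided file: it wires the OAuthV2 policy named "OAuth-v20-1" and the AssignMessage policy named "Assign-Message-1" (both names from the policies posted in this thread) into the request PreFlow, in that order, using the base path /restaurants mentioned above. The target endpoint name "default" and the virtual host "default" are assumptions; the target's URL would be the BaaS sandbox collection URL given earlier in the thread.

```xml
<!-- apiproxy/proxies/default.xml (added example; not the proxy attached in the thread) -->
<ProxyEndpoint name="default">
  <PreFlow name="PreFlow">
    <Request>
      <!-- Step 1: Edge verifies the token it issued. A bad or missing token
           stops here with oauth.v2.InvalidAccessToken and never reaches BaaS. -->
      <Step>
        <Name>OAuth-v20-1</Name>
      </Step>
      <!-- Step 2 (must come AFTER verification): drop the Authorization header
           so the Edge token is not forwarded. BaaS understands the Bearer
           scheme and would try to validate a token it never issued -> 401. -->
      <Step>
        <Name>Assign-Message-1</Name>
      </Step>
    </Request>
    <Response/>
  </PreFlow>
  <Flows/>
  <PostFlow name="PostFlow">
    <Request/>
    <Response/>
  </PostFlow>
  <HTTPProxyConnection>
    <BasePath>/restaurants</BasePath>
    <!-- "default" virtual host is an assumption -->
    <VirtualHost>default</VirtualHost>
  </HTTPProxyConnection>
  <RouteRule name="default">
    <!-- "default" TargetEndpoint is an assumption; its <URL> is the BaaS
         sandbox collection URL from earlier in the thread -->
    <TargetEndpoint>default</TargetEndpoint>
  </RouteRule>
</ProxyEndpoint>
```

The ordering is the whole point: if the AssignMessage step ran first, the OAuthV2 step would see no Authorization header and reject every request; if it is omitted, BaaS sees a Bearer token it cannot validate and returns the SecurityException quoted at the top of the thread. Because the sandbox app has authentication disabled, the request to BaaS carries no credential at all after the header is removed; for a non-sandbox BaaS app, the client_id/secret or BaaS token that the earlier replies mention would have to be added for the target call instead.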
Would it be possible to update the Foundation Training module "Connecting Edge to BaaS" with this information, as the example won't work without this policy applied to the BaaS collection target's PreFlow?
Whoa!!...finally it is working.
The same solution was given by @mukundha@apigee.com but I somehow couldn't do it.
@sudheendra1 Thank you for providing the updated proxy.
Hi @sudheendra1, a simple question: now that OAuth is working for me, how can I make it work for a webpage?
I have a webpage where I GET and display the data from sandbox (BaaS). So when I added OAuth to my proxy, my webpage doesn't get the data because of the OAuth conflict.
So what do I have to do? Every time, should I go to the APIGEE console and enter the access token, and only then does the webpage get the data?
What do you want to accomplish?
Ideally you do everything programmatically, i.e. obtaining the access token, calling subsequent APIs with the access token, etc. You could use your preferred programming language to implement this.