Apigee doesn't seem to support the OAuth 2 spec, is there a reason?
We are making client_credentials
bearer requests using OAuth 2 flow with Apigee. According to the spec :
4.4.2. Access Token Request
The client makes a request to the token endpoint by adding the
following parameters using the "application/x-www-form-urlencoded"
format per Appendix B with a character encoding of UTF-8 in the HTTP
request entity-body:
grant_type
REQUIRED. Value MUST be set to "client_credentials".
If we make a call, we get an error like this:
{"ErrorCode" : "invalid_request", "Error" :"Required param : grant_type"}
It seems that with Apigee we have to send grant_type
as a request parameter.
Why is this? We have Apigee clients who cannot use OAuth libraries in their language of choice due to the way Apigee deals with OAuth 2, and it would be good to know if there is by design or not.
Also, it looks like it maintains grant_type
in the body of the message and sends the id and key using basic auth.
source to share
It turns out you don't need to send grant_type
as a request parameter. There is an element in your GenerateAccessToken policy <GrantType>
that takes a variable. For example, I can use the following:
<OAuthV2 name="GenerateAccessToken">
<DisplayName>GenerateAccessToken</DisplayName>
<FaultRules/>
<Properties/>
<!-- This policy generates an OAuth 2.0 access token using the password grant type -->
<Operation>GenerateAccessToken</Operation>
<!-- This is in millseconds -->
<ExpiresIn>1800000</ExpiresIn>
<Attributes/>
<SupportedGrantTypes>
<GrantType>password</GrantType>
</SupportedGrantTypes>
<GenerateResponse enabled="false">
<Format>FORM_PARAM</Format>
</GenerateResponse>
<GrantType>user.grant_type</GrantType>
<UserName>request.header.username</UserName>
<PassWord>request.header.password</PassWord>
</OAuthV2>
This example grant_type
is passed as user.grant_type
. But it user.grant_type
can be anything: a title, a request parameter, a form parameter, or even a hard-coded value. This way, you (the developer) have the most flexibility as to how you want to send to grant_type
.
source to share
Can you insert the exact API call you are making (obviously you have to obfuscate the key and secret)?
I would like to understand what you are saying when you say "Apigee" - it could mean the BAAS API ( https://api.usergrid.com ) or the proxy that you defined with API services and linked the OAuth 2 policy or what what else?
source to share