Apigee doesn't seem to support the OAuth 2 spec, is there a reason?

We are making client_credentials bearer requests using the OAuth 2 flow with Apigee. According to the spec:

4.4.2.  Access Token Request

   The client makes a request to the token endpoint by adding the
   following parameters using the "application/x-www-form-urlencoded"
   format per Appendix B with a character encoding of UTF-8 in the HTTP
   request entity-body:

   grant_type
         REQUIRED.  Value MUST be set to "client_credentials".


If we make a call, we get an error like this:

{"ErrorCode" : "invalid_request", "Error" :"Required param : grant_type"}


It seems that with Apigee we have to send grant_type as a request parameter.

Why is this? We have Apigee clients who cannot use OAuth libraries in their language of choice due to the way Apigee deals with OAuth 2, and it would be good to know whether this is by design or not.

Also, it looks like it maintains grant_type in the body of the message and sends the id and key using basic auth.


2 answers


It turns out you don't need to send grant_type as a request parameter. There is an element in your GenerateAccessToken policy, <GrantType>, that takes a variable. For example, I can use the following:

<OAuthV2 name="GenerateAccessToken">
  <DisplayName>GenerateAccessToken</DisplayName>
  <FaultRules/>
  <Properties/>
  <!-- This policy generates an OAuth 2.0 access token using the password grant type -->
  <Operation>GenerateAccessToken</Operation>
  <!-- This is in milliseconds -->
  <ExpiresIn>1800000</ExpiresIn>
  <Attributes/>
  <SupportedGrantTypes>
    <GrantType>password</GrantType>
  </SupportedGrantTypes>
  <GenerateResponse enabled="false">
   <Format>FORM_PARAM</Format>
  </GenerateResponse>
  <GrantType>user.grant_type</GrantType>
  <UserName>request.header.username</UserName>
  <PassWord>request.header.password</PassWord>
</OAuthV2>

In this example grant_type is passed as user.grant_type. But user.grant_type can be anything: a header, a request parameter, a form parameter, or even a hard-coded value. This way, you (the developer) have the most flexibility as to how you want to send grant_type.

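To make the mismatch in the question concrete, here is an added Python model of both sides of the exchange; it is not code from the question, the answers or Apigee. The client half builds the request exactly as RFC 6749 section 4.4.2 describes (grant_type in the form-encoded body, client id and secret in an HTTP Basic header). The server half shows what happens when the token endpoint reads grant_type only from the query string, which reproduces the error body quoted in the question, versus reading it from the body as the spec expects. The endpoint URL, the client id/secret pair and the client registry are constructed placeholders.

```python
"""Added example: RFC 6749 client_credentials request and a token endpoint
that can be told where to look for grant_type (query string, body, or both).
Endpoint URL, credentials and registry below are constructed placeholders."""
import base64
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

TOKEN_ENDPOINT = "https://api.example.com/oauth/token"  # constructed placeholder


def build_client_credentials_request(client_id, client_secret, endpoint=TOKEN_ENDPOINT):
    """Client side, per RFC 6749 4.4.2: grant_type goes in the
    application/x-www-form-urlencoded entity body; the client authenticates
    with HTTP Basic (RFC 6749 2.3.1), so nothing goes in the query string."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return {
        "method": "POST",
        "url": endpoint,
        "headers": {
            "Authorization": "Basic " + base64.b64encode(raw).decode("ascii"),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode({"grant_type": "client_credentials"}),
    }


def parse_basic_auth(header_value):
    """Recover (client_id, client_secret) from an Authorization: Basic header,
    or None if the header is missing, malformed or not Basic."""
    scheme, _, encoded = header_value.partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        decoded = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    client_id, sep, secret = decoded.partition(":")
    return (client_id, secret) if sep else None


def find_grant_type(request, read_body=True, read_query=True):
    """Server side: return the grant_type value, or the error body quoted in
    the question when it is absent from every location this server reads.
    read_body=False models an endpoint that only inspects the query string,
    which is the behaviour the question complains about."""
    found = None
    if read_query:
        found = parse_qs(urlparse(request["url"]).query).get("grant_type", [None])[0]
    ctype = request["headers"].get("Content-Type", "")
    if found is None and read_body and ctype.startswith("application/x-www-form-urlencoded"):
        found = parse_qs(request["body"]).get("grant_type", [None])[0]
    if found is None:
        return {"ErrorCode": "invalid_request", "Error": "Required param : grant_type"}
    return found


def issue_token(request, read_body=True, read_query=True, clients=None):
    """Check grant_type and the Basic credentials against `clients`
    (a constructed client_id -> secret registry); return an error dict or a
    bearer token response.  Secret comparison is constant-time."""
    grant = find_grant_type(request, read_body, read_query)
    if isinstance(grant, dict):
        return grant
    if grant != "client_credentials":
        return {"ErrorCode": "unsupported_grant_type", "Error": grant}
    creds = parse_basic_auth(request["headers"].get("Authorization", ""))
    expected = (clients or {}).get(creds[0]) if creds else None
    if expected is None or not hmac.compare_digest(expected.encode(), creds[1].encode()):
        return {"ErrorCode": "invalid_client", "Error": "client authentication failed"}
    return {
        "access_token": secrets.token_urlsafe(32),
        "token_type": "Bearer",
        "client_id": creds[0],
    }


if __name__ == "__main__":
    registry = {"demo-client-id": "demo-client-secret"}  # constructed registry
    req = build_client_credentials_request("demo-client-id", "demo-client-secret")
    print(issue_token(req, clients=registry))                   # body is read: token issued
    print(issue_token(req, read_body=False, clients=registry))  # query only: grant_type error
```

Running the block shows the same spec-compliant request succeeding against the body-reading endpoint and failing with "Required param : grant_type" against the query-only one; the first answer's point is that the policy's <GrantType> variable decides which of those two behaviours a proxy has.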

Can you insert the exact API call you are making (obviously you have to obfuscate the key and secret)?



I would like to understand what you mean when you say "Apigee" - it could mean the BaaS API ( https://api.usergrid.com ), or the proxy that you defined with API Services and linked the OAuth 2 policy to, or something else?
