Hi
We are using client_credentials flow of Oauth 2.0.
We pass the following in token request:
-
client_id and client-secret as form parameters. Apigee should use these for validation when creating access_token.
-
Second set of credentials in Authorization header. Apigee should ignore Authorization header.
Those are used by our custom code during token creation.
Problem: Apigee reads Authorization header and ignores form parameters (client_id/client_secret). (Though Apigee correctly uses client_id/secret if Authorization header is not passed.)
Question:
How to configure Apigee so it ignores Authorization header and uses client_id and client_secret which are passed as form parameters?
I would appreciate any suggestions.
Regards
Can you add a Assign Message Policy with Remove Authrorization Heade policy before you use Generate Token policy.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AssignMessage async="false" continueOnError="false" enabled="true" name="Assign-Message-1">
<DisplayName>Assign Message-1</DisplayName>
<Properties/>
<Remove>
<Headers>
<Header name="Authorization"/>
</Headers>
</Remove>
<IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
<AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>
Also if you want to preserve the value of the Authorization header to use later, you can set a variable. Something like:
<AssignMessage name="Assign-Message-1">
<AssignVariable>
<Name>private.my_preserved_authz_header</Name>
<Ref>request.header.authorization</Ref>
<Value>BADDBEEF</Value>
</AssignVariable>
<Remove>
<Headers>
<Header name="Authorization"/>
</Headers>
</Remove>
<IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
<AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>
<br>
Then, later, if you want, you can restore the Authorization Header with a similar Assignmessage. And that latter AssignMessage might also wipe out the payload, if that’s appropriate.