External Authorization OAuth Client_id error with grant_type as authorization_code

Google Cloud Apigee
1

Hi,

I am trying to implement Oauth Policy with External Authorization ( Google ). I’m able to generate authorization code with google from call out policy. After that i used extract policy to fetch access_token from JSON response and set it in variable. After that i used assign message policy to set

oauth_external_authorization_status variable to true. After that i have OAuthV2 policy to store the token. But i was getting error :

<code>{"ErrorCode" : "invalid_client", "Error" :"Client identifier is required"}<br><br>

Then i set client_id which i used to generate Google code in the same assign message policy where i set oauth_external_authorization_status in FormParams

Now i’m getting error :

{“ErrorCode” : “invalid_client”, “Error” :“ClientId is Invalid”}

It means, it is picking this client_id but its not liking the way its set. I’m giving the hard coded value of client_id ( Base 64 encoding ) in the policy but getting same error.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
 <ExtractVariables name="ExtractAccessToken">  
 <Source>GoogleOAuthTokenResponse</Source>  
 <JSONPayload>  
  <Variable name="accessToken">  
  <JSONPath>$.access_token</JSONPath>  
  </Variable>  
 </JSONPayload>  
 <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</ExtractVariables>

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AssignMessage name="AssignMessage-TokenSetVariable">  
 <DisplayName>Assign Message - Set Variable</DisplayName>  
 <Set>  
  <FormParams>  
   <FormParam name="client_id">xxxxxxxxxxxxx</FormParam>  
  </FormParams>  
 </Set>  
 <AssignVariable>  
  <Name>oauth_external_authorization_status</Name>  
  <Value>true</Value>  
 </AssignVariable>  
 <AssignTo createNew="false" transport="http" type="request"/>  
 <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</AssignMessage>

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
 <OAuthV2 name="OAuth-v20-Store-External-Token">
 <DisplayName>OAuth v2.0 1</DisplayName>  
 <Attributes/>  
 <ExternalAccessToken>request.queryparam.accessToken</ExternalAccessToken>
 <ExternalAuthorization>true</ExternalAuthorization>  
 <Operation>GenerateAccessToken</Operation>
 <GenerateResponse enabled="true">
 <Format>FORM_PARAM</Format>  
 </GenerateResponse>  
 <ReuseRefreshToken>false</ReuseRefreshToken>  
 <StoreToken>true</StoreToken>  
 <Tokens/>
</OAuthV2>

Any advice would be really helpful.

Thanks

2

Hello @hughespoc

I’m assuming that you created an Apigee product and app, so that you have a client ID and secret stored in Apigee Edge. That is the client ID that needs to be included in your request to Apigee.

Alternatively, you could create an Apigee product and app and then add your Google client ID and secret to that app (see the management API docs to create developer key and associate product to key).

Please try the following:

  1. In your OAuthV2 policy, you should include the supported grant types. When you don’t include that element then this policy will support authorization_code and implicit only.
<?xml version="1.0" encoding="UTF-8"?>
<OAuthV2name="OAuth-v20-Store-External-Token">
  <DisplayName>OAuth v2.0 1</DisplayName>
  <Attributes/>
  <ExternalAccessToken>request.queryparam.accessToken</ExternalAccessToken>
  <ExternalAuthorization>true</ExternalAuthorization>
  <Operation>GenerateAccessToken</Operation>
  <GenerateResponseenabled="true">
    <Format>FORM_PARAM</Format>
  </GenerateResponse>
  <ReuseRefreshToken>false</ReuseRefreshToken>
  <StoreToken>true</StoreToken>
  <SupportedGrantTypes>
      <GrantType>client_credentials</GrantType>
  </SupportedGrantTypes>
  <Tokens/>
</OAuthV2>
  1. Include the client_credentials grant_type in your assign message policy. You mentioned that you provided the client ID base64 encoded originally (your original statement below).
I'm giving the hard coded value of client_id ( Base 64 encoding ) in the policy but getting same error.

You have to decode the client ID first before you reference it in this policy; you can use the Basic Authentication policy for that.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AssignMessage name="AssignMessage-TokenSetVariable">  
 <DisplayName>Assign Message - Set Variable</DisplayName>  
 <Set>  
  <FormParams>  
   <FormParam name="client_id">xxxxxxxxxxxxx</FormParam>  
   <FormParam name="grant_type">client_credentials</FormParam>
  </FormParams>  
 </Set>  
 <AssignVariable>  
  <Name>oauth_external_authorization_status</Name>  
  <Value>true</Value>  
 </AssignVariable>  
 <AssignTo createNew="false" transport="http" type="request"/>  
 <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</AssignMessage>

I would also recommend reviewing our third-party oauth docs (if you haven’t seen this already).

1 Like
3

@swilliams That worked. Thanks