Gen CC token fails after ValidateKey succeeds

I have the following GenToken policy that fails just after the client_id has been validated successfully by a ValidateKey step


<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="OAuth-v20-genClientToken">
    <DisplayName>OAuth v2.0-genClientToken</DisplayName>
    <Operation>GenerateAccessToken</Operation>
    <ClientId>request.queryparam.client_id</ClientId>
    <GrantType>request.queryparam.grant_type</GrantType>
    <SupportedGrantTypes>
        <GrantType>client_credentials</GrantType>
    </SupportedGrantTypes>
    <GenerateResponse enabled="false"/>
</OAuthV2>

I am not clear what could even cause this to happen.

Any help/pointers would be greatly appreciated.

Hey @terrancedavid

If you could expand on what the error message is, it will be easier to trace the issue.

I would examine whether grant type is indeed being passed correctly.
GenerateAccessToken is fussy in this regard, insisting on obtaining the grant_type from a variable. You could insist the users pass this or use an AssignMessage policy to hardcode the parameter value.

request.queryparam.grant_type

However …

Assuming the error you are getting is:

{"ErrorCode" : "invalid_client", "Error" :"Client identifier is required"}

then the reason is likely to be that you have not provided the Authorization header.

The policy does not reference the client ID from the tag.

It expects an Authorization header of 'Basic {base64Encoded clientID:clientSecret}'

Update: You can also POST client_id and client_secret as form parameters in the body, e.g.
client_id=QrS96hvxnRY64kvt2Mt4jTMQiaYUnkaZ&client_secret=UmFCc1GmijjO2h3T

I am including two policies that would allow you to generate this on behalf of the caller, but I must point out that in doing this you are bypassing the security provided when you require the user to pass both clientID and clientSecret.

1. verifyKey

<VerifyAPIKey async="false" continueOnError="false" enabled="true" name="tryVerifyAPIkey">
    <DisplayName>tryVerifyAPIkey</DisplayName>
    <Properties/>
    <APIKey ref="request.queryparam.client_id"/>
</VerifyAPIKey>

2. Build a header using verifyKey details

<BasicAuthentication async="false" continueOnError="false" enabled="true" name="BABuildAuthHeader">
    <DisplayName>BA.BuildAuthHeader</DisplayName>
    <Operation>Encode</Operation>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <User ref="request.queryparam.client_id"/>
    <Password ref="verifyapikey.tryVerifyAPIkey.client_secret"/>
    <AssignTo createNew="false">request.header.Authorization</AssignTo>
</BasicAuthentication>

3. Generate the token.

<OAuthV2 async="false" continueOnError="false" enabled="true" name="OAuth-v20-genClientToken">
    <DisplayName>OAuth v2.0-genClientToken</DisplayName>
    <Operation>GenerateAccessToken</Operation>
    <GrantType>request.queryparam.grant_type</GrantType>
    <SupportedGrantTypes>
        <GrantType>client_credentials</GrantType>
    </SupportedGrantTypes>
    <GenerateResponse enabled="false"/>
</OAuthV2>

Hope this helps.

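To make the answer's point concrete, here is an added Python illustration (not code from the thread or from Apigee) of how a client-credentials token request is resolved: the Authorization header or the form body supplies the client, a query-string client_id alone does not, and grant_type is checked separately. The credential values and the unsupported_grant_type body are constructed placeholders; only the invalid_client body is the one quoted above.

```python
import base64
from urllib.parse import parse_qs

# Error body quoted in the thread for a request that carries no client identifier.
MISSING_CLIENT = {"ErrorCode": "invalid_client", "Error": "Client identifier is required"}


def build_basic_auth_header(client_id: str, client_secret: str) -> str:
    """Same encoding the BasicAuthentication Encode policy produces: Basic base64(id:secret)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def extract_client_credentials(headers: dict, body: str):
    """Resolve client credentials the way the thread describes: the Authorization header
    first, then client_id/client_secret form parameters in the POST body.
    Returns (client_id, client_secret, source) or None when neither is present."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            decoded = base64.b64decode(auth[len("Basic "):], validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return None  # a malformed header counts as no credentials, not as a fallback
        client_id, sep, secret = decoded.partition(":")
        return (client_id, secret, "header") if sep and client_id else None
    form = parse_qs(body)  # blank values are dropped, so an empty secret does not count
    if form.get("client_id") and form.get("client_secret"):
        return form["client_id"][0], form["client_secret"][0], "form"
    return None


def token_request_outcome(query: dict, headers: dict, body: str = "") -> dict:
    """Approximate the order of checks the thread attributes to GenerateAccessToken.
    Illustrative only, not Apigee's implementation: a query-string client_id by itself
    (the original poster's setup) is ignored, so it yields the quoted invalid_client error."""
    creds = extract_client_credentials(headers, body)
    if creds is None:
        return MISSING_CLIENT
    client_id, _secret, source = creds
    if query.get("grant_type") != "client_credentials":
        # Standard OAuth 2.0 error code (RFC 6749); the exact Apigee body is not quoted in the thread.
        return {"ErrorCode": "unsupported_grant_type", "Error": "grant_type must be client_credentials"}
    return {"issued_for": client_id, "credentials_from": source}


if __name__ == "__main__":
    cid, secret = "example-client-id", "example-client-secret"  # constructed placeholders
    print(token_request_outcome({"client_id": cid, "grant_type": "client_credentials"}, {}))
    hdr = {"Authorization": build_basic_auth_header(cid, secret)}
    print(token_request_outcome({"grant_type": "client_credentials"}, hdr))
```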