Getting {"Error":"ClientId is Invalid","ErrorCode":"invalid_client"} when using external access token

I am following the sequence below:

----------------------
1 - Service Callout to get the token
2 - Extract Variables to extract the token
3 - Assign Message
4 - OAuth 2.0 policy

---------------------

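<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Calls the Workday OAuth token endpoint with the refresh_token grant and stores the
     whole response in the flow variable "tokenresponse". -->
<ServiceCallout name="Service-Callout-1" enabled="true" continueOnError="false" async="false">
    <DisplayName>Service Callout-1</DisplayName>
    <Properties/>
    <Request>
        <Set>
            <Headers>
                <!-- The body is built from FormParams, and an OAuth token endpoint expects a
                     form-encoded body, so the declared type has to match it. -->
                <Header name="Content-Type">application/x-www-form-urlencoded</Header>
                <!-- Secrets are referenced through flow variables instead of being written into
                     the policy, where they end up in source control, exported bundles and forum
                     posts. The two variable names are illustrative placeholders: populate them
                     from an encrypted key value map before this step runs (the "private."
                     prefix keeps the values masked in debug sessions). Any credential that has
                     been pasted into a policy file or a public post should be rotated. -->
                <Header name="Authorization">Basic {private.workday.basic_credentials}</Header>
            </Headers>
            <FormParams>
                <FormParam name="grant_type">refresh_token</FormParam>
                <FormParam name="refresh_token">{private.workday.refresh_token}</FormParam>
            </FormParams>
            <!-- Token requests are POSTs; stated explicitly rather than left to the default. -->
            <Verb>POST</Verb>
        </Set>
    </Request>
    <!-- Name of the flow variable that receives the token endpoint's response message. -->
    <Response>tokenresponse</Response>
    <HTTPTargetConnection>
        <Properties/>
        <URL>https://wd2-impl-services1.workday.com/ccx/oauth2/XXX/token</URL>
    </HTTPTargetConnection>
</ServiceCallout>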

------------------------------------------

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Reads the JSON body of the message held in the flow variable "tokenresponse" and copies
     its top-level access_token field into the flow variable "access_token". -->
<ExtractVariables async="false" continueOnError="false" enabled="true" name="extract-refresh-callout-response">
    <DisplayName>extract refresh callout response</DisplayName>
    <Properties/>
    <JSONPayload>
        <!-- NOTE(review): this variable holds a bearer token. A name without the "private."
             prefix is presumably visible in debug sessions; consider a private name, and keep
             it identical in every policy that reads the variable. Confirm against your
             masking configuration. -->
        <Variable name="access_token">
            <JSONPath>$.access_token</JSONPath>
        </Variable>
    </JSONPayload>
    <!-- clearPayload="false" leaves the payload of tokenresponse in place after extraction, so
         anything else the token endpoint returned stays readable by later steps. -->
    <Source clearPayload="false">tokenresponse</Source>
</ExtractVariables>

-------------------------------------

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Prepares the inputs for the OAuthV2 step: puts client_id on the request as a form
     parameter and sets the flow variable oauth_external_authorization_status to true. -->
<AssignMessage name="AssignMessage-SetVariable">
    <DisplayName>Assign Message - Set Variable</DisplayName>
    <!-- NOTE(review): createNew="true" appears to replace the current request with a new
         message, so form parameters sent by the caller (grant_type, for example) would no
         longer be present when OAuthV2 runs. Confirm this is intended. -->
    <AssignTo createNew="true" type="request">request</AssignTo>
    <Set>
        <FormParams>
            <!-- Must be the consumer key of an app registered in Apigee, and the same client id
                 the OAuthV2 policy resolves; otherwise the policy answers invalid_client. -->
            <FormParam name="client_id">M2JmhhMjItNzYwMTgyZjQ3ZTQw</FormParam>
        </FormParams>
    </Set>
    <!-- NOTE(review): the status is set to true unconditionally. It tells OAuthV2 that the
         external authorization succeeded, so this step should only run when the callout
         actually returned a token, for example behind a step condition that checks that
         access_token is not empty. -->
    <AssignVariable>
        <Name>oauth_external_authorization_status</Name>
        <Value>true</Value>
    </AssignVariable>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</AssignMessage>

--------------------------------------

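<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Stores an access token issued by an external authorization server in Apigee's token
     store, bound to the client id of a registered app, so that later requests can be
     verified against it. -->
<OAuthV2 name="OAuth-v20-Store-External-Token">
    <DisplayName>OAuth v2.0 1</DisplayName>
    <Attributes/>
    <!-- Name of the flow variable that holds the external token (written by the
         ExtractVariables step), not the token itself. -->
    <ExternalAccessToken>access_token</ExternalAccessToken>
    <!-- With external authorization on, the policy relies on the flow variable
         oauth_external_authorization_status instead of validating client credentials itself,
         so that variable must only be true after the external call really succeeded. -->
    <ExternalAuthorization>true</ExternalAuthorization>
    <!-- ClientId names the flow variable to read the client id from. A literal consumer key
         here is treated as a variable name that does not resolve, which surfaces as
         "ClientId is Invalid". The key itself is supplied as the client_id form parameter
         and must belong to an app registered in Apigee. -->
    <ClientId>request.formparam.client_id</ClientId>
    <Operation>GenerateAccessToken</Operation>
    <GenerateResponse enabled="true">
        <Format>FORM_PARAM</Format>
    </GenerateResponse>
    <ReuseRefreshToken>false</ReuseRefreshToken>
    <!-- StoreToken=true makes Apigee accept this external token on later verification.
         NOTE(review): no ExpiresIn is set, so Apigee's own default lifetime applies; confirm
         it does not outlive the lifetime the external issuer gave the token. -->
    <StoreToken>true</StoreToken>
    <!-- NOTE(review): authorization_code normally requires a code parameter on the request;
         confirm the grant type the incoming request carries matches what is listed here. -->
    <SupportedGrantTypes>
        <GrantType>authorization_code</GrantType>
    </SupportedGrantTypes>
    <Tokens/>
</OAuthV2>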

The client ID used should exist in Apigee and be registered with the app. The client ID in the OAuth policy should be the same as the one in the request form parameter.
