How do I use an external access token in Apigee?

Google Cloud Apigee
1

I’m trying to use an external access token in Apigee, but I get the following error code:

{"ErrorCode" : "invalid_client", "Error" :"Client identifier is required"}

I already have an APIkey verification policy in the flow. Should I do anything more to let the oauth policy know the client identifier?

This is my OAuth2 generate token xml:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="generate-access-token">
    <DisplayName>OAuth v2.0: Generate Token</DisplayName>
    <Properties/>
    <Attributes>
        <Attribute name="scope" ref="scope"/>
        <Attribute name="id_token" ref="id_token"/>
    </Attributes>
    <ExternalAuthorization>true</ExternalAuthorization>
    <ExternalAccessToken>access_token</ExternalAccessToken>
    <Operation>GenerateAccessToken</Operation>
    <SupportedGrantTypes>
        <GrantType>password</GrantType>
        <GrantType>authorization_code</GrantType>
        <!--<GrantType>refresh_token</GrantType>-->
    </SupportedGrantTypes>
    <GenerateResponse enabled="true"/>
    <Tokens/>
    <Tokens/>
</OAuthV2>

APIkey verification:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<VerifyAPIKey async="false" continueOnError="false" enabled="true" name="verify-api-key">
    <DisplayName>verify api key</DisplayName>
    <Properties/>
    <APIKey ref="request.header.apikey"/>
</VerifyAPIKey>
2

Hi @Friso Denijs

Please follow the steps provided here. You need to provide the client info and the grant_type in the request (qp or form param).

You can provide the info using AssignMessage policy

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AssignMessage name="set-external-auth-status">
    <DisplayName>set-external-auth-status</DisplayName>
    <AssignTo createNew="true" type="request">request</AssignTo>
    <Set>
        <FormParams>
            <FormParam name="client_id">{request.header.apikey}</FormParam>
            <FormParam name="grant_type">{request.queryparam.grant_type}</FormParam>
        </FormParams>
    </Set>
    <AssignVariable>
        <Name>oauth_external_authorization_status</Name>
        <Value>true</Value>
    </AssignVariable>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</AssignMessage>
3

Hi @Friso Denijs - Were you able to get the external token to work by following the doc Sai recommended?