How to code an automatic conversion of an authentication token to refresh token

Google Cloud Apigee
1

I had received an odd requirement.

Current Proxy returns:

{ “refresh_token_expires_in”: “7775999”, “refresh_token_status”: “approved”, “api_product_list”: “[nextGen-Oauth]”, “app_enduser”: “FF703B7C-004A-49A4-808E-C2698BF8C61C:62889a5a-8a41-4e47-815f-8c4cb56a166d”, “api_product_list_json”: [ “nextGen-Oauth” ], “organization_name”: “l;assesen-trial”, “developer.email”: “klassess@starbucks.com”, “token_type”: “BearerToken”, “issued_at”: “1525556675486”, “client_id”: “3r6bjRdkqnwG8v9Kb0KSOCjWS2ARnpnj”, “access_token”: “bAhzGSvXbXvV7CjVyJZtFtppMCWs”, “refresh_token”: “wGuAAhEjVHL3c17knLRsVOjSbGgplS2b”, “application_name”: “62889a5a-8a41-4e47-815f-8c4cb56a166d”, “grant_type”: “urn:ietf:params:oauth:grant-type:jwt-bearer”, “scope”: “”, “refresh_token_issued_at”: “1525556675486”, “expires_in”: “3599”, “refresh_count”: “0”, “status”: “approved” }

They want it to be reduced to a refresh token only, stripped of other information. I see two ways:

  • Set generate response=false and custom build a response that looks like a refresh token.
  • After getting the above, flip around and send the refresh token back immediately - THEN return the subsequent response only.

I do not like the second – slower response, more load. BUT

  • I was wondering if masquerading the above response as a refresh token may have some unseen side-effect.

Personally, I prefer not to do either – but the request is from higher up the pecking order.

1 Like
2

Simple extract variable (JSONPath) and assign using set should help respond only refresh token.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ExtractVariables async="false" continueOnError="false" enabled="true" name="extract-token-response">
  <DisplayName>Extract-TokenResponse</DisplayName>
  <JSONPayload>
   
  <Variable name="refreshToken">
  <JSONPath>$.refresh_token</JSONPath>
  </Variable> 
   
  </JSONPayload>
</ExtractVariables>
3

It does not make sense to return only a refresh token. The refresh token is only useful for getting an access token. If you don’t send back at least the access token, then the client app will not be able to invoke any APIs. I may be misunderstanding your plan… “send the refresh token back immediately - THEN return the subsequent response only.” I don’t understand exactly how that would work. The API Proxy can send back just one response to the request-for-token.

When I want to groom the token response, I use JavaScript. This code ought to be pretty clear.

// groomTokenResponse.js
// ------------------------------------------------------------------
//
// Tweaks the generated OAuth token response.

var b1 = JSON.parse(response.content),
    propertiesToRemove = ['status', 'refresh_token_status',
                           "refresh_token_expires_in", "client_id",
                          'token_type', 'organization_name', 
                          'scope', 'application_name', 
                          'api_product_list_json',
                          'api_product_list',
                          'refresh_count', 'developer.email'];

if (b1.access_token) {
  propertiesToRemove.forEach(function(item){
    delete b1[item];
  });

  // pretty-print the resulting JSON
  context.setVariable('response.content', JSON.stringify(b1, null, 2));
}

This is all just in-memory manipulation, so it will be fast. The result might be:

{
  "access_token" : "hsdisufhkjsdhdskj",
  "refresh_token" : "ajqq3673yehjhekhs"
}

Obviously if you are sending only 2 properties back it might be simpler to just do this:

var b1 = JSON.parse(response.content),
    newResponse;

if (b1.access_token) {
  newResponse = { access_token: b1.access_token,
       refresh_token : b1.refresh_token } ;

  // pretty-print the resulting JSON
  context.setVariable('response.content', JSON.stringify(newResponse, null, 2));
}