How to use API Product OAuth scopes with Edge Micro?

Google Cloud Apigee
1

I have defined 2 scopes for my API product (itself sitting on a single API proxy). I can get an Access-Token using the documented call equivalent to the ./edgemicro token get command-line operation:

curl -i -X POST "http://<org>-<env>.apigee.net/edgemicro-auth/token" -d '{"grant_type": "client_credentials", "client_id": "xxx", "client_secret": "yyy"}' -H "Content-Type: application/json"

I am trying to use that same JSON-based EdgeMicro API to get a scope-restricted access-token does not work (no scope restriction happens):

$ curl -i -X POST "http://<org>-<env>.apigee.net/edgemicro-auth/token" -d '{"grant_type": "client_credentials", "client_id": "xxx", "client_secret": "yyy", "scope": "urn:company:api:ems:send_email"}' -H "Content-Type: application/json"

Using the standard Edge API (using form data) is rejected possibly because EdgeMicro API proxies are not reachable via Edge API’s.

request:
[...]
    uri: 'http://hpcorp-cwp-dev.apigee.net/auth/token',
    auth: {
        user: client_id,
        pass: client_secret,
        sendImmediately: true
    },
    form: {
        grant_type: "client_credentials",
        scope: "urn:hp:api:ems:send_email"
    }
[...]
  body: '{"fault":{"faultstring":"Unable to identify proxy for host: default and url: \\/auth\\/token","detail":{"errorcode":"messaging.adaptors.http.configuration.ApplicationNotFound"}}}' }

So: how to make use of OAuth scopes with EdgeMicro? Do I need to define scope-restricted Developer Applications using http://docs.apigee.com/management/apis/post/organizations/%7Borg_name%7D/developers/%7Bdeveloper_email_or_id%7D/apps API?

2

Hello @Francois-Xavier KOWALSKI

The above API calls should work - the error you are receiving shows that the proxy is not deployed

can you check this URL - “http://hpcorp-cwp-dev.apigee.net/auth/token”,

this should be

http://hpcorp-cwp-dev.apigee.net/edgemicro-auth/token”, right?

Thanks,

1 Like
3

Right, thank you. Note that the token request JSON payload support the “scope:” property to ask for specific scopes (within the ones already granted to the calling Developer Application), but that property is not documented. Can we assume it will remain as-is?

4

Thanks @Francois-Xavier KOWALSKI, this is standard oauth API and it will accept scopes. We need to document this here - @Floyd Jones fyi

5

Has this documentation happened? We can’t see anything related to how edgemicro enforces that that access is restricted to the scopes authorized during the process of getting the access_token.