OAuth Generate Access Token Fails - Incase of External Authorization

Google Cloud Apigee
1 
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="GenerateAccessToken">
    <DisplayName>GenerateAccessToken</DisplayName>
    <ExternalAuthorization>true</ExternalAuthorization>
    <ExternalAccessToken>request.queryparam.external_access_token</ExternalAccessToken>
    <StoreToken>true</StoreToken>
    <Operation>GenerateAccessToken</Operation>
    <SupportedGrantTypes>
        <GrantType>password</GrantType>
    </SupportedGrantTypes>
    <GrantType>request.queryparam.grant_type</GrantType>
    <GenerateResponse enabled="true"/>
</OAuthV2>

I have set “oauth_external_authorization_status” to true & trace confirms same. Above policy fails to generate access token & ends up with below error.

{“ErrorCode” : “invalid_client”, “Error” :“Client identifier is required”}

Not sure what i am missing here… Is it a bug in the platform ? Client credentials flow works perfectly fine with same request… password grant type with external authorization fails to generate access token

1 Like
2

Have you tried passing in the Client Identifier ? It is an element, sibling to GrantType.

  ...
  <GrantType>request.queryparam.grant_type</GrantType>
  <ClientId>flow.variable.here</ClientId> <!-- Optional -->
  ...
3

@Dino , I have tried that too… Doesn’t work…

4

@Anil Sagar What is the request you are making ? You should be doing something like this:

curl -v [http://myorg-test.apigee.net/v1/oauthv2/access_to](http://myorg-test.apigee.net/v1/oauthv2/access_to). 

-H "Content-Type: application/x-www-form-urlencoded"
-d 'grant_type=password&username=hello&password=world&client_id=${key}'

You don’t need to specify:

<GrantType>request.queryparam.grant_type</GrantType>

As long as you have the oauth_external_authorization_status set to true and have the ExternalAuthorization set to true in the policy, it should work. A sample policy with externalAuthorization would look like this:

<OAuthV2 name="OauthV2Policy" continueOnError="true">
<SupportedGrantTypes>
         <GrantType>password</GrantType>
         <GrantType>client_credentials</GrantType>
         <GrantType>authorization_code</GrantType>
         <GrantType>implicit</GrantType>
</SupportedGrantTypes>
<GenerateResponse/>
<ExternalAuthorization>true</ExternalAuthorization>
</OAuthV2>
5

@arghya das

Yes, My request is exactly same as one you mentioned.. I tried with both client_id & removing GrantType tag.. Still same issue.. Do we have a working example of password granttype with external authorization ?

6

Make sure you are setting the oauth_external_authorization_status to true before the generateAccessToken policy is invoked. Here’s a working example from Diego, which is also linked to our docs: https://github.com/dzuluaga/apigee-tutorials/tree/master/apiproxies/musicapi-oauth-delegated-authentication

7

@arghya das , never mind it was an issue with sending the payload to the GenerateAccessToken policy.. Tested in a different proxy to find out root cause and it worked like as expected, it was issue with my proxy configuration.. Thank you ..

8

Hi I am also getting same issue ,how did you resolved can you tell me . I tried adding ClientId in the oauth policy and tried removing both clientID and GrantType.But still facing same issue. Acutally using in Response.To Regenerate the external token it is coming in the form of SessionID.