We are using GenerateAuthorizationCode in the response flow. When we set callback URL http://localhost:8000/callback the redirect works. When we set callback URL urn:ietf:wg:oauth:2.0:oob the actual HTTP redirect location gets truncated after urn:
```
HTTP/1.1 302 Found
Location: urn:?scope=123&state=xyz&code=abc
Content-Length: 0
Connection: keep-alive
```
Has anyone in the community encountered this issue? Is it possible to change the redirect location to the correct value of “application redirect url” after GenerateAuthorizationCode by using assign-message policy?
Hi @Vineet Bhatia
I have done this successfully with oob callback URLs. My AssignMessage looks like this:
```xml
<AssignMessage name='AssignMessage-AuthzCodeResponse'>
  <DisplayName>AssignMessage-AuthzCodeResponse</DisplayName>
  <Description>Assigns the response message for an /authorize call</Description>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
  <!-- see https://apigeesc.atlassian.net/browse/BID-5589 -->
  <AssignTo createNew='true' type='response'>response</AssignTo>
  <Remove>
    <Payload>true</Payload>
  </Remove>
  <Set>
    <StatusCode>302</StatusCode>
    <ReasonPhrase>Found</ReasonPhrase>
    <Headers>
      <!--
        at this point, the request.formparam.scope holds the requested
        scopes, separated by commas. The
        oauthv2authcode.OAuthV2-GenerateAuthorizationCode.scope
        variable holds the granted scopes separated by space.
      -->
      <!-- the ampersand is written as &amp; so the policy file is well-formed XML -->
      <Header name="Location">{oauthv2authcode.OAuthV2-GenerateAuthorizationCode.redirect_uri}?code={oauthv2authcode.OAuthV2-GenerateAuthorizationCode.code}&amp;scope={request.formparam.scope}</Header>
    </Headers>
  </Set>
  <!-- Set this flow variable to indicate the response has been set -->
  <AssignVariable>
    <Name>flowResponse.ready</Name>
    <Value>true</Value>
  </AssignVariable>
</AssignMessage>
```
Does this work for you?
And here’s a snap of the Trace UI showing this actually working:
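As an added example (not code from this thread or from Apigee), here is the same Location value built in plain JavaScript by string concatenation, which keeps an opaque redirect URI such as urn:ietf:wg:oauth:2.0:oob intact and percent-encodes each parameter. The function name buildAuthzLocation and the sample values are constructed for illustration.

```javascript
// Added example: hypothetical helper, not part of any Apigee policy.
// It appends the authorization response parameters to the redirect URI as
// text, so a URI without "//" (an opaque URN) is never re-parsed or truncated.
function buildAuthzLocation(redirectUri, params) {
  // Require an absolute URI: a scheme followed by ":" (http:, https:, urn:, ...).
  if (typeof redirectUri !== 'string' ||
      !/^[A-Za-z][A-Za-z0-9+.-]*:/.test(redirectUri)) {
    throw new Error('redirect_uri must be an absolute URI');
  }
  // CR or LF in a header value would allow response splitting.
  if (/[\r\n]/.test(redirectUri)) {
    throw new Error('redirect_uri must not contain CR or LF');
  }
  // RFC 6749 section 3.1.2: the redirection URI must not include a fragment.
  if (redirectUri.indexOf('#') !== -1) {
    throw new Error('redirect_uri must not contain a fragment');
  }

  // Percent-encode every name and value; skip parameters that were not sent
  // (for example, no state in the original request).
  var pairs = [];
  Object.keys(params).forEach(function (name) {
    var value = params[name];
    if (value === undefined || value === null || value === '') return;
    pairs.push(encodeURIComponent(name) + '=' + encodeURIComponent(String(value)));
  });
  if (pairs.length === 0) return redirectUri;

  // Use "?" for the first query parameter, "&" when a query already exists.
  var sep;
  if (redirectUri.indexOf('?') === -1) sep = '?';
  else if (/[?&]$/.test(redirectUri)) sep = '';
  else sep = '&';
  return redirectUri + sep + pairs.join('&');
}

// Constructed sample values, matching the parameters shown in the question.
var sample = { code: 'abc', scope: '123', state: 'xyz' };
console.log(buildAuthzLocation('urn:ietf:wg:oauth:2.0:oob', sample));
console.log(buildAuthzLocation('http://localhost:8000/callback', sample));
```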
Thanks for replying, @Dino. Yes, it should work. Variable names in my flow are different and changing “&scope”. Also thank you a bunch for sharing the slides/code on generating JWT using JOSE4J from the conference. Sorry I missed it.