Oauth2.0 Access Token Verification throws “Invalid API call as no apiproduct match found” error

Google Cloud Apigee Knowledge Hub
1

When using Oauth2.0, one of the errors observed is:

{“fault”:{“faultstring”:“Invalid API call as no apiproduct match found”,“detail”:{“errorcode”:“keymanagement.service.InvalidAPICallAsNoApiProductMatchFound”}}}

I would like to explain here a few possible causes for this error with the help of an example.

Example

Let’s say we have the Environment, API Proxies, Products, Developer Apps and Developer setup in an org “sample” as shown below:

Environments

test

prod

API Proxies

API_One deployed in prod and test environments

API_Two deployed in prod and test environments

Products

Product_One associated with API_One. Product_One is enabled for test environment only.

Product_Two associated with API_Two. Product_Two is enabled for prod environment only.

DeveloperApps

App_One associated with Product_One

App_Two associated with Product_Two

Developers

Dev_One associated with App_One

Dev_Two associated with App_Two

With this setup, we can get the “Invalid API call as no apiproduct match found” error with the following scenarios listed below:

Scenario 1

  • Generate the access token by using the Client_ID/Client_Secret from “App_Two”
  • Run the API call for “API_One” with the above generated access token

In this scenario, we are using the access token generated for App_Two that is linked with Product_Two /API_Two to run the API call for API_One. This is a clear mismatch.

Scenario 2

  • Generate the access token by using the Client_ID/Client_Secret from “App_One”
  • Run the API call for “API_One” with the above generated access token for prod environment

In this scenario, we are using the access token generated for App_One in prod environment. However, the App_One is associated with Product_One, which is enabled only for test environment for the APIProxy “API_One”. This is a clear mismatch.

In summary, here are a few possible causes for the error “Invalid API call as no apiproduct match found" when using OAuth2.0

  1. Access token generated with Client_ID/Client_Secret from a DeveloperApp-Product unrelated to an API Proxy
  2. Access token generated with Client_ID/Client_Secret from a Product-DeveloperApp unrelated to environment in which the API call is tested

Solution

To avoid the error“Invalid API call as no apiproduct match found", we need to

  • Generate the access token using the Client_ID/Client_Secret from the DeveloperApp-Product associated with a specific API Proxy
  • Use the generated access token to run the API call for the specific API Proxy in the specific environment (s) in which the Product is enabled.

In the example quoted above, we should do the following to avoid the error“Invalid API call as no apiproduct match found"

  • Generate the access token using the Client_ID/Client_Secret from the DeveloperApp “App_One”.
  • App_One is associated with Product_One (enabled in test environment), which is further associated with API_One proxy.
  • Run the API call with the generated access for API_One proxy only in test environment.
3 Likes
2

This same error will also be seen in cases where the API Product approval type is set to ‘Manual’ and the Product has not been approved in the App yet.

So Basically :

  1. Create Proxy, secure it with OAuth2.0 VerifyAccessToken

  2. Create Product, add the proxy to generate token and the api proxy to be secured (created in 1). Set the approval as ‘Manual’

  3. Create App, add above product to app.

  4. Generate Token.

  5. Send request to protected API Proxy with token genrated in (4).

  6. Get ‘`InvalidAPICallAsNoApiProductMatchFound’```

  7. Go to App->Edit->Approve the product->Save

  8. Send request to protected API Proxy with token genrated in (4)

  9. Watch in satisfaction/frustration/relief as OAuth token verification is successful

1 Like