OAuth2.0 third party token registration failing

Google Cloud Apigee
1

When registering third-party tokens in Apigee, I’m facing a problem.

After making a Service callout to Azure AD and obtaining an access token for an authorization code, I want to store this access token in Apigee Edge so I can use it validating resource calls later.

Here’s the OAuth policy for this –

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="OAuth-v20-Store-External-Token">
    <DisplayName>OAuth-v20-Store-External-Token</DisplayName>
    <FaultRules/>
    <Properties/>
    <Attributes/>
    <ExternalAuthorization>true</ExternalAuthorization>
    <Operation>GenerateAccessToken</Operation>
    <GenerateResponse enabled="true"/>
    <ExternalAccessToken>internal.accesstoken</ExternalAccessToken>
    <StoreToken>true</StoreToken>
    <GrantType>request.formparam.grant_type</GrantType>
    <SupportedGrantTypes>
        <GrantType>authorization_code</GrantType>
    </SupportedGrantTypes>
    <Tokens/>
</OAuthV2>

The access token extracted from Azure AD SC response is in the variable called internal.accesstoken which is assigned to the

I’m getting the following error when this policy executes –

{

"ErrorCode": "invalid_request",

"Error": "Invalid Authorization Code"

}

I don’t understand this, as here I’m simply trying to add an access token to the Apigee data store and I’m not seeking to validate anything.

2

change the grant type to client credentials and it will work. Apigee doesn’t know about the auth code and you specified an auth code grant type. Either that or populate using something like this:

<ExternalAuthorizationCode>request.queryparam.external_auth_code</ExternalAuthorizationCode>

Take a look here for description: https://docs.apigee.com/api-platform/reference/policies/oauthv2-policy#externalauthorizationcode-element

3

I changed it to below and still getting the same error

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="OAuth-v20-Store-External-Token">
    <DisplayName>OAuth-v20-Store-External-Token</DisplayName>
    <FaultRules/>
    <Properties/>
    <Attributes/>
    <ExternalAuthorization>true</ExternalAuthorization>
    <Operation>GenerateAccessToken</Operation>
    <GenerateResponse enabled="true"/>
    <ExternalAuthorizationCode>request.formparam.code</ExternalAuthorizationCode>
    <!--<ExternalAccessToken>external.accesstoken</ExternalAccessToken> -->
    <StoreToken>true</StoreToken>
    <GrantType>request.formparam.grant_type</GrantType>
    <SupportedGrantTypes>
        <GrantType>authorization_code</GrantType>
    </SupportedGrantTypes>
    <Tokens/>
</OAuthV2>
4

you typically run two policies. Take a look here at the two policies:

OA-StoreExternalAuthorizationCode.xml

OA-StoreToken.xml