Hi, I noticed 2 things in my refresh token policy
- it doesn’t accept variables in fields like
<GrantType>{myJsVariable}</GrantType>
but it works with
<GrantType>request.queryparam.grant_type</GrantType>
- I have “generate response true”. When this generates the response, it doesn’t execute the next policies; it just skips the whole API with the generated response. Is this intended? (GenerateTokenPolicy lets you generate a response so I can massage it in a JS policy, but not the refresh policy.)
<GenerateResponse enabled="true"/>
Any thoughts here?
If my thoughts are correct then this is an issue for me, and it forces me to create an API wrapper for refresh-token so I can:
- pass queryparams
- grab the response in a caller API, so I can massage it.
Thanks
I know this is a really old question, but what you describe surprises me, and so I thought I’d investigate.
For item #1: correct. Don’t surround the variable name with curly braces.
For item #2:
What I found: it works for me. I have this flow:
<Flow name="token">
  <!--
    The app uses this request to exchange the code for a token,
    or to refresh a token.
    Example:
      Authorization: Basic base64(client_id:client_secret)
      POST /devjam3/oauth2-ac/token
      grant_type=authorization_code
      &code=q2oI7b2d
      &redirect_uri=http://dinochiesa.github.io/openid-connect/callback-handler.html
    -or-
      Authorization: Basic base64(client_id:client_secret)
      POST /devjam3/oauth2-ac/token
      grant_type=refresh_token&refresh_token=sksious93e93
  -->
  <Condition>(proxy.pathsuffix MatchesPath "/token") and (request.verb = "POST")</Condition>
  <Description/>
  <Request>
    <Step>
      <Name>RF-InvalidGrantType</Name>
      <Condition>NOT (request.formparam.grant_type = "authorization_code" OR request.formparam.grant_type = "refresh_token")</Condition>
    </Step>
  </Request>
  <Response>
    <Step>
      <Name>OAuthV2-GenerateAccessToken</Name>
      <Condition>request.formparam.grant_type = "authorization_code"</Condition>
    </Step>
    <Step>
      <Name>OAuthV2-RefreshAccessToken</Name>
      <Condition>request.formparam.grant_type = "refresh_token"</Condition>
    </Step>
    <Step>
      <Name>JS-GroomTokenResponse</Name>
    </Step>
  </Response>
</Flow>
And what I found is that the JS-GroomTokenResponse policy executes. Any other policy will execute, also.
The OAuthV2-RefreshAccessToken policy looks like this:
<OAuthV2 enabled='true' name='OAuthV2-RefreshAccessToken'>
  <Operation>RefreshAccessToken</Operation>
  <ExpiresIn>3600000</ExpiresIn>
  <RefreshTokenExpiresIn>86400000</RefreshTokenExpiresIn>
  <ExternalAuthorization>false</ExternalAuthorization>
  <!-- grant_type must be "refresh_token" -->
  <GrantType>request.formparam.grant_type</GrantType>
  <RefreshToken>request.formparam.refresh_token</RefreshToken>
  <SupportedGrantTypes/>
  <GenerateResponse/>
</OAuthV2>
It just works. You can see a full working example here.
I think you must have something exceptional. Maybe your RefreshAccessToken policy is not attached in the response flow?
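Added example, not part of the thread and not the source of the JS-GroomTokenResponse policy named above: one way a JavaScript policy attached after the OAuthV2 step could massage the generated token response, keeping only an allowlist of fields so that internal metadata does not reach the client. The sample payload is constructed, and its field names and the availability of the generated body in `response.content` are assumptions.

```javascript
// ES5 style on purpose: Apigee runs JavaScript policies on Rhino.
// Allowlist of fields passed through unchanged (RFC 6749 section 5.1).
var PASS_THROUGH = ['access_token', 'refresh_token', 'scope'];

function groomTokenResponse(raw) {
  var src = JSON.parse(raw);
  var out = {};
  PASS_THROUGH.forEach(function (name) {
    // Copy only non-empty strings; anything not listed is dropped.
    if (typeof src[name] === 'string' && src[name] !== '') {
      out[name] = src[name];
    }
  });
  if (!out.access_token) {
    throw new Error('generated response carries no access_token');
  }
  out.token_type = 'Bearer';              // RFC 6750 name, whatever the source said
  var ttl = parseInt(src.expires_in, 10); // the sample carries it as a string
  if (isFinite(ttl) && ttl > 0) {
    out.expires_in = ttl;                 // emitted as a JSON number of seconds
  }
  return JSON.stringify(out);
}

// Constructed sample; the field names are assumptions about the generated payload.
var SAMPLE = JSON.stringify({
  access_token: 'constructed-access-token',
  refresh_token: 'constructed-refresh-token',
  token_type: 'BearerToken',
  expires_in: '3599',
  scope: '',
  status: 'approved',
  client_id: 'constructed-client-id',
  organization_name: 'example-org',
  'developer.email': 'dev@example.com',
  api_product_list: '[ExampleProduct]'
});

// Policy glue: runs only inside Apigee, where `context` is defined.
if (typeof context !== 'undefined') {
  var body = context.getVariable('response.content');
  context.setVariable('response.content', groomTokenResponse(body));
  context.setVariable('response.header.Cache-Control', 'no-store');
}
```

Because the function throws when no access token is present, a failed grant is not rewritten into a success-shaped body; the policy's fault handling decides what the client sees.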
Thank you so much @Dino-at-Google. I think what was different for me was that I was trying to use GenerateResponse true (I think) and also that I was trying to use {JS} variables as input. I’ll use this info at some point to retry to have the refresh token internally to my API.