ApiGee OAUTH Authorization

2
votes

I'm new in apigee. I need to make a callout in my proxy to fetch data from google fusion tables. FT Service require secure call using oath 2.0. I'm already made this workflow using custom proxy (without any OAUTH policy, and store token, refresh token and expiry in Key Value Map)

also I made js to calculate expiration time and condition callout to refresh token. I understand that this is not correct way but I still can't get a clue how to make this call using building Oauth policy. :( It's clear for me oauth process from google side but cant understand where i have store value and how to configure oauth as native way ...

I successfully deploy oauth-authcode example from github and get it work but when i change Default Target Endpoint URL on https://accounts.google.com/o/oauth2/auth and substitute my client_id i get error "Invalid client id : XXXXX.apps.googleusercontent.com. ClientId is Invalid".

Well as I understand the first issue is get Authorization code I have to make a call to google oauth like: 

https://accounts.google.com/o/oauth2/auth
?response_type=code
&redirect_uri={URL that obtain access code}
&client_id=XXXXX.apps.googleusercontent.com
&scope=https://www.googleapis.com/auth/fusiontables 
&access_type=offline
&approval_prompt=force
&[email protected]
&state=ANYSTATE

then google redirect authorization code to redirect_uri as 

{redirect_uri}?code=ACCESSCODE&state=ANYSTATE

well i make a proxy /oauth20 as a bakckend and point it as redirect_uri.

How to configure oauth policy on this end to store this code ?

I create product Fusion and add API Proxy '/oauth20' as Resources Also I created Developer App Fusion.

What url i have to populate as Callback URL in Developer App?

Which url I have to use as redirect url for oauth policy and how can I store client id and client secret and scope that I use for google? I can't edit Consumer Key and Consumer Secret in Developer app

Well my api proxy obtain Authorization code.

How to change this code to access token?

In my app i make POST : 

https://accounts.google.com/o/oauth2/token 
code={code} 
client_id={ClientID} 
client_secret={ClientSecret} 
redirect_uri=https://vatsenko-test.apigee.net/v1/oauth20/oauth/authorize
grant_type=authorization_code

and then extract token 

$.access_token 
$.refresh_token 
$.expires_in

is any way to manually configure oauth flow to get token ? (i mean hardcode client_id, client_secret,and code to fetch token and store it to apigee and then make only verifyaccesstoken policy in callout)

1
oauthproxyapigee

1 Answers

3
votes

Some of the confusion you are encountering is natural. This is especially true because you are using 2 OAuth systems (Google and Apigee's) together instead of using 1 on its own. That said, you can still get this to work out-- it will just take some design considerations.

The approach I'll take is to answer your questions as you wrote them, but you may also want to work with Apigee for further in-depth design discussions.

I successfully deploy oauth-authcode example from github and get it work but when i change Default Target Endpoint URL on https://accounts.google.com/o/oauth2/auth and substitute my client_id i get error "Invalid client id : XXXXX.apps.googleusercontent.com. ClientId is Invalid".

You'll need to use your client_id from Google's OAuth system in order leverage Google's OAuth system.

How to configure oauth policy on this end to store this code ?

Typically you would use a web server app to handle this code. If you wanted to use an API proxy to do the same, you could pass the authorization code in as query parameter (e.g., &code=XYZ). Your Apigee proxy would refer to the code as request.queryparameter.code.

What url i have to populate as Callback URL in Developer App?

The URL for Callback URL in Developer App should be the web server app callback URL. In your case, you stated you want to use an Apigee API proxy, so you should use that. This callback URL will need to match the URL that is passed along as the redirect_uri query parameter when you generate the authorization code on Apigee. If they don't match, you will get an error from Apigee. As you may have read in recent articles, this check has been in place for security reasons.

Which url I have to use as redirect url for oauth policy and how can I store client id and client secret and scope that I use for google? I can't edit Consumer Key and Consumer Secret in Developer app

As mentioned above, the redirect URI will need to be the same as the callback URL you set for the Developer app. I would advise to store Google's client_id and client_secret in a Key/Value Mapping. Then, when you call out to Google to retrieve their token, you can extract these values out of the Key/Value Mapping and use them in the header for Google to consume.

How to change this code to access token?

Let's take a step back and consider how Apigee's auth code and access tokens will fit into Google's auth code and access tokens.

For the Developer app to interface with Apigee, you'll want to ensure that Apigee can make sense of any generated auth codes and access tokens. For Apigee to further interface with Google's auth code grant type OAuth system, you'll want to store Google's auth code as an attribute in Apigee's auth code. You can achieve this through the <Attributes> field when you generate the auth code. When your Developer app interfaces with Apigee, the Developer app will send in the Apigee auth code that will then contain an attribute with Google's auth code. You can use getoauthv2info to extract attributes from the Apigee auth code. Then you can callout to Google using Google's own auth code that they recognize.

When you submit Google's auth code, you will receive Google access/refresh tokens in return. You will then want to consider whether you want to replace Apigee's access/refresh token with Google's... or not. This is a design consideration.

If you want to replace Apigee's access/refresh token, you can leverage Apigee's <ExternalAccessToken> and <ExternalRefreshToken> features. When using these fields in generating the access token on Apigee, you can ensure Apigee recognizes the same access token Google produced.

Alternatively, if the Google and Apigee token do not need to match, then you can store Google's access token and refresh token as attributes in Apigee's access token. In this way, when the Developer app interfaces with Apigee, it's Apigee's access/refresh tokens (and client_id and secret) that must be used. Then, we can look up Google's access token by accessing the Apigee access token attribute that you've stored. After VerifyAccessToken, you can access these attributes as accesstoken.<custom attribute>.

is any way to manually configure oauth flow to get token ? (i mean hardcode client_id, client_secret,and code to fetch token and store it to apigee and then make only verifyaccesstoken policy in callout)

As mentioned above, Key/Value Mapping will help you here. You can set the header information as required before you call out to Google. And as discussed prior, you can store Google's auth code in Apigee's auth code as an attribute.

Hope this helps. Feel free to reach out to our Support or Scrum Masters if a live session will help you more appropriately.