1 vote

I tried to set up an API proxy and do OAuth 2.0 authentication with a Google API token. I have a JavaScript policy for validating a Google token and switched it to true, setting the flow variable oauth.externel.authorization.status=true if the token is valid. The result is always "errorcode":"oauth.v2.InvalidAccessToken".

The question is, how do I set the flow variable correctly to skip the validation of client_id and secret against the internal key store? Or how can I set the token validation URL to https://www.googleapis.com/oauth2/v1/tokeninfo?access_token= ?

Edit:

<OAuthV2 async="false" continueOnError="false" enabled="true" name="OAuth-v20-1">
    <DisplayName>OAuth v2.0 1</DisplayName>
    <FaultRules/>
    <Properties/>
    <Attributes/>
    <ExternalAuthorization>true</ExternalAuthorization>
    <Operation>VerifyAccessToken</Operation>
    <SupportedGrantTypes/>
    <GenerateResponse enabled="true"/>
    <Tokens/>
</OAuthV2>

Thanks.

Can you provide the actual code you are using to do the auth with? Not a lot to go on here. - Oliver Matthews
I struggle with the Apigee API; if I try it without the Apigee proxy everything works fine. Apigee policies are written in XML and it's not much code, but I'll post it, just a sec. - BTK
Are you trying to validate Google's access token using Apigee's OAuth policy (as opposed to Apigee minting a new token)? - Michael Bissell
Yes, sort of... my problem is, if I use a JavaScript policy, Apigee continues to the page whether the token is valid or not. Just throwing an exception without catching it can interrupt the process, but that's an ugly solution. So I found github.com/DinoChiesa/dpchiesa-elisp/blob/master/apigee.el line 667, where he explains how to trigger forwarding with a flow variable by setting ExternalAuthorization to true - BTK

1 Answer

2 votes

The question is, how do I set the flow variable correctly to skip the validation of client_id and secret against the internal key store?

<ExternalAuthorization> is used to support external authorization and it is optional. If it is enabled, a flow variable is expected with the name oauth_external_authorization_status set to either true or false based on the actual external authorization status.

If <ExternalAuthorization> is set to true and the oauth_external_authorization_status flow variable is set to true, the client_secret will not be validated (but the client_id is still expected in the request and will be validated). You need to send the client_id as x-www-form-urlencoded; this is the default location for the client_id.

Taking a step back, you may wish to replace Google's token with Apigee's altogether. I recommend this approach because through Apigee-recognized tokens you can leverage the rest of Apigee's objects/features. These objects/features include Developers, Apps (including client_id/secret), custom attributes, and Analytics.

If you want to replace Apigee's access/refresh token, you can leverage Apigee's <ExternalAccessToken> and <ExternalRefreshToken> fields. When using these fields in generating the access token on Apigee, you can ensure Apigee recognizes the same access token Google produced.

I posted an answer on a related question here that you may find helpful.
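The mechanism described in this answer (and attempted in the question) has two halves: a JavaScript policy that decides whether Google's token is acceptable, and the OAuthV2 VerifyAccessToken policy with <ExternalAuthorization>true</ExternalAuthorization> that reads the result from the flow variable oauth_external_authorization_status. The block below is an added example of the decision half, written by the editor and not taken from the question, the answer, or Apigee's own code. It evaluates a parsed response from the v1 tokeninfo endpoint the asker mentions, including the failure cases (Google error object, expired token, token issued to a different application) and sets the flow variable under its exact expected name. Apigee's context.setVariable is assumed to exist inside a real JavaScript policy; here a small constructed stand-in context is used so the file runs under Node. The sample responses, the client_id value and the google.tokeninfo.reason variable name are constructed for illustration.

```javascript
'use strict';

// The flow variable that VerifyAccessToken consults when <ExternalAuthorization>
// is true. The name must match exactly; a differently spelled variable is simply
// not read by the policy.
const FLOW_VAR = 'oauth_external_authorization_status';

// Evaluate a parsed https://www.googleapis.com/oauth2/v1/tokeninfo response.
// Returns { ok, reason }. expectedClientId is the OAuth client_id this API
// expects the token to have been issued for.
function evaluateTokenInfo(info, expectedClientId) {
  if (!info || typeof info !== 'object') {
    return { ok: false, reason: 'no tokeninfo body' };
  }
  // An unknown or revoked token comes back as an error object, not as token fields.
  if (info.error) {
    return { ok: false, reason: 'google rejected token: ' + info.error };
  }
  // Audience check: a genuine Google token minted for some other application must
  // not be accepted for this API (otherwise any Google token would do).
  if (info.audience !== expectedClientId) {
    return { ok: false, reason: 'audience mismatch' };
  }
  // expires_in is the number of seconds remaining when Google answered.
  const remaining = Number(info.expires_in);
  if (!Number.isFinite(remaining) || remaining <= 0) {
    return { ok: false, reason: 'token expired' };
  }
  return { ok: true, reason: 'ok' };
}

// Set the flow variable for the OAuthV2 policy and return the decision. In a real
// Apigee JavaScript policy, ctx would be the global `context` object.
function setExternalAuthorizationStatus(ctx, info, expectedClientId) {
  const result = evaluateTokenInfo(info, expectedClientId);
  ctx.setVariable(FLOW_VAR, result.ok);
  // Assumed custom variable name, handy for a later RaiseFault/AssignMessage or logging.
  ctx.setVariable('google.tokeninfo.reason', result.reason);
  return result.ok;
}

// Constructed stand-in for the parts of Apigee's `context` object used above.
function makeContext() {
  const vars = {};
  return {
    setVariable: (name, value) => { vars[name] = value; },
    getVariable: (name) => vars[name],
  };
}

// Constructed sample bodies in the shape of the v1 tokeninfo endpoint.
const EXPECTED_CLIENT_ID = 'example-client-id.apps.googleusercontent.com';
const SAMPLE_VALID = {
  issued_to: EXPECTED_CLIENT_ID,
  audience: EXPECTED_CLIENT_ID,
  scope: 'https://www.googleapis.com/auth/userinfo.email',
  expires_in: 3300,
  email: 'user@example.com',
  verified_email: true,
};
const SAMPLE_OTHER_APP = Object.assign({}, SAMPLE_VALID, {
  audience: 'other-client-id.apps.googleusercontent.com',
});
const SAMPLE_EXPIRED = Object.assign({}, SAMPLE_VALID, { expires_in: 0 });
const SAMPLE_REJECTED = { error: 'invalid_token', error_description: 'Invalid Value' };

// Stand-alone run under Node: show the decision for each sample.
if (typeof require !== 'undefined' && require.main === module) {
  for (const [label, body] of [['valid', SAMPLE_VALID], ['other app', SAMPLE_OTHER_APP],
                               ['expired', SAMPLE_EXPIRED], ['rejected', SAMPLE_REJECTED]]) {
    const ctx = makeContext();
    setExternalAuthorizationStatus(ctx, body, EXPECTED_CLIENT_ID);
    console.log(label + ': ' + FLOW_VAR + '=' + ctx.getVariable(FLOW_VAR) +
                ' (' + ctx.getVariable('google.tokeninfo.reason') + ')');
  }
}
```

In the proxy flow this logic would sit in the JavaScript policy that runs after the HTTP callout to tokeninfo and before the OAuthV2 policy shown in the question; the OAuthV2 policy then still needs the client_id in the request body, as the answer notes. The audience comparison is the check most often left out: without it the proxy accepts any live Google token, not just tokens issued to the application the proxy fronts.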