
I'm creating my own OAuth 2.0 endpoints and using Apigee's OAuth 2.0 Policies to generate and manage authorization codes and tokens. The documentation specifies all possible error codes and error descriptions when OAuth 2.0 policies fail (at http://apigee.com/docs/gateway-services/api/oauth-error-code-reference), however it does not say which flow variables will contain the corresponding error code and error description. Documentation at http://apigee.com/docs/api-services/api/oauth-flow-variables does not help either... it just explains the flow variables set on success.

I DON'T want to use the GenerateResponse tag in my OAuth policies, so I need to access the error code and error description in case the OAuth policy fails.

What variables are set when an OAuth policy fails? How can I know that an OAuth policy has failed?

So far, I know that the variable fault.name seems to have the error code, but the error description is not in the error.message variable.

Sample Policy:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="OAuth-Exchange-Code-with-Token">
  <DisplayName>OAuth Exchange Code with Token</DisplayName>
  <Operation>GenerateAccessToken</Operation>
  <!-- This is in milliseconds, so expire in an hour -->
  <ExpiresIn>3600000</ExpiresIn>
  <ReuseRefreshToken>false</ReuseRefreshToken>
  <RefreshTokenExpiresIn>3600000</RefreshTokenExpiresIn>
  <SupportedGrantTypes>
    <GrantType>authorization_code</GrantType>
  </SupportedGrantTypes>
  <GenerateResponse enabled="false"/>
</OAuthV2>

If the above policy fails, since <GenerateResponse enabled="false"/> is disabled, I would like to produce a response myself in a <FaultRules> and access the actual error description, such as "Client Credentials required". But there are no flow variables to access the error description.

rcnavas

1 Answer


An OAuth policy, if set with the attribute continueOnError="false", will abort processing and jump to the FaultRules when an error occurs.

Using the following OAuthV2 policy to verify the token (note GenerateResponse is false and continueOnError is false):

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="VerifyToken">
    <DisplayName>VerifyToken</DisplayName>
    <Attributes/>
    <ExternalAuthorization>false</ExternalAuthorization>
    <Operation>VerifyAccessToken</Operation>
    <SupportedGrantTypes/>
    <GenerateResponse enabled="false"/>
    <Tokens/>
</OAuthV2>

When no access token is presented, processing jumps to the FaultRules. In a FaultRule I was able to access the following variables:

fault.name = "InvalidAccessToken"
fault.category = "Step"
fault.subcategory = "Execution"
error.state = PROXY_REQ_FLOW
error.content = {"fault":{"faultstring":"Invalid access token","detail":{"errorcode":"oauth.v2.InvalidAccessToken"}}}

So even with GenerateResponse as false, you could use JSONPath to extract $.fault.faultstring and $.fault.detail.errorcode.

Mike Dunker
  • Thanks, but I still have the same problem. For example, in a `GenerateAccessToken` policy for *GrantType* `authorization_code` when the client does not present a valid `client_secret`, the Generated Response will be like: `{"ErrorCode":"invalid_client","Error":"Client credentials are required"}` However the `fault.name`, `error.message`, `error.content` ALL will contain just: `invalid_client` – rcnavas Aug 13 '14 at 18:35
  • Can you post the exact GenerateAccessToken policy configuration and input you are using so I can test using that? (without real hostnames, usernames, passwords, etc.) – Mike Dunker Aug 13 '14 at 19:37
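One way to turn the variables listed in the answer into a custom fault body, as an added example that is not part of the question or the answer: a function (function and variable names are mine) that parses error.content when it is the JSON fault document shown for VerifyAccessToken, falls back to the bare string reported in the comment for GenerateAccessToken, and otherwise uses fault.name. The wiring at the bottom assumes it runs as an Apigee JavaScript policy step inside a FaultRule, where the `context` object exists; the sample inputs are constructed from the values quoted on this page.

```javascript
// Parse fault.name / error.content into a code + description pair.
// Handles both shapes reported on this page:
//   1. JSON: {"fault":{"faultstring":"...","detail":{"errorcode":"..."}}}
//   2. A bare string such as "invalid_client" (not valid JSON)
function parseOAuthFault(faultName, errorContent) {
  // fault.name is always set on a policy failure, so start from it
  var result = { errorCode: faultName || 'unknown', errorDescription: null, source: 'fault.name' };
  if (typeof errorContent !== 'string' || errorContent.length === 0) {
    return result;
  }
  var parsed;
  try {
    parsed = JSON.parse(errorContent);
  } catch (e) {
    // Not JSON: treat the bare value itself as the error code
    result.errorCode = errorContent.trim();
    result.source = 'error.content (plain)';
    return result;
  }
  var fault = parsed && parsed.fault;
  if (fault && typeof fault === 'object') {
    if (fault.detail && typeof fault.detail.errorcode === 'string') {
      result.errorCode = fault.detail.errorcode;   // e.g. "oauth.v2.InvalidAccessToken"
    }
    if (typeof fault.faultstring === 'string') {
      result.errorDescription = fault.faultstring; // e.g. "Invalid access token"
    }
    result.source = 'error.content (json)';
  }
  return result;
}

// Build the {"ErrorCode":...,"Error":...} body the question wants to emit itself.
// When no description is available, the code is repeated so the field is never empty.
function buildFaultResponse(faultName, errorContent) {
  var f = parseOAuthFault(faultName, errorContent);
  return JSON.stringify({ ErrorCode: f.errorCode, Error: f.errorDescription || f.errorCode });
}

// Constructed sample inputs, taken from the answer and the comment above
var SAMPLE_JSON = '{"fault":{"faultstring":"Invalid access token","detail":{"errorcode":"oauth.v2.InvalidAccessToken"}}}';
var SAMPLE_PLAIN = 'invalid_client';

// Assumed Apigee wiring: only runs inside the gateway, where `context` is defined.
// A following AssignMessage step can then place custom.fault.body in the response.
if (typeof context !== 'undefined') {
  context.setVariable('custom.fault.body',
    buildFaultResponse(context.getVariable('fault.name'), context.getVariable('error.content')));
}
```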