3

We're making requests for bearer tokens using client_credentials OAuth 2 grant flow with Apigee. According to the spec:

4.4.2.  Access Token Request

   The client makes a request to the token endpoint by adding the
   following parameters using the "application/x-www-form-urlencoded"
   format per Appendix B with a character encoding of UTF-8 in the HTTP
   request entity-body:

   grant_type
         REQUIRED.  Value MUST be set to "client_credentials".

If we make a call however we get an error like this:

{"ErrorCode" : "invalid_request", "Error" :"Required param : grant_type"}

It seems that using Apigee we have to send grant_type as a query parameter.

Why is this? We have clients of Apigee that are unable to use OAuth libraries in their language of choice because of the way that Apigee deals with OAuth 2, and it would be good to know if there is by-design or not.

In addition it doesn't seem like it supports grant_type in the post body and sending id and key using basic auth.

Community
  • 1
  • 1
Michael
  • 62
  • 11

2 Answers2

0

Turns out you do not need to send in grant_type as a query parameter. There is a <GrantType> element in your GenerateAccessToken policy that takes in a variable. For instance, I can use the following:

<OAuthV2 name="GenerateAccessToken">
  <DisplayName>GenerateAccessToken</DisplayName>
  <FaultRules/>
  <Properties/>
  <!-- This policy generates an OAuth 2.0 access token using the password grant type -->
  <Operation>GenerateAccessToken</Operation>
  <!-- This is in millseconds -->
  <ExpiresIn>1800000</ExpiresIn>
  <Attributes/>
  <SupportedGrantTypes>
    <GrantType>password</GrantType>
  </SupportedGrantTypes>
  <GenerateResponse enabled="false">
   <Format>FORM_PARAM</Format>
  </GenerateResponse>
  <GrantType>user.grant_type</GrantType>
  <UserName>request.header.username</UserName>
  <PassWord>request.header.password</PassWord>
</OAuthV2>

In this example, the grant_type is passed in as user.grant_type. But user.grant_type can be anything-- header, query param, form param, or even a hard-coded value. This way, you (the developer) are provided maximum flexibility on how you want to send in the grant_type.

akoo1010
  • 606
  • 3
  • 9
0

Can you paste the exact API call that you are making (obviously you should obfuscate the key and secret)?

I'd like to understand what you say when you say "Apigee" -- it could mean API BAAS (https://api.usergrid.com) or a proxy that you defined using API services and attached an OAuth 2 policy to, or something else?

Greg Brail
  • 66
  • 1
  • Hi Greg, this is a proxy we've attached an OAUthV2 policy to to generate an access token. I'm looking at the policy now and I think @akoo1010 might be right as our policy has: `request.queryparam.grant_type` inside it. I'm going to try his suggestion and will post back. Thanks – Michael Sep 01 '14 at 06:31