1

I have an oAuth Provider which uses Authentication URL. In some cases, my Authentication URL returns "non-200" with meaning messages e.g. incorrect username, incorrect password, user locked etc. I wonder how to pass the meaningful message from Authentication URL to the client who is requesting the token via API (oauth2/token)?? I have tried many ways, the API Connect always results 401 - invalid grant only.

Here is my oAuth Provider Code

x-ibm-configuration:
  testable: true
  enforced: true
  phase: realized
  oauth2:
    client-type: confidential
    scopes:
      weather: Weather Information
      openid: Enable OIDC
    grants:
      - password
    identity-extraction:
      type: basic
    authentication:
      x-ibm-authentication-url:
        url: 'https://8hxovobj7g.execute-api.eu-west-2.amazonaws.com/Prod/auth'
    authorization:
      type: authenticated
    access-token:
      ttl: 1500
    refresh-token:
      count: 2048
      ttl: 2682000
  gateway: datapower-gateway
  assembly:
    execute:
...
...

when authen fail due to incorrect username, the authentication URL return

401 Unauthorized

{
    "error": "incorrect username"
}

However, when I use postman to post a request to API Connect Gatwatway to the oAuth Provider (path: /oauth2/token)

if correct username password (authen URL user registry return 200-OK, I will get

{
    "token_type": "bearer",
    "access_token": "AAIkNTU4M2RlMzktODY1NS00ZDQ1LTgyMjctODEyMDM4MDUzMTE2m7lBYXfx73OVPONAHoLT5VNdtSVD40Hu-M3nAQPu6wdviOxcIfbsOXBwt-Iy8EAgLzuATlZB7RBME_U5Ymd5fDkRTwy05G9zGmV7mIkawaELtiOj4xdzQr7Vn-indlv-y1NFEjvRv2VrK0d3TOqZnTEj5heDdY7Q0X9BFeydV4MtS-gCpnj-9l6TU3XqyeiK5hGnBZkZRAWOIskLm4KCyf8n_mnsi42vN9GLxlxoO9EmuHAwXOxr_aocKaaVlLKK5vDMHBRws2Vguqk3eVuoh9EnkRZvjbTurmW57bCgX3nMTd6MwcEYFkAGh-cOcEDyydZR6BI_pLuwaUM9RN8Vnb7EATQjzW2d_eHKQyjShcyM0TqxzhYq3q90fLfJLo08WxDgTFaKpGHA6qoZmUpYRLeyyImhOPtyd9p1l9z87g52duHbL1cyVGErHktTVpeXsmIRtn-QTTvI4jWmjxPZnSYj_rEeR9S8QAxYpHSEPmJQQmsjISf2SIRLABwuhG9dKyrrzs3UTotVyIotxmJjc9lfEsEtDTz9Ej--yQFw97ESHCVEvOkifeyIJ9F5MyPFh7fMEoGGwyDmWEfZSYRpkLg4_ib3dbjkGAuthiwjdA0",
    "metadata":
...
}

if incorrect username/ password (authen URL user registry return 401-Unauthorized with response-body (error message), I will get

401-Unauthorized 

{
    "error": "invalid_grant"
}

The Authentication URL is custom made. I have tried to make different returns in authentication URL (different http response code/ body/ headers) which all cannot affect the end-user's oauth's oauth/token result which always return the msg "invalid grant". what I really want to pass the authentication URL result message to the end-users to let the users know what is wrong such as incorrect username

Thanks for your kindly help

Ericson
  • 11
  • 3
  • "I have tried many ways" - but what have you tried? If you show your code /config we can point out what's wrong. – Zydnar Jan 09 '20 at 12:20
  • @Zydnar I have updated and added some what I have configured and scenario detail. any idea? Thanks so much for your help! – Ericson Jan 10 '20 at 02:30

1 Answers1

1

Unfortunately, it seems that in APIC v5 it is not possible to adjust OAuth error based on the response from Authentication URL call.

You can check DataPower XSLT code which handles this case (local:/isp/aaa-ldap-lib.xsl) to see more details. For any non-200 response code returned by an authentication URL, the same hardcoded error is produced. Only a response code is checked and all response information is discarded after that check - including a response code.

In the case of non-200 response code returned by authentication URL following XSLT code is executed:

<xsl:call-template name="error">
  <xsl:with-param name="code" select="'401'"/>
  <xsl:with-param name="reason" select="'Unauthorized'"/>
  <xsl:with-param name="challenge" select="'Basic'" />
</xsl:call-template>

That means it is not possible to distinguish between errors caused by different authentication URL responses in OAuth API assembly catch. You can catch UnauthorizedError in the created assembly in OAuth API but you would have no additional information based on which you could create custom error response.

However, if you are using on-premise APIC v5 and you have access to the DataPower Gateway you could:

  • change mentioned xsl file to propagate status code/reason from authentication URL (possibly using gateway extensions)
  • info necessary, add a custom assembly to your OAuth API where you would catch UnauthorizedError and add GatewayScript code to adjust behavior

GatewayScript code to adjust behavior in case of UnauthorizedError caught would be something like:

let p = session.name('policy');
let e = p.getVariable('fw/exception');
let statusCode = e.httpCode;
let statusReason = e.httpReasonPhrase;
...
Vedran Vidovic
  • 1,133
  • 6
  • 6