Tags: api, oauth-2.0, google-api, apigee

APIGEE external OAuth 2.0 Authorization


I tried to set up an API proxy and do OAuth 2.0 authentication with a Google API token. I got a JavaScript for validating a Google token and switched it to true, setting the flow variable oauth.externel.authorization.status=true if the token is valid. The result is always "errorcode":"oauth.v2.InvalidAccessToken".

The question is, how do I set the flow variable right to skip the validation of client_id and secret against the internal key store? Or how can I set the token validation URL to https://www.googleapis.com/oauth2/v1/tokeninfo?access_token= ?

Edit:

<OAuthV2 async="false" continueOnError="false" enabled="true" name="OAuth-v20-1">
    <DisplayName>OAuth v2.0 1</DisplayName>
    <FaultRules/>
    <Properties/>
    <Attributes/>
    <ExternalAuthorization>true</ExternalAuthorization>
    <Operation>VerifyAccessToken</Operation>
    <SupportedGrantTypes/>
    <GenerateResponse enabled="true"/>
    <Tokens/>
</OAuthV2>

Thanks.


Solution

  • The question is, how to set the flow Variable right to skip the validation from client_id and secret against the internal key store?

    <ExternalAuthorization> is used to support external authorization and is optional. If it is enabled, a flow variable named oauth_external_authorization_status is expected, set to either true or false according to the actual external authorization status.

    If <ExternalAuthorization> is set to true and the oauth_external_authorization_status flow variable is set to true, the client_secret will not be validated (but the client_id is still expected in the request and will be validated). You need to send the client_id as x-www-form-urlencoded; this is the default location for the client_id.

    Taking a step back, you may wish to replace Google's token with Apigee's altogether. I recommend this approach because through Apigee-recognized tokens you can leverage the rest of Apigee's objects/features. These include Developers, Apps (including client_id/secret), custom attributes, and Analytics.

    If you want to replace Apigee's access/refresh token, you can leverage Apigee's <ExternalAccessToken> and <ExternalRefreshToken> fields. By using these fields when generating the access token on Apigee, you can ensure Apigee recognizes the same access token Google produced.

    I posted an answer on a related question here that you may find helpful.
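The following is an added example, not code from the question, the answer, or Apigee itself. It shows the decision logic a JavaScript policy would run in front of the OAuthV2/VerifyAccessToken policy above: parse the response from https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=..., decide whether the Google token is acceptable, and set the flow variable with the exact name the OAuthV2 policy reads, oauth_external_authorization_status (the answer's spelling; the question's dotted name would be ignored). It assumes the tokeninfo body has already been fetched into a flow variable tokeninfo.response.content (for instance by a ServiceCallout policy) and that the proxy's own Google client_id is in my.google.client_id; both variable names are assumptions, as are the constructed sample bodies, which only follow the documented tokeninfo field names. Beyond the page's "is the token valid" check it also verifies the token's audience, because a valid Google token issued to some other application must not be accepted as authorization for this API.

```javascript
// Added example: decision logic for an Apigee JavaScript policy that feeds
// OAuthV2 <ExternalAuthorization>true</ExternalAuthorization>. Written in
// ES5 so it runs both in Apigee's Rhino-based policy engine and in Node.
//
// Assumed (not from the page): flow variables "tokeninfo.response.content"
// (tokeninfo JSON body, fetched earlier) and "my.google.client_id".

var TOKENINFO_URL = "https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=";

// Pure decision: returns { ok: boolean, reason: string }.
function evaluateTokenInfo(body, expectedClientId) {
  var info;
  try {
    info = JSON.parse(body);
  } catch (e) {
    return { ok: false, reason: "tokeninfo response is not JSON" };
  }
  // tokeninfo reports an invalid/revoked token as {"error": "invalid_token", ...}.
  if (info.error) {
    return { ok: false, reason: "tokeninfo error: " + info.error };
  }
  // Remaining lifetime in seconds; must be positive.
  if (typeof info.expires_in !== "number" || info.expires_in <= 0) {
    return { ok: false, reason: "token expired" };
  }
  // Token-substitution check: the token must have been issued to *our*
  // client_id ("audience"/"issued_to"), not to any arbitrary Google app.
  var aud = info.audience || info.issued_to;
  if (!expectedClientId || aud !== expectedClientId) {
    return { ok: false, reason: "audience mismatch" };
  }
  return { ok: true, reason: "valid" };
}

// Apply the decision to the Apigee flow. `context` is the policy's
// context object (context.getVariable / context.setVariable).
function applyExternalAuthorization(context) {
  var body = context.getVariable("tokeninfo.response.content");
  var clientId = context.getVariable("my.google.client_id");
  var result = evaluateTokenInfo(body, clientId);
  // Exact name read by OAuthV2 when <ExternalAuthorization> is true.
  context.setVariable("oauth_external_authorization_status", result.ok);
  context.setVariable("my.google.reason", result.reason); // for logging only
  return result.ok;
}

// Stand-in for Apigee's `context` so the logic runs outside a proxy
// (constructed for local testing; not an Apigee API).
function makeFakeContext(vars) {
  return {
    vars: vars,
    getVariable: function (name) { return vars[name]; },
    setVariable: function (name, value) { vars[name] = value; }
  };
}

// Constructed sample bodies shaped like v1/tokeninfo responses.
var OUR_CLIENT_ID = "123.apps.googleusercontent.com";
var GOOD_BODY = JSON.stringify({
  issued_to: OUR_CLIENT_ID, audience: OUR_CLIENT_ID, user_id: "1",
  scope: "openid email", expires_in: 3599,
  email: "user@example.com", verified_email: true
});
var OTHER_APP_BODY = JSON.stringify({
  issued_to: "999.apps.googleusercontent.com",
  audience: "999.apps.googleusercontent.com", expires_in: 3599
});
var ERROR_BODY = JSON.stringify({ error: "invalid_token", error_description: "Invalid Value" });

// Local run: simulate the policy on the good token.
var ctx = makeFakeContext({
  "tokeninfo.response.content": GOOD_BODY,
  "my.google.client_id": OUR_CLIENT_ID
});
applyExternalAuthorization(ctx);
```

In the proxy, this policy runs after the step that fetches TOKENINFO_URL plus the client's token and before the OAuthV2 policy from the question; per the answer, the request must still carry the client_id as x-www-form-urlencoded, since only the client_secret check is skipped when the status variable is true.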