Tags: oauth, apigee, apigee-baas

apigee access tokens with apigee as identity provider


I've been using apigee's BaaS recently and also looking at Edge. I know that if I call my baas/token endpoint with a user's name and password I can obviously get a valid access token back for a user. However, this doesn't have a refresh token and the user would have to sign in again, depending on what the TTL is. Now I noticed in the apigee Edge set-up and OAuth policies that you can get access to refresh tokens, but I can't figure out how to set this up with apigee BaaS as my identity provider. I've successfully created a new OAuth proxy. First I extract the username and password from the request. I then assign these to a new service callout that hits my BaaS. This successfully passes back the correct user details and a valid BaaS access token.

At this point I use a standard GenerateAccessToken policy:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="OAuth-v20-1">
  <DisplayName>OAuth v2.0 1</DisplayName>
  <FaultRules/>
  <Properties/>
  <Attributes/>
  <Operation>GenerateAccessToken</Operation>
  <!-- token lifetime in milliseconds -->
  <ExpiresIn>8640000</ExpiresIn>
  <SupportedGrantTypes>
    <GrantType>password</GrantType>
  </SupportedGrantTypes>
  <!-- flow variables holding the grant type and the credentials extracted from the request -->
  <GrantType>grant_type</GrantType>
  <UserName>username</UserName>
  <PassWord>password</PassWord>
  <GenerateResponse enabled="true"/>
</OAuthV2>

All the variables here are set correctly. But I also have to set a basic authorization header. This header is based on the base64-encoded client_id and client string associated with my app in Edge. However, the access token that then gets returned from here doesn't work if I try to call a BaaS endpoint (even when proxied through Edge), and the "user" details that are returned with this relate to the user associated with the client_id provided, not the user whose username and password were submitted (I know I can mash up the response from my service callout, but this is more about access_tokens rather than the user data). I get why this is, as obviously the access_tokens are issued for different resources, but I thought this set-up would almost "manage" this behind the scenes. Has anybody managed to get refresh tokens set up when using apigee BaaS as the identity provider? Or am I barking up the wrong tree?

Thanks
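One way to get Edge-issued refresh tokens on top of the flow described in the question (extract credentials, service callout to BaaS, then GenerateAccessToken) is to let Edge mint both tokens for the password grant and keep the BaaS token obtained by the callout as a hidden custom attribute on the Edge access token. The two policies below are an added example, not the poster's proxy or an Apigee sample; the flow variable names `username`, `password` and `baas.token` (assumed to be populated by the preceding ExtractVariables and ServiceCallout policies) and the policy names are assumptions.

```xml
<!-- Policy 1: issue an Edge access token AND an Edge refresh token for the password grant.
     Added example; variable names (username, password, baas.token) are assumptions. -->
<OAuthV2 async="false" continueOnError="false" enabled="true" name="OAuth-v20-GenerateToken">
  <DisplayName>OAuth v2.0 GenerateToken</DisplayName>
  <Operation>GenerateAccessToken</Operation>
  <!-- lifetimes are in milliseconds: 30 minutes for the access token, 30 days for the refresh token -->
  <ExpiresIn>1800000</ExpiresIn>
  <RefreshTokenExpiresIn>2592000000</RefreshTokenExpiresIn>
  <SupportedGrantTypes>
    <GrantType>password</GrantType>
  </SupportedGrantTypes>
  <!-- read grant_type from the form body; username/password are the variables set earlier in the flow -->
  <GrantType>request.formparam.grant_type</GrantType>
  <UserName>username</UserName>
  <PassWord>password</PassWord>
  <!-- display="false" keeps the BaaS token out of the JSON token response; after a later
       VerifyAccessToken it is available to the proxy as the accesstoken.baas_token variable -->
  <Attributes>
    <Attribute name="baas_token" ref="baas.token" display="false"/>
  </Attributes>
  <GenerateResponse enabled="true"/>
</OAuthV2>

<!-- Policy 2: a separate policy, on a separate flow, exchanges the Edge refresh token
     for a new Edge access token (grant_type=refresh_token). -->
<OAuthV2 async="false" continueOnError="false" enabled="true" name="OAuth-v20-RefreshToken">
  <DisplayName>OAuth v2.0 RefreshToken</DisplayName>
  <Operation>RefreshAccessToken</Operation>
  <ExpiresIn>1800000</ExpiresIn>
  <SupportedGrantTypes>
    <GrantType>refresh_token</GrantType>
  </SupportedGrantTypes>
  <GrantType>request.formparam.grant_type</GrantType>
  <RefreshToken>request.formparam.refresh_token</RefreshToken>
  <GenerateResponse enabled="true"/>
</OAuthV2>
```

With this layout the client only ever sees Edge tokens, and the proxy reads `accesstoken.baas_token` after VerifyAccessToken to call BaaS on the user's behalf. The caveat is the one the accepted answer points at: the stored BaaS token has its own TTL and cannot itself be refreshed, so once it expires the Edge refresh token still yields a valid Edge access token but the downstream BaaS call will fail until the user authenticates again; the Edge refresh-token lifetime should therefore not exceed the BaaS token TTL.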


Solution

  • Take a look at the sample proxies at https://github.com/apigee/api-platform-samples/tree/master/sample-proxies/advanced-api-services and see if that helps. The sample stores the BaaS key/secret as attributes on the Apigee Edge Developer object (fine for a sample, but admittedly not a great production practice), but you can just as easily store these in Apigee's Secure Vault (http://apigee.com/docs/api-reference/api/vaults).

    At this time BaaS doesn't support refresh tokens.