OAuth flow variables

You're viewing Apigee Edge documentation.
Go to the Apigee X documentation. info

Apigee Edge encapsulates OAuth 1.0a and OAuth 2 capabilities in a set of policies. The life cycle management of tokens and secrets, including generation, validation, and storage, is managed by Apigee Edge on behalf of your backend services.

This document specifies the flow variables defined by OAuth policies. The variables can be used to implement custom behavior for OAuth flows. For OAuth usage, see OAuth.

OAuth 2.0 flow variables

The flow variables defined in this table are populated when the respective OAuth policies are executed, and hence are available to other policies or applications executing in the API proxy flow.

Verify access token policy

organization_name
organization_name
developer.id
developer.app.name
client_id
grant_type
token_type
access_token
accesstoken.{custom_attribute}
issued_at
expires_in
status
scope
apiproduct.name*
apiproduct.<custom_attribute_name>*

* API product variables

Sample policy:

<OAuthV2 name="VerifyAccessToken">
    <Operation>VerifyAccessToken</Operation>
    <Scope>space-separated-scopes</Scope>*
    <AccessToken>flow.variable</AccessToken>*        
    <AccessTokenPrefix>Bearer</AccessTokenPrefix>*
</OAuthV2>

Only bearer tokens are supported. MAC tokens are not supported.

By default, the access token must be passed in the Authorization HTTP request header.

For example:

"Authorization: Bearer {PlainText_AccessToken}"

Any flow.variable can be passed as:

HTTP Header: request.header.{variable_name}
Query parameter: request.queryparam.{variable_name}
Form parameter: request.formparam.{variable_name}

If the optional fields are not specified, the values are extracted per the OAuth 2.0 specification.

Generate authorization code policy

Variables set on success:

oauthv2authcode.{policy_name}.code
oauthv2authcode.{policy_name}.redirect_uri
oauthv2authcode.{policy_name}.scope
oauthv2authcode.{policy_name}.client_id

Sample policy:

<OAuthV2 name="GetAuthCode">
  <Operation>GenerateAuthorizationCode</Operation>
  <ExpiresIn>1000<ExpiresIn>
  <ResponseType>flow.variable</ResponseType>*
  <ClientId>flow.variable</ClientId>*
  <RedirectUri>flow.variable</RedirectUri>*
  <Scope>flow.variable</Scope>*
  <State>flow.variable</State>*
  <Attributes>*   
    <Attribute name=”1” ref=”flow.variable”>value1</Attribute>
    <Attribute name=”2” ref=”flow.variable”>value2</Attribute>
  </Attributes>
</OAuthV2>

* Optional

Any flow.variable can be passed as:

HTTP Header: request.header.{variable_name}
Query parameter: request.queryparam.{variable_name}
Form parameter: request.formparam.{variable_name}

If the optional fields are not specified, the values are extracted per the OAuth 2.0 specification.

Attribute values are derived dynamically from the specified flow variable, or statically using a default value in the policy.

If both are specified, flow variable takes precedence.

Generate access token policy for grant types authorization code, user credentials, and client credentials

Variables set on success:

oauthv2accesstoken.{policy_name}.access_token
oauthv2accesstoken.{policy_name}.token_type
oauthv2accesstoken.{policy_name}.expires_in
oauthv2accesstoken.{policy_name}.refresh_token

Sample policy:

<OAuthV2 name="GenerateAccessToken">
  <Operation>GenerateAccessToken</Operation>
  <ExpiresIn>1000<ExpiresIn>
  <SupportedGrantTypes>*
    <GrantType>authorization_code</GrantType>
    <GrantType>password</GrantType>
   <GrantType>client_credentials</GrantType>
  </SupportedGrantTypes>
  <GrantType>flow.variable</GrantType>* 
  <ClientId>flow.variable</ClientId>* 
  <RedirectUri>flow.variable</RedirectUri>* 
  <Scope>flow.variable</Scope>* 
  <AppEndUser>flow.variable</AppEndUser>* 
  <Code>flow.variable</Code>* 
  <UserName>flow.variable</UserName>* 
  <PassWord>flow.variable</PassWord>*
  <Attributes>*
    <Attribute name=”1” ref=”flow.variable”>value1</Attribute> 
    <Attribute name=”2” ref=”flow.variable”>value2</Attribute>  
  </Attributes>
</OAuthV2>

* Optional

Any flow.variable can be passed as:

HTTP Header: request.header.{variable_name}
Query parameter: request.queryparam.{variable_name}
Form parameter: request.formparam.{variable_name}

If the optional fields are not specified, the values are extracted per the OAuth 2.0 specification.

Attribute values are derived dynamically from the specified flow variable, or statically using a default value in the policy.

If both are specified, flow variable takes precedence.

Generate access token policy for Implicit grant type

Variables set on success:

oauthv2accesstoken.{policy_name}.access_token
oauthv2accesstoken.{policy_name}.token_type
oauthv2accesstoken.{policy_name}.expires_in
oauthv2accesstoken.{policy_name}.refresh_token

Sample policy:

<OAuthV2 name="GenerateAccessToken">
  <Operation>GenerateAccessTokenImplicitGrant</Operation>
  <ExpiresIn>1000<ExpiresIn>
  <ResponseType>flow.variable></ResponseType>*
  <ClientId>flow.variable></ClientId>*
  <RedirectUri>flow.variable></RedirectUri>*
  <Scope>flow.variable></Scope>*
  <State>flow.variable></State>*
  <AppEndUser>flow.variable</AppEndUser>*                                   
  <Attributes>*
    <Attribute name=”1” ref=”flow.variable”>value1</Attribute>
    <Attribute name=”2” ref=”flow.variable”>value2</Attribute>
  </Attributes>
</OAuthV2>

* Optional

Any flow.variable can be passed as:

HTTP Header: request.header.{variable_name}
Query parameter: request.queryparam.{variable_name}
Form parameter: request.formparam.{variable_name}

If the optional fields are not specified, the values are extracted per the OAuth 2.0 specification.

Attribute values are derived dynamically from the specified flow variable, or statically using a default value in the policy.

If both are specified, flow variable takes precedence.

Refresh access token policy

Variables set on success:

oauthv2accesstoken.{policy_name}.access_token
oauthv2accesstoken.{policy_name}.token_type
oauthv2accesstoken.{policy_name}.expires_in
oauthv2accesstoken.{policy_name}.refresh_token

Sample policy:

<OAuthV2 name="RefreshAccessToken">
  <Operation>RefreshAccessToken</Operation>
  <ExpiresIn>1000<ExpiresIn>
  <GrantType>flow.variable</GrantType>*
  <RefreshToken>flow.variable</RefreshToken>*
</OAuthV2>

* Optional

Any flow.variable can be passed as:

HTTP Header: request.header.{variable_name}
Query parameter: request.queryparam.{variable_name}
Form parameter: request.formparam.{variable_name}

If the optional fields are not specified, the values are extracted per the OAuth 2.0 specification.

Get client attributes policy

Sample policy:

<GetOAuthV2Info name="GetClientAttributes">
<ClientId ref="{variable_name}"/>
</GetOAuthV2Info>

Sample policy:

<GetOAuthV2Info name="GetClientAttributes">
  <ClientId>{client_id}</ClientId>
</GetOAuthV2Info>

Get access token attributes policy

Variables set on success:

oauthv2accesstoken.{policy_name}.access_token
oauthv2accesstoken.{policy_name}.scope
oauthv2accesstoken.{policy_name}.refresh_token
oauthv2accesstoken.{policy_name}.accesstoken.{custom_attribute_name}
oauthv2accesstoken.{policy_name}.developer.id
oauthv2accesstoken.{policy_name}.developer.app.name
oauthv2accesstoken.{policy_name}.expires_in
oauthv2accesstoken.{policy_name}.status

Sample policy:

<GetOAuthV2Info name="GetTokenAttributes">
  <AccessToken ref="{variable_name}"/>
</GetOAuthV2Info>

Sample policy:

<GetOAuthV2Info name="GetTokenAttributes">
<AccessToken>{access_token}</AccessToken>
</GetOAuthV2Info>

Get authorization code attributes policy

Sample policy:

<GetOAuthV2Info name="GetAuthCodeAttributes">
 <AuthorizationCode ref="{variable_name}"/>
</GetOAuthV2Info>

Sample policy:

<GetOAuthV2Info name="GetAuthCodeAttributes">
    <AuthorizationCode>{authorization_code}</AuthorizationCode>
</GetOAuthV2Info>

Get refresh token attributes policy

Sample policy:

<GetOAuthV2Info name="GetTokenAttributes">
  <RefreshToken ref="{variable_name}"/>
</GetOAuthV2Info>

Sample policy:

<GetOAuthV2Info name="GetTokenAttributes">
    <RefreshToken>{refresh_token}</RefreshToken>
</GetOAuthV2Info>

OAuth 1.0a flow variables

The flow variables defined in this table are populated when the respective OAuth policies are executed, and hence are available to other policies or applications executing in the API proxy flow.

Generate request token policy

Sample policy:

<OAuthV1 name="GenerateRequestToken">
  <Operation>GenerateRequestToken</Operation>
</OAuthV1>

Variables set on success:

oauth_token
oauth_token_secret
oauth_callback_confirmed
oauth_response
oauth_consumer_key
oauth_consumer_secret

Generate access token policy

Sample policy:

<OAuthV1 name="GenerateAccessToken">
  <Operation>GenerateAccessToken</Operation>
</OAuthV1>

Variables set on success:

oauth_token
oauth_token_secret
oauth_response
oauth_consumer_key
oauth_consumer_secret

Access token verification policy

Sample policy:

<OAuthV1 name="VerifyAccessToken">
  <Operation>VerifyAccessToken</Operation>
</OAuthV1>

Variables set on success:

oauth_token
oauth_token_secret
oauth_response
oauth_consumer_key
oauth_consumer_secret

Verify API key policy

Sample policy:

<GetOAuthV1Info name="VerifyApiKey">
  <OAuthConfig>{config_name}</OAuthConfig>*
  <APIKey ref="{variable_name}" />
</GetOAuthV1Info>

* Optional

Variables set on success:

oauth_consumer_key
oauth_consumer_secret

Verify consumer policy

Sample policy:

<GetOAuthV1Info name="VerifyConsumer">
  <OAuthConfig>{config_name}</OAuthConfig>*
  <ConsumerKey ref="{variable_name}" />
</GetOAuthV1Info>

* Optional

Variables set on success:

oauth_consumer_key
oauth_consumer_secret

Verify token policy

Sample policy:

<GetOAuthV1Info name="VerifyToken">
  <OAuthConfig>{config_name}</OAuthConfig>*
  <RequestToken ref="{variable_name}" />
</GetOAuthV1Info>

* Optional

Variables set on success:

oauth_token
oauth_token_secret