Learn how to enable retrieval and revocation of OAuth 2.0 access tokens by end user ID, app ID, or both.

To learn how to make the API calls that perform these retrievals and revocations, see the following Smart Docs:

To retrieve and revoke existing OAuth 2.0 access tokens by end user ID, an end user ID must be present in the existing access tokens. If you are not already capturing end user IDs in your access tokens, this document will tell you how to configure your OAuth 2.0 policies to do this. You will then be able to retrieve and revoke any newly generated OAuth 2.0 access tokens by end user ID.

Enable an org to support this feature

This feature must be enabled separately for each org in which you want to support it.

Contact Apigee Support to have them update your org.

Provide oauth2 Resource Permissions to opsadmin and orgadmin Roles

Only your orgadmin and opsadmin roles should be given permissions to make these retrieve (get) and revoke (put) calls to the oauth2 resource based on end user ID or app ID.

You can use the Get Permission for a Single Resource API call to see which roles have get and put permissions for the oauth2 resource.

If you need to add or remove any permissions, contact Apigee Support to have them perform the updates.

Copy existing OAuth 2.0 access tokens to your Cassandra nodes

In this task, existing OAuth 2.0 access tokens in the impacted orgs are copied and stored in your Cassandra nodes. This procedure is performed on the Cassandra nodes of each of your Apigee Edge pods, which allows the retrieve and revoke API calls to run against all of your OAuth 2.0 access tokens, both existing and newly generated.

This task is optional if you do not need to retrieve and revoke existing OAuth 2.0 access tokens by end user ID.

Contact Apigee Support to have them perform the migration.

Add the oauth_max_search_limit property to your management server and message processor

In this task, the keymanagement.properties files for your management server and message processor are updated to include the property oauth_max_search_limit = 100. A value of 100 is Apigee's recommended value, but you can set it as you see fit.

Contact Apigee Support to have them make this addition.

Configure a GenerateAccessToken OAuth 2.0 policy to generate access tokens that include end user IDs

Perform this task to configure a GenerateAccessToken OAuth 2.0 policy to generate access tokens that include end user IDs. By including end user IDs in access tokens, you will then be able to perform retrievals and revokes by end user ID.

This task is optional if you do not need to retrieve and revoke OAuth 2.0 access tokens by end user ID.

To configure the policy to include an end user ID in an access token, you must tell the policy where to find the end user ID. To do this, add the AppEndUser element to the policy and set its value to a variable. See the AppEndUser element in the example below:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="OAuth-v20-1">
   <DisplayName>OAuth 2.0.0 1</DisplayName>
   <FaultRules/>
   <Properties/>
   <ExternalAuthorization>false</ExternalAuthorization>
   <Operation>GenerateAccessToken</Operation>
   <SupportedGrantTypes>
      <GrantType>client_credentials</GrantType>
   </SupportedGrantTypes>
   <GenerateResponse enabled="true"/>
   <GrantType>request.queryparam.grant_type</GrantType>
   <!-- Variable that resolves to the end user ID; here it is read from the appuserID request header -->
   <AppEndUser>request.header.appuserID</AppEndUser>
   <Attributes>
      <Attribute name="water">sea</Attribute>
      <Attribute name="air">fresh</Attribute>
   </Attributes>
   <ExpiresIn>960000</ExpiresIn>
   <Tokens/>
</OAuthV2>

Set AppEndUser to a variable that resolves to the app end user ID wherever your implementation carries it. For example:

  • Use a form parameter variable: request.formparam.appuserID
  • Use a flow variable providing the app end user ID
