Set OAuth V2 Info policy

About | Samples | Element reference | Flow variables | Schema  | Related topics


Updates the profile of an access token. For example, you may want to embed a tag that is unique to you business. You might need to embed a department name, a customer ID, or, more technically, a session identifier, in the access token.


This policy can be attached in the following locations. See the Samples for specific attachment guidance in different situations.

ProxyEndpoint TargetEndpoint
    PreFlow Flow PostFlow PreFlow Flow PostFlow    
    PostFlow Flow PreFlow PostFlow Flow PreFlow    


Below is an example policy used to update an OAuth 2.0 access token. The example below locates the access token on the request message by looking for a query parameter called access_token. When an access token is presented by a client app, the policy below will locate the access token in the query parameter. It will then update the access token's profile in two ways: it will added a property called to the profile. It will also modify the access token's scope property to the value READ, WRITE.

<SetOAuthV2Info name="SetOAuthV2Info"> 
  <AccessToken ref="request.queryparam.access_token"></AccessToken>
    <Attribute name="" ref="request.queryparam.department_id"></Attribute>
    <Attribute name="scope" ref="">READ, WRITE</Attribute>

If an attribute already exists in the access token profile, then it will be updated with the new value in the policy. If an attribute does not exist, then the attribute will be added to the access token's profile.

Element Reference

The element reference describes the elements and attributes of the AssignMessage policy.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<SetOAuthV2Info async="false" continueOnError="false" enabled="true" name="SetOAuthV2Info-1">    
    <DisplayName>Set OAuth v2.0 Info 1</DisplayName>
    <AccessToken ref="request.queryparam.accessToken"></AccessToken>

<SetOAuthV2Info> attributes

<SetOAuthV2Info async="false" continueOnError="false" enabled="true" name="Set-OAuth-v20-Info-1">
Attribute Description Default Presence

Set to true to specify that the policy should be run in a thread pool different than the pool servicing the request/response flow. Default is false.

Note: This setting is only used for for internal optimization. Contact Apigee support at the Support Portal for more information.

false Optional

Most policies are expected to return an error when a failure occurs (for example, when a Quota is exceeded). By setting this attribute to true, Flow execution continues on failure.

false Optional
enabled Determines whether a policy is enforced or not. If set to false, a policy is 'turned off', and not enforced (even though the policy remains attached to a Flow). true Optional

The internal name of the policy. This name is referenced in Step elements to attach the policy to a Flow.

Note: Characters you can use in the name are restricted to: A-Z0-9._\-$ %. The Management UI enforces additional restrictions, such as automatically removing characters that are not alphanumeric.

N/A Required

<DisplayName> element

A natural-language name that labels the policy in the management UI proxy editor. If omitted, the policy name attribute is used.

<DisplayName>SetOAuthV2Info 1</DisplayName>
Default: Policy name attribute value.
Presence: Optional
Type: String

<AccessToken> element

Identifies the variable where the access token is located. For example, if the access token is attached to request message as a query parameter, specify request.queryparam.access_token.

 <AccessToken ref="request.queryparam.access_token"></AccessToken>
Default: N/A
Presence: Required
Type: String


Attribute Description Default Presence

An access token variable. Typically, retrieved from a flow variable.

N/A Optional

<Attributes> element

A set of attributes in the access token profile that will be modified or augmented.

Default: N/A
Presence: Required
Type: N/A

<Attributes>/<Attribute> element

An individual attribute to update.

The name attribute identifies the property of the access token profile to be updated. For example, to modify the access token's scope property, specify scope as the value of the name attribute.

The ref attribute specifies either variable or a static setting whose value will be used as the value of the access token profile property that will be updated. For example to update the attribute scope with the value READ, WRITE:

    <Attribute name="" ref="request.queryparam.department_id"></Attribute>
    <Attribute name="scope" ref="">READ, WRITE</Attribute>
Default: N/A
Presence: Optional
Type: N/A


Attribute Description Default Presence
name The name of the profile attribute to add or change. N/A  

The value to assign to the profile attribute.

N/A Optional

Usage notes

Use the policy when you need tokens to be updated at runtime, such as at the time when the token or code is generated by Apigee Edge.

Apigee Edge generates and distributes OAuth access tokens to apps. Edge stores those access tokens and uses them to authorize consumer apps. Some other types of OAuth tokens are also generated by Edge. These include refresh tokens and authorization codes.

When Edge generates these OAuth artifacts, it also a generates 'profile' that contains metadata related to the token or code. For example, the default access token profile contains name/value pairs that define expiration time, the associated app and developer, and so on.

The JSON representation of an Edge access token looks like the following:

  "issued_at" : "1372170159093",
  "application_name" : "ccd1803b-b557-4520-bd62-ddd3abf8e501",
  "scope" : "READ",
  "status" : "approved",
  "api_product_list" : "[FreeProduct]",
  "expires_in" : "3599",
  "" : "",
  "organization_id" : "0",
  "refresh_token" : "82XMXgDyHTpFyXOaApj8C2AGIPnN2IZe",
  "client_id" : "deAVedE0W9Z9U35PAMaAJYphBJCGdrND",
  "access_token" : "shTUmeI1geSKin0TODcGLXBNe9vp",
  "organization_name" : "apifactory",
  "refresh_count" : "0"

In some situations, you will need to update the profile of an access token. For example, you may want to embed a tag that is unique to you business. You might need to embed a department name, a customer ID, or, more technically, a session identifier, in the access token.

There are two ways to do this: Using an API call or using the SetOAuthV2Info policy. You can call the Edge management API to directly update the access token's profile. See the API documentation for the Update Access Token method.

Flow variables

On success, the following flow variables will be set:

  • oauthv2accesstoken.{policyName}.access_token
  • oauthv2accesstoken.{policyName}.client_id
  • oauthv2accesstoken.{policyName}.refresh_count
  • oauthv2accesstoken.{policyName}.organization_name
  • oauthv2accesstoken.{policyName}.expires_in
  • oauthv2accesstoken.{policyName}.refresh_token_expires_in
  • oauthv2accesstoken.{policyName}.issued_at
  • oauthv2accesstoken.{policyName}.status
  • oauthv2accesstoken.{policyName}.api_product_list
  • oauthv2accesstoken.{policyName}.token_type
  • oauthv2accesstoken.{policyName}.{custom_attribute_name}

On failure, following variable will be set:

  • oauthv2accesstoken.{policyName}.failed: true


Each policy type is defined by an XML schema (.xsd). For reference, policy schemas are available on GitHub.

Related topics

Help or comments?

  • Something's not working: See Apigee Support
  • Something's wrong with the docs: Click Send Feedback in the lower right.
    (Incorrect? Unclear? Broken link? Typo?)