Was this helpful?

Apigee Edge encapsulates OAuth 1.0a and OAuth 2 capabilities in a set of policies. The life cycle management of tokens and secrets, including generation, validation, and storage, is managed by Apigee Edge on behalf of your backend services.

This document specifies the flow variables defined by OAuth policies. The variables can be used to implement custom behavior for OAuth flows. For OAuth usage, see OAuth.

OAuth 2.0 flow variables

The flow variables defined in this table are populated when the respective OAuth policies are executed, and hence are available to other policies or applications executing in the API proxy flow.

Verify access token policy
  • organization_name
  • organization_name
  • developer.id
  • developer.app.name
  • client_id
  • grant_type
  • token_type
  • access_token
  • accesstoken.{custom_attribute}
  • issued_at
  • expires_in
  • status
  • scope
  • apiproduct.name*
  • apiproduct.<custom_attribute_name>*

* API product variables

Sample policy:

<OAuthV2 name="VerifyAccessToken">
    <Operation>VerifyAccessToken</Operation>
    <Scope>space-separated-scopes</Scope>*
    <AccessToken>flow.variable</AccessToken>*        
    <AccessTokenPrefix>Bearer</AccessTokenPrefix>*
</OAuthV2>

Only bearer tokens are supported. MAC tokens are not supported.

By default, the access token must be passed in the Authorization HTTP request header.

For example:

"Authorization: Bearer {PlainText_AccessToken}"

Any flow.variable can be passed as:

  • HTTP Header: request.header.{variable_name}
  • Query parameter: request.queryparam.{variable_name}
  • Form parameter: request.formparam.{variable_name}

If the optional fields are not specified, the values are extracted per the OAuth 2.0 specification.

Generate authorization code policy
Variables set on success:
  • oauthv2authcode.{policy_name}.code
  • oauthv2authcode.{policy_name}.redirect_uri
  • oauthv2authcode.{policy_name}.scope
  • oauthv2authcode.{policy_name}.client_id

Sample policy:

<OAuthV2 name="GetAuthCode">
  <Operation>GenerateAuthorizationCode</Operation>
  <ExpiresIn>1000<ExpiresIn>
  <ResponseType>flow.variable</ResponseType>*
  <ClientId>flow.variable</ClientId>*
  <RedirectUri>flow.variable</RedirectUri>*
  <Scope>flow.variable</Scope>*
  <State>flow.variable</State>*
  <Attributes>*	
    <Attribute name=”1” ref=”flow.variable”>value1</Attribute>
    <Attribute name=”2” ref=”flow.variable”>value2</Attribute>
  </Attributes>
</OAuthV2>

* Optional

Any flow.variable can be passed as:

  • HTTP Header: request.header.{variable_name}
  • Query parameter: request.queryparam.{variable_name}
  • Form parameter: request.formparam.{variable_name}

If the optional fields are not specified, the values are extracted per the OAuth 2.0 specification.

Attribute values are derived dynamically from the specified flow variable, or statically using a default value in the policy.

If both are specified, flow variable takes precedence.

Generate access token policy for grant types authorization code, user credentials, and client credentials
Variables set on success:
  • oauthv2accesstoken.{policy_name}.access_token
  • oauthv2accesstoken.{policy_name}.token_type
  • oauthv2accesstoken.{policy_name}.expires_in
  • oauthv2accesstoken.{policy_name}.refresh_token

Sample policy:

<OAuthV2 name="GenerateAccessToken">
  <Operation>GenerateAccessToken</Operation>
  <ExpiresIn>1000<ExpiresIn>
  <SupportedGrantTypes>*
    <GrantType>authorization_code</GrantType>
    <GrantType>password</GrantType>
   <GrantType>client_credentials</GrantType>
  </SupportedGrantTypes>
  <GrantType>flow.variable</GrantType>* 
  <ClientId>flow.variable</ClientId>* 
  <RedirectUri>flow.variable</RedirectUri>* 
  <Scope>flow.variable</Scope>* 
  <AppEndUser>flow.variable</AppEndUser>* 
  <Code>flow.variable</Code>* 
  <UserName>flow.variable</UserName>* 
  <PassWord>flow.variable</PassWord>*
  <Attributes>*
    <Attribute name=”1” ref=”flow.variable”>value1</Attribute> 
    <Attribute name=”2” ref=”flow.variable”>value2</Attribute>  
  </Attributes>
</OAuthV2>

* Optional

Any flow.variable can be passed as:

  • HTTP Header: request.header.{variable_name}
  • Query parameter: request.queryparam.{variable_name}
  • Form parameter: request.formparam.{variable_name}

If the optional fields are not specified, the values are extracted per the OAuth 2.0 specification.

Attribute values are derived dynamically from the specified flow variable, or statically using a default value in the policy.

If both are specified, flow variable takes precedence.

Generate access token policy for Implicit grant type
Variables set on success:
  • oauthv2accesstoken.{policy_name}.access_token
  • oauthv2accesstoken.{policy_name}.token_type
  • oauthv2accesstoken.{policy_name}.expires_in
  • oauthv2accesstoken.{policy_name}.refresh_token

Sample policy:

<OAuthV2 name="GenerateAccessToken">
  <Operation>GenerateAccessTokenImplicitGrant</Operation>
  <ExpiresIn>1000<ExpiresIn>
  <ResponseType>flow.variable></ResponseType>*
  <ClientId>flow.variable></ClientId>*
  <RedirectUri>flow.variable></RedirectUri>*
  <Scope>flow.variable></Scope>*
  <State>flow.variable></State>*
  <AppEndUser>flow.variable</AppEndUser>*					
  <Attributes>*
    <Attribute name=”1” ref=”flow.variable”>value1</Attribute>
    <Attribute name=”2” ref=”flow.variable”>value2</Attribute>
  </Attributes>
</OAuthV2>

* Optional

Any flow.variable can be passed as:

  • HTTP Header: request.header.{variable_name}
  • Query parameter: request.queryparam.{variable_name}
  • Form parameter: request.formparam.{variable_name}

If the optional fields are not specified, the values are extracted per the OAuth 2.0 specification.

Attribute values are derived dynamically from the specified flow variable, or statically using a default value in the policy.

If both are specified, flow variable takes precedence.

Refresh access token policy
Variables set on success:
  • oauthv2accesstoken.{policy_name}.access_token
  • oauthv2accesstoken.{policy_name}.token_type
  • oauthv2accesstoken.{policy_name}.expires_in
  • oauthv2accesstoken.{policy_name}.refresh_token

Sample policy:

<OAuthV2 name="RefreshAccessToken">
  <Operation>RefreshAccessToken</Operation>
  <ExpiresIn>1000<ExpiresIn>
  <GrantType>flow.variable</GrantType>*
  <RefreshToken>flow.variable</RefreshToken>*
</OAuthV2>

* Optional

Any flow.variable can be passed as:

  • HTTP Header: request.header.{variable_name}
  • Query parameter: request.queryparam.{variable_name}
  • Form parameter: request.formparam.{variable_name}

If the optional fields are not specified, the values are extracted per the OAuth 2.0 specification.

Get client attributes policy

Sample policy:

<GetOAuthV2Info name="GetClientAttributes">
<ClientId ref="{variable_name}"/>
</GetOAuthV2Info>

Sample policy:

<GetOAuthV2Info name="GetClientAttributes">
  <ClientId>{client_id}</ClientId>
</GetOAuthV2Info>
Get access token attributes policy
Variables set on success:
  • oauthv2accesstoken.{policy_name}.access_token
  • oauthv2accesstoken.{policy_name}.scope
  • oauthv2accesstoken.{policy_name}.refresh_token
  • oauthv2accesstoken.{policy_name}.accesstoken.{custom_attribute_name}
  • oauthv2accesstoken.{policy_name}.developer.id
  • oauthv2accesstoken.{policy_name}.developer.app.name
  • oauthv2accesstoken.{policy_name}.expires_in
  • oauthv2accesstoken.{policy_name}.status

Sample policy:

<GetOAuthV2Info name="GetTokenAttributes">
  <AccessToken ref="{variable_name}"/>
</GetOAuthV2Info>

Sample policy:

<GetOAuthV2Info name="GetTokenAttributes">
<AccessToken>{access_token}</AccessToken>
</GetOAuthV2Info>
Get authorization code attributes policy

Sample policy:

<GetOAuthV2Info name="GetAuthCodeAttributes">
 <AuthorizationCode ref="{variable_name}"/>
</GetOAuthV2Info>

Sample policy:

<GetOAuthV2Info name="GetAuthCodeAttributes">
    <AuthorizationCode>{authorization_code}</AuthorizationCode>
</GetOAuthV2Info>
Get refresh token attributes policy

Sample policy:

<GetOAuthV2Info name="GetTokenAttributes">
  <RefreshToken ref="{variable_name}"/>
</GetOAuthV2Info>

Sample policy:

<GetOAuthV2Info name="GetTokenAttributes">
    <RefreshToken>{refresh_token}</RefreshToken>
</GetOAuthV2Info>

OAuth 1.0a flow variables

The flow variables defined in this table are populated when the respective OAuth policies are executed, and hence are available to other policies or applications executing in the API proxy flow.

Generate request token policy

Sample policy:

<OAuthV1 name="GenerateRequestToken">
  <Operation>GenerateRequestToken</Operation>
</OAuthV1>

Variables set on success:

  • oauth_token
  • oauth_token_secret
  • oauth_callback_confirmed
  • oauth_response
  • oauth_consumer_key
  • oauth_consumer_secret

Generate access token policy

Sample policy:

<OAuthV1 name="GenerateAccessToken">
  <Operation>GenerateAccessToken</Operation>
</OAuthV1>

Variables set on success:

  • oauth_token
  • oauth_token_secret
  • oauth_response
  • oauth_consumer_key
  • oauth_consumer_secret

Access token verification policy

Sample policy:

<OAuthV1 name="VerifyAccessToken">
  <Operation>VerifyAccessToken</Operation>
</OAuthV1>

Variables set on success:

  • oauth_token
  • oauth_token_secret
  • oauth_response
  • oauth_consumer_key
  • oauth_consumer_secret

Verify API key policy

Sample policy:

<GetOAuthV1Info name="VerifyApiKey">
  <OAuthConfig>{config_name}</OAuthConfig>*
  <APIKey ref="{variable_name}" />
</GetOAuthV1Info>

* Optional

Variables set on success:

  • oauth_consumer_key
  • oauth_consumer_secret

Verify consumer policy

Sample policy:

<GetOAuthV1Info name="VerifyConsumer">
  <OAuthConfig>{config_name}</OAuthConfig>*
  <ConsumerKey ref="{variable_name}" />
</GetOAuthV1Info>

* Optional

Variables set on success:

  • oauth_consumer_key
  • oauth_consumer_secret

Verify token policy

Sample policy:

<GetOAuthV1Info name="VerifyToken">
  <OAuthConfig>{config_name}</OAuthConfig>*
  <RequestToken ref="{variable_name}" />
</GetOAuthV1Info>

* Optional

Variables set on success:

  • oauth_token
  • oauth_token_secret

Add new comment

Provide your email address if you wish to be contacted offline about your comment.
We will not display your email address as part of your comment.

We'd love your feedback and perspective! Please be as specific as possible.
Type the characters you see in this picture. (verify using audio)

Type the characters you see in the picture above; if you can't read them, submit the form and a new image will be generated. Not case sensitive.