0

I have an API APP(say calculator) On which I enable AD Authentication using Portal. I added Calculator API into API management service. Now I want to get the OAuth token to call Calculator API. I read this post

In above post it mentioned that, get authorization code first & then get the token. I have made all the AAD applications & got the admin consent everything.

In APIM I wrote a policy to get the authorization code

<send-request mode="new" response-variable-name="responseObject" timeout="20" ignore-error="true"> <set-url>@("{{frontAuthServer}}?client_id={{clientId}}&response_type=code&redirect_uri={{FrontredirectUri}}&response_mode=query&resource={{scope}}")</set-url> <set-method>GET</set-method> </send-request> <return-response response-variable-name="existing response variable"> <set-status code="200" reason="OK" /> <set-header name="Content-Type" exists-action="override"> <value>application/json</value> </set-header> <set-body> @(new JObject(new JProperty("code",((IResponse)context.Variables["code"]).Body.As<JObject>())).ToString()) </set-body> </return-response>

But unfortunately authorization code is coming as a query parameter in response & I am not able to retrieve it using Policy. So I just want to know Is I am going into the right direction, If yes then how to retrieve Query parameter from response? OR which will be the correct way of doing this? I followed the same way mentioned here

but no luck. Is any settings needs to do ? Am I missing something?

Improve this question

1 Answer 1

Reset to default
0

If your aim is d oauth flow inside policy by effect making your api callable without oauth token - then you're on the right path. If auth token comes as a query parameter then what you're getting from server should be 302 response with location header. Do something like below:

<send-request mode="new" response-variable-name="responseObject" timeout="20" ignore-error="true"> <set-url>@("{{frontAuthServer}}?client_id={{clientId}}&response_type=code&redirect_uri={{FrontredirectUri}}&response_mode=query&resource={{scope}}")</set-url> <set-method>GET</set-method> </send-request> <set-variable name="token" value="@{ var location = ((IResponse)responseObject).Headers.GetValueOrDefault("Location"); if (string.IsNullOrEmpty(location)) { return null; } var tokenStart = location.IndexOf("token="); if (tokenStart >= 0) { tokenStart += 6; var tokenEnd = location.IndexOf("&", tokenStart); if (tokenEnd < 0) { tokenEnd = location.Length; } return location.Substring(tokenStart, tokenEnd - tokenStart); } return null; }" />

After that token should be in variable named "token" accessible in policy expressions as context.Variables["token"].

Improve this answer
Sign up to request clarification or add additional context in comments.

4 Comments

I made some changes. I put var location = ((IResponse)context.Variables["responseObject"]).Headers.GetValueOrDefault("Location"); to get location. It returns null.
I am not getting 302. Always getting 200.
It would be beneficial to trace whole OAuth flow with a tool like Fiddler to get a grasp at what requests are done and what responses are received and where is the token. After all that is known it would be possible to replicate client behavior inside a policy to obtain a token.
I also see that you're specifying response_type=code which means that you're using Authorization Code Grant that means that as a response you'll receive auth code. That also will require a second call to auth endpoint to exchange code for token and refresh token. This is a bit excessive as I believe you have to need for refresh token, so I'd recommend, if that's possible, to look intpo implicit flow.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.