
I have an API app (say, Calculator) on which I enabled AD authentication using the portal. I added the Calculator API into the API Management service. Now I want to get the OAuth token to call the Calculator API. I read this post

In the above post it is mentioned that you get the authorization code first and then get the token. I have made all the AAD applications and got the admin consent, everything.

In APIM I wrote a policy to get the authorization code:

    <send-request mode="new" response-variable-name="responseObject" timeout="20" ignore-error="true">
        <set-url>@("{{frontAuthServer}}?client_id={{clientId}}&response_type=code&redirect_uri={{FrontredirectUri}}&response_mode=query&resource={{scope}}")</set-url>
        <set-method>GET</set-method>
    </send-request>
    <!-- return-response without response-variable-name builds a fresh response from the elements below -->
    <return-response>
        <set-status code="200" reason="OK" />
        <set-header name="Content-Type" exists-action="override">
            <value>application/json</value>
        </set-header>
        <!-- the variable read here must be the one named in response-variable-name above ("responseObject") -->
        <set-body>@(new JObject(new JProperty("code", ((IResponse)context.Variables["responseObject"]).Body.As<JObject>())).ToString())</set-body>
    </return-response>

But unfortunately the authorization code comes back as a query parameter in the response, and I am not able to retrieve it using a policy. So I just want to know: am I going in the right direction? If yes, then how do I retrieve a query parameter from the response? Or what would be the correct way of doing this? I followed the same way mentioned here

but no luck. Do any settings need to be done? Am I missing something?

Rohi_Dev_1.0

1 Answer


If your aim is to do the OAuth flow inside the policy, in effect making your API callable without an OAuth token, then you're on the right path. If the auth token comes as a query parameter, then what you're getting from the server should be a 302 response with a Location header. Do something like below:

<send-request mode="new" response-variable-name="responseObject" timeout="20" ignore-error="true">
    <set-url>@("{{frontAuthServer}}?client_id={{clientId}}&response_type=code&redirect_uri={{FrontredirectUri}}&response_mode=query&resource={{scope}}")</set-url>
    <set-method>GET</set-method>
</send-request>

<set-variable name="token" value="@{
    // read the response stored by send-request above; the name must match its response-variable-name
    var location = ((IResponse)context.Variables["responseObject"]).Headers.GetValueOrDefault("Location", "");
    if (string.IsNullOrEmpty(location)) {
        return null;
    }

    // plain substring search: "token=" also matches "id_token=" or "access_token=",
    // and the value is returned exactly as it appears in the header (still URL-encoded)
    var tokenStart = location.IndexOf("token=");
    if (tokenStart >= 0) {
        tokenStart += "token=".Length;
        var tokenEnd = location.IndexOf("&", tokenStart);
        if (tokenEnd < 0) {
            tokenEnd = location.Length;
        }

        return location.Substring(tokenStart, tokenEnd - tokenStart);
    }
    return null;
}" />

After that the token should be in the variable named "token", accessible in policy expressions as context.Variables["token"].

Vitaliy Kurokhtin
  • I made some changes. I put var location = ((IResponse)context.Variables["responseObject"]).Headers.GetValueOrDefault("Location"); to get location. It returns null. – Rohi_Dev_1.0 Jun 13 '17 at 03:58
  • I am not getting 302. Always getting 200. – Rohi_Dev_1.0 Jun 13 '17 at 05:51
  • It would be beneficial to trace the whole OAuth flow with a tool like Fiddler to get a grasp of what requests are done, what responses are received and where the token is. After all that is known it would be possible to replicate the client behavior inside a policy to obtain a token. – Vitaliy Kurokhtin Jun 13 '17 at 17:40
  • I also see that you're specifying response_type=code, which means that you're using the Authorization Code Grant, which means that as a response you'll receive an auth code. That will also require a second call to the auth endpoint to exchange the code for a token and refresh token. This is a bit excessive, as I believe you have no need for a refresh token, so I'd recommend, if that's possible, looking into the implicit flow. – Vitaliy Kurokhtin Jun 13 '17 at 17:57
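The parsing that the policy expression in the answer has to do, written out as a Python stand-in so it can be run offline. This is an added example, not code from the question or the answer: the Response class, the redirect URLs and the code, token and state values are all constructed here. It goes a step beyond the answer: it reads both the query string of the code flow and the URL fragment of the implicit flow mentioned in the last comment, treats the 200 reply reported in the comments as "login page, needs a browser" rather than something to parse, rejects a redirect whose state does not match the one sent, and shows next to it what the bare IndexOf("token=") search returns.

```python
"""Classify the authorization endpoint's reply and pull out the code or token.

Added example, not code from the question or answer. The Response class, the
redirect URLs and every code/token/state value below are made up for this demo.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qs

REDIRECT_STATUSES = (301, 302, 303, 307)


@dataclass
class Response:
    """Minimal stand-in for APIM's IResponse (constructed for this example)."""
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def _params(component: str) -> dict:
    # parse_qs splits on '&' and URL-decodes each value; keep_blank_values so
    # a bare "error=" still shows up as a key.
    return {k: v[0] for k, v in parse_qs(component, keep_blank_values=True).items()}


def extract_auth_result(resp: Response, expected_state: str) -> dict:
    """Return a dict whose 'kind' is 'code', 'token', 'login_required' or 'error'."""
    if resp.status == 200:
        # No user session behind the request: the endpoint serves its login
        # page with 200 instead of redirecting. There is nothing to parse; a
        # browser has to complete this step (the behaviour seen in the comments).
        return {"kind": "login_required"}
    if resp.status not in REDIRECT_STATUSES:
        return {"kind": "error", "error": f"unexpected status {resp.status}"}

    location = next((v for k, v in resp.headers.items() if k.lower() == "location"), "")
    if not location:
        return {"kind": "error", "error": "redirect without Location header"}

    parts = urlsplit(location)
    params = {**_params(parts.query),      # response_mode=query (code flow)
              **_params(parts.fragment)}   # response_mode=fragment (implicit flow)

    if "error" in params:
        return {"kind": "error", "error": params["error"],
                "description": params.get("error_description", "")}
    # The state we sent must come back unchanged; otherwise the redirect may
    # have been planted by someone else (CSRF / code injection).
    if params.get("state") != expected_state:
        return {"kind": "error", "error": "state mismatch"}
    if "code" in params:
        return {"kind": "code", "code": params["code"]}
    if "access_token" in params:
        return {"kind": "token", "token": params["access_token"],
                "token_type": params.get("token_type", "")}
    return {"kind": "error", "error": "redirect carried neither code nor token"}


def naive_substring_extract(location: str, marker: str = "token=") -> str:
    """The IndexOf/Substring approach from the answer, for comparison: it takes
    the first occurrence of the marker anywhere, so 'token=' also matches
    'id_token=', and the value comes back still URL-encoded."""
    start = location.find(marker)
    if start < 0:
        return ""
    start += len(marker)
    end = location.find("&", start)
    return location[start:] if end < 0 else location[start:end]


# Constructed sample replies
STATE = "n0nce-123"
CODE_REDIRECT = Response(302, {"Location":
    "https://calculator.example/cb?code=AQABfake%2Bcode%3D&state=n0nce-123&session_state=abc"})
IMPLICIT_REDIRECT = Response(302, {"Location":
    "https://calculator.example/cb#id_token=eyJ.id.fake&access_token=eyJ.access.fake"
    "&token_type=Bearer&expires_in=3599&state=n0nce-123"})
LOGIN_PAGE = Response(200, {"Content-Type": "text/html"}, "<html>sign in</html>")
CONSENT_ERROR = Response(302, {"Location":
    "https://calculator.example/cb?error=consent_required"
    "&error_description=User+consent+required&state=n0nce-123"})
FORGED_REDIRECT = Response(302, {"Location":
    "https://calculator.example/cb?code=attacker-code&state=other"})


def demo() -> dict:
    """Run every sample through both extractors."""
    return {
        "code": extract_auth_result(CODE_REDIRECT, STATE),
        "implicit": extract_auth_result(IMPLICIT_REDIRECT, STATE),
        "login": extract_auth_result(LOGIN_PAGE, STATE),
        "consent": extract_auth_result(CONSENT_ERROR, STATE),
        "forged": extract_auth_result(FORGED_REDIRECT, STATE),
        "naive_code": naive_substring_extract(CODE_REDIRECT.headers["Location"], "code="),
        "naive_token": naive_substring_extract(IMPLICIT_REDIRECT.headers["Location"]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12} {result}")
```

The same logic transfers to a policy expression (System.Uri and System.Web.HttpUtility.ParseQueryString are available there), but the point of the stand-in is what the expression must get right: decode the value, match the parameter name exactly, check state, and recognise that a 200 from the authorize endpoint means the server wants an interactive sign-in, not that the redirect has a different shape.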