Customizing Tokens and Authorization Codes

This page applies to Apigee and Apigee hybrid.

View Apigee Edge documentation.

About token and authorization code metadata

Apigee generates OAuth access tokens, refresh tokens, and authorization codes, and dispenses them to authenticated apps. At generation time, Apigee stores those tokens and codes. Later, when Apigee receives inbound API requests bearing these tokens or codes, Apigee uses the stored information to authorize the requests.

When Apigee generates these OAuth artifacts, it also attaches metadata to the token or code. For example, an access token is associated to name/value pairs that define expiration time, the associated app and developer, and other information.

The JSON representation of an Apigee access token looks like the following:

{
  "issued_at" : "1372170159093",
  "application_name" : "ccd1803b-b557-4520-bd62-ddd3abf8e501",
  "scope" : "READ",
  "status" : "approved",
  "api_product_list" : "[Product1,Product2]",
  "api_product_list_json" : ["Product1", "Product2"],
  "expires_in" : "3599", //--in seconds
  "developer.email" : "joe@weathersample.com",
  "organization_id" : "0",
  "refresh_token" : "82XMXgDyHTpFyXOaApj8C2AGIPnN2IZe",
  "client_id" : "deAVedE0W9Z9U35PAMaAJYphBJCGdrND",
  "access_token" : "shTUmeI1geSKin0TODcGLXBNe9vp",
  "organization_name" : "apifactory",
  "refresh_count" : "0"
}

Adding custom attributes to OAuth tokens and authorization codes

Sometimes it's useful to attach custom metadata to an access token. For example, you might wish to add a user name, group memberships or roles for a user, a customer ID, a session identifier, or other arbitrary information to a token. In Apigee, these data are called "custom attributes." Subsequently, when the token is verified within the scope of an API request, that data is made available to the API proxy via context variables. An API proxy could make fine-grained authorization or routing decisions based on the custom data that is attached to the token.

To attach arbitrary data to a token, use the <Attributes> element in the OAuthV2 policy. You can specify the name and value of the custom attribute. For example, here is a policy configuration that generates a token and attaches a custom attribute called "tenant_list" to the token:

<OAuthV2 name="GenerateAccessToken">
  <Operation>GenerateAccessToken</Operation>
  <ExpiresIn>600000</ExpiresIn>
  <GenerateResponse />
  <SupportedGrantTypes>
    <GrantType>client_credentials</GrantType>
  </SupportedGrantTypes>
  <GrantType>request.queryparam.grant_type</GrantType>
  <Attributes> 
    <Attribute name="tenant_list" ref="tenant_list_retrieved_from_external_service" display="false"/>
  </Attributes>
</OAuthV2>

You can specify multiple custom attributes, and you can attach them implicitly to either an authorization code (<Operation>GenerateAuthorizationCode</Operation>) or a token (<Operation>GenerateAccessToken</Operation>) at the time of generation.

When display is set to true (the default), custom attributes are returned in the response, where they may be viewable by the app, or passed on to the end user. When display is set to false, custom attributes are stored in the data store, but are not returned in the response message. In either case, the custom data is available to the policies within the API Proxy, after the token has been verified.

For more information about the display option, see Displaying or hiding custom attributes in the response.

Getting custom access token attributes at runtime

When there is a call to OAuthV2/VerifyAccessToken, Apigee verifies the token by looking it up in the token store. Apigee then populates a set of context variables containing information about the token. These include:

  • organization_name
  • developer.id
  • developer.app.name
  • client_id
  • grant_type
  • token_type
  • access_token
  • issued_at
  • expires_in //--in seconds
  • status
  • scope
  • apiproduct.name*

If there are any custom attributes on the token, those custom attributes are made available in a context variable with the name accesstoken.{custom_attribute}. For example, suppose a token is issued from the policy shown above. After verifying such a token, there would be an additional context variable named accesstoken.tenant_list, containing the value that was stored at the time the token was generated.

Policies or conditions can then refer to these variables and modify behavior based on the values stored within.

Setting and updating custom attributes at runtime

In some situations, you will want your API Proxy to update the metadata associated to an access token at runtime while an API call is being processed on Apigee. To help with this, Apigee provides policies for getting and setting token attributes. For more information, see Get OAuth V2 Info policy and Set OAuth V2 Info policy.

In each of these policies, the AccessToken element should refer to a variable that contains the access token.