API Connect

Access Code grant type is not populating metadata by calling external API during access token generation

  • 1.  Access Code grant type is not populating metadata by calling external API during access token generation

    Posted Mon November 28, 2022 10:12 AM
    Hi...

    I have created an OAuth provider in APIC which does the authentication and authorization through the "Access Code" grant type flow (client gets AuthCode -> Access Token -> Invoke API). In this process, I am trying to populate the OAuth access token with some additional metadata for the consumer. I am calling an external API to populate the metadata and return it in the access token.

    My expectation is that when I invoke the '/token' URL, the OAuth provider will call the external API to populate the access token metadata, but I observe that the external API is hit when I invoke the '/authorize' URL, and hence the metadata is not getting populated as expected in the access token. Please advise if I am missing anything.

    Note: I have tested the access token metadata population through the "Resource owner - Password" grant type and this calls the external API as expected and populates the metadata.

    I have attached the OAuth provider swagger for your review. Please check and advise.

    ------------------------------
    Ashok Beshra
    ------------------------------




  • 2.  RE: Access Code grant type is not populating metadata by calling external API during access token generation

    Posted Mon November 28, 2022 02:23 PM
    I presume you are getting the information from the "Authentication" "user security" endpoint; that metadata should be carried over in the access token though?
    From what endpoint are you trying to get the metadata?

    ------------------------------
    Tom van Oppens
    ------------------------------



  • 3.  RE: Access Code grant type is not populating metadata by calling external API during access token generation

    Posted Fri January 06, 2023 05:17 AM
    Hi Tom...

    Thanks for your reply.

    "I presume you are getting the information from the "Authentication" "user security" endpoint, that metadata should be carried over in access token though?" - No, I am not using this; rather, I am using the "Metadata" section in the configuration with the "External URL" of my internal API to populate the required metadata in the access token.
    [IBM APIC Doc URL - https://www.ibm.com/docs/en/api-connect/10.0.x?topic=cnop-configuring-metadata-native-oauth-provider]

    "From what endpoint are you trying to get the metadata?" - As explained above, I have configured an HTTP external endpoint URL to get the metadata.

    On testing this OAuth provider API, I could observe that the external URL for metadata is called only once, and when I use '/token' to renew the access token after expiry, it is not called to populate the required metadata. For that matter, even during the first instance of '/token', the metadata population URL is not invoked. It is only called when a fresh OAuth API provider is created with the "Access Code" grant type and upon invocation of the '/authorize' URI to get the authorization code.

    ------------------------------
    Ashok Beshra
    ------------------------------



  • 4.  RE: Access Code grant type is not populating metadata by calling external API during access token generation

    Posted Sat February 04, 2023 10:41 AM
    Hi Tom...

    Kindly advise if it is possible to collect metadata using OAuth token generation. Thanks.

    ------------------------------
    Ashok Beshra
    ------------------------------