Hi...
I have created an OAuth provider in APIC which does the authentication and authorization through the "Access Code" grant type flow(client gets AuthCode->Access Token->Invoke API). In this process, I am trying to populate the OAuth access token with some additional metadata for the consumer. I am calling an external API to populate the metadata and return it in access token.
My expectation is that, when I invoke the '/token' URL, the OAuth provider will call the external API to populate the access token metadata, but, I could observe that, when I invoke '/authorize' URL, I am seeing a hit to the external API and hence the metadata is not getting populated as expected in the access token. Please advise if I am missing anything.
Note: I have tested the access token metadata population through the "Resource owner - Password" grant type and this calls the external API as expected and populates the metadata.
I have attached the OAuth provider swagger for your review. Please check and advise.
------------------------------
Ashok Beshra
------------------------------