Layer 7 API Management

Expand all | Collapse all

OAuth2.0 with data passed in body of POST

Jump to Best Answer
  • 1.  OAuth2.0 with data passed in body of POST

    Posted 11-24-2016 09:21 PM

    Hi All,


    I'm struggling with setting up an oauth2.0 example in the gateway. The basic demo is to get the name of an account on Reddit using OAuth2.0.


    I've got my application registered with Reddit, the initial browser redirect (302), authorization in Reddit and the call back with a code all working fine.


    Where I'm stuck is attempting to submit the code in order to obtain the access token.


    I started by trying to use the "Retrieve OAuth 2.0 Token - Authorization Code" assertion as it appears to be how this is done for the facebook/google example.

    This assertion doesn't seem to be able to pass parameters such as client_id, grant_type and redirect_uri in the body.

    In any case it fails and I don't know why or even if it is to be used for the callback. It does work for the initial browser redirect in that it correctly generates the "oauth.auth_req_url" variable in that case.


    I then attempted to use the "Route via HTTP(s)" assertion and set the POSTed data manually. This fails as the assertion doesn't pass the data that is set in the HTTP->Customize Request Form POST Parameters dialog (I have verified this separately).

    I then attempted to copy the "request" message to a separate message variable "request_copy", customise the 'mainpart' of that variable and then send that using "request_copy" as the Request Source. This also fails and sends the data from the original request.


    Am I going about this the wrong way?

    Is there any way of sending a custom POST message?


    For reference, here is an example of interacting with Reddit's OAuth API using Python that I have been following:

    OAuth2 Python Example · reddit/reddit Wiki · GitHub 



  • 2.  Re: OAuth2.0 with data passed in body of POST

    Posted 11-24-2016 09:26 PM
      |   view attached

    Attaching policy.


    zip   2K 1 version

  • 3.  Re: OAuth2.0 with data passed in body of POST

    Posted 11-25-2016 11:24 AM



    Looking at your policy it appears that we will need the RetrieveOAuth2Token encapsulated assertion to help you out.




    Stephen Hughes

    Director, CA Support

  • 4.  Re: OAuth2.0 with data passed in body of POST

    Posted 11-27-2016 11:34 PM

    Adding screenshots for the encapsulated assertion.


    policy1AuthServer detailparameters

  • 5.  Re: OAuth2.0 with data passed in body of POST
    Best Answer

    Posted 11-28-2016 04:49 PM

    Hi John,


    With regards to POSTING the form data in a route assertion, you can do the following to exchange the code for a token:


    1. Create a context variable of type message, content-type: application/x-www-form-urlencoded and the below form data replacing these values with your own:




    2. In the Route assertion properties, change the HTTP method to POST and REQUEST SOURCE to the variable you created above



    If you still run into issues it may be worth opening a ticket so we can review further. I have a working sample of the Retrieve OAuth 2.0 Token assertion I can provide as well, but would need some tweaking to fit your environment.