If you use the API gateway as an OAuth2 client with Azure, it may be necessary to register a special OAuth2 provider. Especially if you use the PKCE flow. The reason is that during the token exchange request Azure requires an Origin header and acknowledges this with the following error message:
{"error":"invalid_request","error_description":"AADSTS9002327: Tokens issued for the 'Single-Page Application' client-type may only be redeemed via cross-origin requests.\r\nTrace ID: 0e8f9824-95f5-481a-8deb-b035b1dd8303\r\nCorrelation ID: 2e1e8f7d-a08a-420e-8908-074c2a9add4d\r\nTimestamp: 2021-07-12 13:45:27Z","error_codes":[9002327],"timestamp":"2021-07-12 13:45:27Z","trace_id":"0e8f9824-95f5-481a-8deb-b035b1dd8303","correlation_id":"2e1e8f7d-a08a-420e-8908-074c2a9add4d"}
The Azure OAuth2Provider will add the required Origin
header in the Token-Exchange request.
- Download the release package
- Copy the JAR-File into your API-Gateway(s)
ext/lib
folder and restart the API-Gateway(s) - If you don't have already, setup your OAuth-Client-Provider using Policy-Studio
- Close the Policy-Studio project
- Open Policy-Studio project file:
ExtConnsStore-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.xml
- Locate your configured Azure OAuthProviderProfile and changhe the
class
tocom.axway.oauth.client.providers.AzureOAuth2Provider
as in the example below - Re-Open the project in Policy-Studio and deploy the configuration
<?xml version="1.0" encoding="UTF-8"?>
<entity xmlns="http://www.vordel.com/2005/06/24/entityStore" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" type="OAuthProviderProfile" entityPK="6017837698390746166" parentPK="5256084280368879969">
<fval name="authzUrl">
<value>https://login.microsoftonline.com/........./oauth2/v2.0/authorize</value>
</fval>
<fval name="cacheToUse">
<value contentType="reference">
<key type="CacheManager">
<id field="name" value="Cache Manager" />
<key type="Cache">
<id field="name" value="OAuth Client State Cache" />
</key>
</key>
</value>
</fval>
<fval name="class">
<value>com.axway.oauth.client.providers.AzureOAuth2Provider</value>
</fval>
<fval name="name">
<value>Azure AD</value>
</fval>
<fval name="tokenStore">
<value contentType="reference">
<key type="OAuth2StoresGroup">
<id field="name" value="OAuth2 Stores" />
<key type="ClientAccessTokenStoreGroup">
<id field="name" value="Client Access Token Stores" />
<key type="ClientAccessTokenPersist">
<id field="name" value="OAuth Client Access Token Store" />
</key>
</key>
</key>
</value>
</fval>
<fval name="tokenUrl">
<value>https://login.microsoftonline.com/........./oauth2/v2.0/token</value>
</fval>
</entity>
This artefact has been tested with API-Management Versions
Version | Comment |
---|---|
7.7-20210530 | |
7.7-20210330 | |
7.7-20200930 |
Please let us know, if you encounter any issues with your API-Manager version.
Please read Contributing.md for details on our code of conduct, and the process for submitting pull requests to us.