Sample bundle for OAuth20 Verify AccessToken flow

sample-proxies/apikey/README.md

@@ -24,7 +24,7 @@ Update /setup/setenv.sh with your environment details
 
 Run:
 
-/setup/deploy.sh
+$ sh deploy.sh
 
 Testing
 

sample-proxies/apikey/deploy.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+
+source ../../setup/setenv.sh
+
+echo "Enter your password for the Apigee Enterprise organization $org, followed by [ENTER]:"
+
+read -s password
+
+echo Deploying $proxy to $env on $url using $username and $org
+
+../../tools/deploy.py -n apikey -u $username:$password -o $org -h $url -e $env -p / -d ../apikey
+
+echo "If 'State: deployed', then your API Proxy is ready to be invoked."
+
+echo "Run 'invoke.sh'"

sample-proxies/conditional-policy/deploy.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+
+source ../../setup/setenv.sh
+
+echo "Enter your password for the Apigee Enterprise organization $org, followed by [ENTER]:"
+
+read -s password
+
+echo Deploying $proxy to $env on $url using $username and $org
+
+../../tools/deploy.py -n conditional-policy -u $username:$password -o $org -h $url -e $env -p / -d ../conditional-policy
+
+echo "If 'State: deployed', then your API Proxy is ready to be invoked."
+
+echo "Run 'invoke.sh'"

sample-proxies/javascript-mashup/apiproxy/policies/MashItUp.xml

@@ -1,3 +1,3 @@
 <Javascript name="MashItUp" timeout="10000">
-  <ResourceURL>jsc://MashItUp.js</ResourceURL>
+  <ResourceURL>jsc://MashItUp.jsc</ResourceURL>
 </Javascript>

sample-proxies/javascript-mashup/deploy.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+
+source ../../setup/setenv.sh
+
+echo "Enter your password for the Apigee Enterprise organization $org, followed by [ENTER]:"
+
+read -s password
+
+echo Deploying $proxy to $env on $url using $username and $org
+
+../../tools/deploy.py -n javascript-mashup -u $username:$password -o $org -h $url -e $env -p / -d ../javascript-mashup
+
+echo "If 'State: deployed', then your API Proxy is ready to be invoked."
+
+echo "Run 'invoke.sh'"

sample-proxies/oauth-authcode/README.md

@@ -2,22 +2,14 @@
 
 This sample shows how use the OAuth 2.0 "authorization code" grant type, which redirects
 the end user to a login page, then once the user is authenticated, it returns
-an access token. 
-
-It also validates incoming requests using the
-access token, and uses an API Product to assign a quota value to each application, and
-enforces that quota.
+an access token. Also, shows how to refresh the accesstoken once it got expired. 
 
 It contains the following policies:
 
-1. An AssignMessage policy to set the "flow.resource.name" variable. 
-2. An OAuth 2.0 policy to generate the authorization code that is required in order to 
-authenticate a user.
-3. An OAuth 2.0 policy to generate the access token on a specific URL.
-4. An OAuth 2.0 policy to validate the access token for another URL, and to look
-up attributes from the API Product associated with the application.
-5. A policy to enforce a quota on the number of API calls based on the values set
-in the API Product.
+1. An OAuth 2.0 AuthorizationCode policy to generate the authorization code on a specific URL, called Authorization Endpoint
+   This authorization code is is required in order to authenticate a user.
+2. An OAuth 2.0 AccessToken policy to generate the access token on a specific URL, called AccessToken Endpoint
+3. An OAuth 2.0 RefreshToken policy to generate new access token on a specific URL, called RefreshToken Endpoint
 
 # Set up
 

sample-proxies/oauth-authcode/apiproxy/policies/GenerateAccessToken.xml

@@ -9,6 +9,6 @@
          type because it allows a client to get access to a token with no user authentication -->
     <GrantType>authorization_code</GrantType>
   </SupportedGrantTypes>
-    <GrantType>request.queryparam.grant_type</GrantType>
+  <GrantType>request.queryparam.grant_type</GrantType>
   <GenerateResponse/>
 </OAuthV2>

sample-proxies/oauth-authcode/apiproxy/policies/RefreshAccessToken.xml

@@ -0,0 +1,7 @@
+<OAuthV2 name="RefreshAccessToken">
+    <Operation>RefreshAccessToken</Operation>
+    <!-- This is in millseconds, so expire in half an hour -->
+    <ExpiresIn>1800000</ExpiresIn>
+    <GrantType>request.queryparam.grant_type</GrantType> 
+    <GenerateResponse/>
+</OAuthV2>

sample-proxies/oauth-authcode/apiproxy/proxies/default.xml

@@ -1,4 +1,5 @@
 <ProxyEndpoint name="default">
+
   <Flows>
     <Flow name="GetAuthCode">
       <!-- This policy flow is selected when the path exactly matches what's below -->
@@ -7,6 +8,7 @@
 	<Step><Name>GenerateAuthCode</Name></Step>
       </Request>
     </Flow>
+
     <Flow name="GetAccessToken">
       <!-- This policy flow is selected when the path exactly matches what's below -->
       <Condition>proxy.pathsuffix == "/oauth/accesstoken"</Condition>
@@ -15,11 +17,11 @@
       </Request>
     </Flow>
 
-    <Flow name="default">
-      <!-- This policy flow is selected for all other API calls -->
+    <Flow name="RefreshAccessToken">
+      <!-- This policy flow is selected when the path exactly matches what's below -->
+      <Condition>proxy.pathsuffix == "/oauth/refresh_accesstoken"</Condition>
       <Request>
-	<Step><Name>ValidateOAuth</Name></Step>
-	<Step><Name>CheckQuota</Name></Step>
+	<Step><Name>RefreshAccessToken</Name></Step>
       </Request>
     </Flow>
   </Flows>
@@ -30,8 +32,5 @@
     <!-- Listen only on the HTTPS endpoint since OAuth 2.0 requires that -->
     <VirtualHost>secure</VirtualHost>
   </HTTPProxyConnection>
-  <RouteRule name="default">
-    <!-- This connects our proxy to the target defined elsewhere -->
-    <TargetEndpoint>default</TargetEndpoint>
-  </RouteRule>
-</ProxyEndpoint>
+  <RouteRule name="NoRoute"/>
+</ProxyEndpoint>

sample-proxies/oauth-authcode/invoke.sh

@@ -1,21 +1,5 @@
 #!/bin/bash
 
-rawurlencode() {
-  local string="${1}"
-  local strlen=${#string}
-  local encoded=""
-
-  for (( pos=0 ; pos<strlen ; pos++ )); do
-     c=${string:$pos:1}
-     case "$c" in
-        [-_.~a-zA-Z0-9] ) o="${c}" ;;
-        * )               printf -v o '%%%02x' "'$c"
-     esac
-     encoded+="${o}"
-  done
-  echo "${encoded}"
-}
-
 echo "Using org and environment configured in /setup/setenv.sh"
 echo "Be sure to run scripts under ./setup/provisioning"
 
@@ -25,20 +9,27 @@ echo "Get app profile"
 echo "Enter your password for the Apigee Enterprise organization $org, followed by [ENTER]:"
 read -s password
 
-echo "Fetching callback URL and consumer key for developer application 'joe-app'"
+echo -e "Fetching callback URL and consumer key for developer application 'joe-app' \n"
 appdata=`curl -k -u "$username:$password" "$url/v1/o/$org/developers/joe@weathersample.com/apps/joe-app" 2>/dev/null`;
 callback=`echo "$appdata" | grep callbackUrl | awk -F '\"' '{ print $4 }'`;
 consumerkey=`echo "$appdata" | grep -m 1 consumerKey | awk -F '\"' '{ print $4 }'`;
 consumersecret=`echo "$appdata" | grep -m 1 consumerSecret | awk -F '\"' '{ print $4 }'`;
 
-echo "Fetching redirect URL"
-sleep 1
-redirect_headers=`curl -k --head "https://$org-$env.$api_domain/weatheroauthauthcode/oauth/authorize?response_type=code&client_id=$consumerkey&redirect_uri=$callback&scope=READ&state=foobar" 2>/dev/null`
-sleep 1
+
+###### Authozation Code Flow Begins here......
+
+authorization_request="https://$org-$env.$api_domain/weatheroauthauthcode/oauth/authorize?response_type=code&client_id=$consumerkey&redirect_uri=$callback&scope=READ&state=foobar"
+
+echo -e "\nCalling Authorization Endpoint to get authorization code: \n"
+echo -e "curl -k $authorization_request \n"
+
+echo -e "Fetching redirect URL\n"
+redirect_headers=`curl -k --head "$authorization_request" 2>/dev/null`
+
 redirect_url=`echo "$redirect_headers" | grep "Location: " | sed -e 's/^Location: //' -e 's/[ \t\n\r]\$//g'`
 
-echo "The app would now redirect to $redirect_url"
-echo "We will now simulate what would happen when authentication succeeded there."
+echo -e "The app would now redirect to $callback"
+echo -e "We will now simulate what would happen when authentication succeeded there.\n"
 
 qsparams=`echo "$redirect_url" | awk -F "?" '{ print $2 }' | sed -e 's:&: :g'`;
 for qsparam in $qsparams; do
@@ -49,7 +40,44 @@ for qsparam in $qsparams; do
 	fi
 done
 
-token_request_url="https://$org-$env.$api_domain/weatheroauthauthcode/oauth/accesstoken?grant_type=authorization_code&code=${authcode}&redirect_uri=$( rawurlencode $redirect_url )&scope=READ"
-echo "Calling $token_request_url"
-tokenoutput=`curl -k -u "$consumerkey:$consumersecret" "$token_request_url" 2>/dev/null`
-echo "$tokenoutput"
+###### AccessToken Flow Begins here......
+
+accesstoken_request="https://$org-$env.$api_domain/weatheroauthauthcode/oauth/accesstoken?grant_type=authorization_code"
+
+echo -e "\nCalling AccessToken Endpoint to get access token\n"
+
+echo -e "curl -k -u $consumerkey:$consumersecret $accesstoken_request -X POST -d \"code=${authcode}&redirect_uri=$callback&scope=READ\" -H \"Content-type: application/x-www-form-urlencoded\" \n\n"
+
+accesstoken_response=`curl -k -u $consumerkey:$consumersecret $accesstoken_request -X POST -d "code=${authcode}&redirect_uri=$callback&scope=READ" -H "Content-type: application/x-www-form-urlencoded" 2>/dev/null`
+
+echo -e "AccessToken Response \n $accesstoken_response \n"
+
+#Extracting AccessToken & RefreshToken
+access_token=`echo $accesstoken_response | awk -F "," '{ print $10 }' | awk -F ":" '{print $2}' | sed -e 's/[^a-zA-Z0-9]//g'` 
+refresh_token=`echo $accesstoken_response | awk -F "," '{ print $9 }' | awk -F ":" '{print $2}' | sed -e 's/[^a-zA-Z0-9]//g'`
+
+echo -e "AccessToken: $access_token"
+echo -e "RefreshToken: $refresh_token \n"
+
+
+###### RefreshToken Begins here......
+
+echo -e "\nNow assume that the accesstoken got expired."
+echo -e "It can be refreshed by calling to the refresh token endpoint, with the help of refreshtoken provided for the accesstoken\n"
+
+refreshtoken_request="https://$org-$env.$api_domain/weatheroauthauthcode/oauth/refresh_accesstoken?grant_type=refresh_token"
+
+echo -e "Calling RefreshToken Endpoint to get new access token\n"
+
+echo -e "curl -k -u $consumerkey:$consumersecret $refreshtoken_request -X POST -d \"refresh_token=${refresh_token}\" -H \"Content-type: application/x-www-form-urlencoded\" \n\n"
+
+new_accesstoken_response=`curl -k -u $consumerkey:$consumersecret $refreshtoken_request -X POST -d "refresh_token=${refresh_token}" -H "Content-type: application/x-www-form-urlencoded" 2>/dev/null`
+
+echo -e "New AccessToken Response \n $new_accesstoken_response \n"
+
+#Extracting AccessToken & RefreshToken
+new_access_token=`echo $new_accesstoken_response | awk -F "," '{ print $9 }' | awk -F ":" '{print $2}' | sed -e 's/[^a-zA-Z0-9]//g'`
+new_refresh_token=`echo $new_accesstoken_response | awk -F "," '{ print $8 }' | awk -F ":" '{print $2}' | sed -e 's/[^a-zA-Z0-9]//g'`
+
+echo -e "New AccessToken: $new_access_token"
+echo -e "New RefreshToken: $new_refresh_token \n\n"

sample-proxies/oauth-verify-accesstoken/README.md

@@ -0,0 +1,63 @@
+# Three-Legged OAuth
+
+This sample shows how use the OAuth 2.0 AccessToken is used to access a protected resource.
+It also validates incoming requests using the access token, and 
+uses an API Product to assign a quota value to each client and enforces that quota.
+
+It contains the following policies:
+
+1. An OAuth 2.0 policy to validate the access token for the request URL, and to look
+up attributes from the API Product associated with the application.
+2. A policy to enforce a quota on the number of API calls based on the values set
+in the API Product.
+
+# Note
+
+As, this flow involves Generation of AccessToken before requesting the protected resource,
+the "invoke.sh" will guide you through the Generation of AccessToken flow, 
+before proceeding with the Verification
+
+
+# Set up
+
+* The username and password that you use to login to enterprise.apigee.com.
+* The name of the organization in which you have an account. Login to 
+  enterprise.apigee.com and check account settings.
+
+# Configure 
+
+Update /setup/setenv.sh with your environment details
+
+Configure API products, developers, and apps in your organization:
+
+Run:
+
+/setup/provisioning/setup.sh
+
+# Import and deploy sample project
+
+Run:
+
+/setup/deploy.sh
+
+Testing
+
+$ sh invoke.sh
+
+# Get help
+
+For assistance, post to http://support.apigee.com
+
+Copyright 2013 Apigee Corporation
+
+Licensed under the Apache License, Version 2.0 (the "License"); you may not use
+this file except in compliance with the License. You may obtain a copy
+of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

sample-proxies/oauth-verify-accesstoken/apiproxy/OAuthVerifyTokenSample.xml

@@ -0,0 +1,3 @@
+<APIProxy name="OAuthVerifyTokenSample">
+  <Description>A sample API proxy that enforces OAuth 2.0 Auth Code</Description>
+</APIProxy>

sample-proxies/oauth-authcode/apiproxy/policies/CheckQuota.xml → sample-proxies/oauth-verify-accesstoken/apiproxy/policies/CheckQuota.xml

@@ -6,4 +6,4 @@
   <TimeUnit ref="apiproduct.developer.quota.timeunit"/>
   <Allow countRef="apiproduct.developer.quota.limit"/>
   <Identifier ref="client_id"/>
-</Quota>
+</Quota>

sample-proxies/oauth-verify-accesstoken/apiproxy/proxies/default.xml

@@ -0,0 +1,22 @@
+<ProxyEndpoint name="default">
+  <Flows>
+    <Flow name="default">
+      <!-- This policy flow is selected for all other API calls -->
+      <Request>
+	<Step><Name>ValidateOAuth</Name></Step>
+	<Step><Name>CheckQuota</Name></Step>
+      </Request>
+    </Flow>
+  </Flows>
+
+  <HTTPProxyConnection>
+    <!-- Add a base path to the proxy to distinguish from others in the environment -->
+    <BasePath>/weather</BasePath>
+    <!-- Listen only on the HTTPS endpoint since OAuth 2.0 requires that -->
+    <VirtualHost>secure</VirtualHost>
+  </HTTPProxyConnection>
+  <RouteRule name="default">
+    <!-- This connects our proxy to the target defined elsewhere -->
+    <TargetEndpoint>default</TargetEndpoint>
+  </RouteRule>
+</ProxyEndpoint>

sample-proxies/oauth-verify-accesstoken/apiproxy/targets/default.xml

@@ -0,0 +1,6 @@
+<TargetEndpoint name="default">
+  <HTTPTargetConnection>
+    <!-- This is where we define the target. For this sample we just use a simple URL. -->
+    <URL>http://weather.yahooapis.com/</URL>
+  </HTTPTargetConnection>
+</TargetEndpoint>

sample-proxies/oauth-verify-accesstoken/deploy.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+
+source ../../setup/setenv.sh
+
+echo "Enter your password for the Apigee Enterprise organization $org, followed by [ENTER]:"
+
+read -s password
+
+echo Deploying $proxy to $env on $url using $username and $org
+
+../../tools/deploy.py -n oauth-verify-accesstoken -u $username:$password -o $org -h $url -e $env -p / -d ../oauth-verify-accesstoken
+
+echo "If 'State: deployed', then your API Proxy is ready to be invoked."
+
+echo "Run 'invoke.sh'"