During the testing of the identity facade, our team encountered an issue where we're unable to extract the scope and a few other attributes set in OA2-StoreExternalAuthorizationCode-PKCE (during the callback endpoint) and retrieved in OA2-GetOriginalStateAttributes (in the token endpoint).
Due to this, we're unable to pass the scope to the IdP during the service callout SC-IdpTokenIssuance (in the token endpoint).
We're currently extracting other attribute values from VJ-VerifyJwtFromIdp (in the token endpoint), but we're also storing the nonce, which sometimes contains the special character +, and that is getting replaced by a space.
For example: fhsjdhcowk+1edfdgsg gets replaced as fhsjdhcowk 1edfdgsg.
Is there any solution to extract the scope before calling the service callout?
Regards,
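A `+` arriving as a space is what `application/x-www-form-urlencoded` decoding does to an unescaped `+`; that this is the cause in this proxy is an assumption. The sketch below is an added example, not part of the thread or the project's code (function names and the scope value are constructed), showing the nonce from the report surviving only when each value is percent-encoded before it is placed in a form body.

```javascript
// Added example. NONCE is the value quoted in the report; SCOPE is constructed.
const NONCE = 'fhsjdhcowk+1edfdgsg';
const SCOPE = 'openid email';

// Defective builder: concatenates raw values into the form body.
function buildFormRaw(params) {
  return Object.entries(params).map(([k, v]) => `${k}=${v}`).join('&');
}

// Corrected builder: percent-encodes keys and values, so '+' becomes %2B.
function buildFormEncoded(params) {
  return Object.entries(params)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join('&');
}

// Receiver side: form decoding treats '+' as a space, then resolves %XX.
function parseForm(body) {
  const decode = (s) => decodeURIComponent(s.replace(/\+/g, ' '));
  const out = {};
  for (const pair of body.split('&')) {
    if (!pair) continue;
    const i = pair.indexOf('=');
    const key = i < 0 ? pair : pair.slice(0, i);
    const value = i < 0 ? '' : pair.slice(i + 1);
    out[decode(key)] = decode(value);
  }
  return out;
}

// Round-trip check: names of attributes whose value changed in transit.
function corruptedKeys(params, builder) {
  const received = parseForm(builder(params));
  return Object.keys(params).filter((k) => received[k] !== params[k]);
}

const attrs = { nonce: NONCE, scope: SCOPE };
console.log('raw body     :', buildFormRaw(attrs));
console.log('  corrupted  :', corruptedKeys(attrs, buildFormRaw));
console.log('encoded body :', buildFormEncoded(attrs));
console.log('  corrupted  :', corruptedKeys(attrs, buildFormEncoded));
```

A nonce altered this way no longer matches the value issued at the start of the flow, so any later nonce comparison fails for those requests.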
I did a test and I can see the initial scope extracted from the oauthv2authcode.OA2-GetOriginalStateAttributes.scope variable, as you can see in the following screenshot.
Can you check on your side that the IdP request contains this value (cf. policy AM-BuildIdpRequest)?
I'm running this on Apigee X and below is the response on my end. The Token call succeeds but it is missing the scope variable extracted from OA2-GetOriginalStateAttributes.
In Apigee X, runtime variables don't show up in most cases. Also adding the request body for the service callout.