I am new to Apigee and I am trying to wrap my head around the OAuth2 support for APIs in Apigee. I have the questions below.
1. I noticed that the API developer has to create a 'No Target' proxy with an OAuthV2 policy (operation: GenerateAccessToken) in order for an end user to call and get an access token for their application. This is a bit confusing. How is the API user notified of this OAuth2 proxy's specifics? Isn't there a default /token endpoint supported by Apigee?
2. Does an organization create an OAuth2.0 proxy and expose the token endpoints only if they want to use OAuth2.0 in their APIs? Can there be more than one OAuth2.0 proxy? Like one to generate tokens with client_creds, another for auth_code etc.?
@test1123 wrote:
Isn't there a default /token endpoint supported by apigee ?
No, there isn't a default. You have to build that and expose that /token endpoint.
@test1123 wrote:
How is the API user notified of this OAuth2 proxy's specifics?
I guess the same way the developer would learn of any of the APIs - maybe from a developer Portal, or some other channel where you publish documentation on your APIs. You can build an Open API Spec for that token endpoint, of course. In my experience most API programs have a doc page that says something like "you must send an OAuth token in your requests. Click HERE To see how to obtain a token."
@test1123 wrote:
Does an organization create an OAuth2.0 proxy and expose the token endpoints only if they want to use OAuth2.0 in their APIs? Can there be more than one OAuth2.0 proxy? Like one to generate tokens with client_creds, another for auth_code etc.?
Yes, you create the token endpoints. You can have a single token endpoint that handles all the different grant types you want to support. Or, you could have multiple different token endpoints, one for each grant type. Which you choose, is your decision.
I myself find it easier to document a single endpoint with different request payloads. Use THIS payload for client_credentials, use THIS flow for auth_code, use THIS request for an RFC8693 token exchange, etc etc.
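As an added illustration of the single-endpoint approach described above (example configuration, not from the original post or from Apigee's samples), here is a 'No Target' proxy that exposes POST /oauth/token and attaches one OAuthV2 GenerateAccessToken policy that accepts exactly two grant types. The policy name, the /oauth base path and the one-hour lifetime are assumptions; the restrictive SupportedGrantTypes list is the part that matters, since any grant_type not listed is rejected.

```xml
<!-- apiproxy/policies/OAuthV2-GenerateAccessToken.xml (assumed policy name) -->
<OAuthV2 name="OAuthV2-GenerateAccessToken">
  <DisplayName>OAuthV2-GenerateAccessToken</DisplayName>
  <Operation>GenerateAccessToken</Operation>
  <!-- Token lifetime in milliseconds (one hour here; pick what your risk model allows). -->
  <ExpiresIn>3600000</ExpiresIn>
  <!-- Only the grant types listed are accepted; anything else sent as
       grant_type fails, so list only the flows you intend to support. -->
  <SupportedGrantTypes>
    <GrantType>client_credentials</GrantType>
    <GrantType>authorization_code</GrantType>
  </SupportedGrantTypes>
  <!-- The caller selects the flow with the grant_type form parameter. -->
  <GrantType>request.formparam.grant_type</GrantType>
  <!-- Read only for the authorization_code flow. -->
  <Code>request.formparam.code</Code>
  <RedirectUri>request.formparam.redirect_uri</RedirectUri>
  <!-- Send the token JSON straight back to the caller; there is no target. -->
  <GenerateResponse enabled="true"/>
</OAuthV2>

<!-- apiproxy/proxies/default.xml: the 'No Target' proxy that exposes the endpoint -->
<ProxyEndpoint name="default">
  <PreFlow name="PreFlow">
    <Request/>
    <Response/>
  </PreFlow>
  <Flows>
    <Flow name="token">
      <!-- Only POST /oauth/token reaches the policy. -->
      <Condition>(proxy.pathsuffix MatchesPath "/token") and (request.verb = "POST")</Condition>
      <Request>
        <Step>
          <Name>OAuthV2-GenerateAccessToken</Name>
        </Step>
      </Request>
      <Response/>
    </Flow>
  </Flows>
  <HTTPProxyConnection>
    <BasePath>/oauth</BasePath>
  </HTTPProxyConnection>
  <!-- No TargetEndpoint: the policy itself produces the response. -->
  <RouteRule name="noroute"/>
</ProxyEndpoint>
```

A client_credentials caller posts `grant_type=client_credentials` as form data with the app's key and secret in an HTTP Basic Authorization header; this is the same request shape you would document on the portal page the answer above mentions.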