There are 3 App scenarios and questions that follow.
Background
Assume that all APIs except OAuth-ClientCredentials proxy are protected by Apigee's OAuth/VerifyAccessToken policy.
App 1
App 2
App 3
- No Products (achievable by deletion via API)
Product A
- OAuth-ClientCredentials proxy (to generate token via HTTP Basic Auth)
- No resource paths
Product B
- No API proxies
- No resource paths
Questions
- Does App 1 have access to all APIs (protected and non-protected) by nature of association with Product B?
- Does App 2 have access to all APIs (protected and non-protected)? This notably includes access to OAuth-ClientCredentials proxy which is not listed in any Products.
- Does App 3 have access to all APIs (protected and non-protected)?
The answer to all 3 question is yes.
- Yes -- As a convenience for fast prototyping with OAuth integration, developers do not need to list/update a Product with new API proxies for inclusion in Apigee's OAuth system.
- Yes -- Taking the App 1 test one step further, Product A is not even required for prototyping.
- Yes -- This is an atypical case. The UI does not allow an admin to delete all Products for a particular App. An admin would need to delete via API.
Also note that once you include 1 API proxy in a Product, the Product is locked down. Thereafter, access is restricted to the API proxies specifically listed in that Product.