Apigee Developer? Here's The Stuff You Should Know about OAuth


This article continues @Michael Russo's article on tips that first-time Apigee Edge developers should know.

OAuth is one of the most commonly used features. Here are some tips I have around it:

  1. The default oauth proxy that comes with the org uses the client_credentials flow. There are Git samples and OAuth docs if some other flow is desired.
  2. API Products: it is easy to check the boxes 'Secure with OAuth' and 'Publish API Products' if you do not want to manually add the products.
  3. Unless you enable the 'Access Token Validation' policy (or check the box as in the step above), your APIs are not automatically protected.
  4. Similarly, unless you have a Quota policy that uses the flow variables set from the API Product, the API Product quotas are not enforced automatically (the same is true for other custom attributes in API Products).
  5. If you have to authenticate the user, you will pick one of the resource owner flows (password, implicit, auth code). In that case, you can either redirect to your login logic/app (works for 3-legged flows), use Apigee policies to talk to your user store/IDP, or use API BaaS as your user store (probably the easiest if you do not have a specific preference).
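As an added example (not from the original post), here is the proxy configuration that tips 3 and 4 describe: an OAuthV2 policy that verifies the bearer token, followed by a Quota policy whose count, interval and time unit are read from the flow variables the API Product populates once the token is verified, so the product's quota is actually enforced. The policy names, the hard-coded fallback values and the StartTime are assumed values, not anything from the original article.

```xml
<!-- Added example, not from the original post. Policy names are assumed. -->

<!-- 1. Verify the access token on every request. Without this step (or the
     'Secure with OAuth' checkbox that generates it) the proxy accepts any caller. -->
<OAuthV2 name="OAuth-VerifyAccessToken">
  <Operation>VerifyAccessToken</Operation>
</OAuthV2>

<!-- 2. Enforce the quota defined on the API Product. After VerifyAccessToken
     succeeds, Edge sets apiproduct.developer.quota.limit / .interval / .timeunit
     from the product the client's app is subscribed to. Using countRef/ref makes
     the policy follow those values; a fixed count here would silently ignore
     the product settings, which is the situation tip 4 warns about.
     The literal values are assumed fallbacks used only if the product sets none. -->
<Quota name="Quota-FromAPIProduct" type="calendar">
  <Allow count="100" countRef="apiproduct.developer.quota.limit"/>
  <Interval ref="apiproduct.developer.quota.interval">1</Interval>
  <TimeUnit ref="apiproduct.developer.quota.timeunit">month</TimeUnit>
  <!-- client_id is also set by VerifyAccessToken; count per app, not globally -->
  <Identifier ref="client_id"/>
  <StartTime>2015-01-01 00:00:00</StartTime>  <!-- assumed start date -->
  <Distributed>true</Distributed>
  <Synchronous>true</Synchronous>
</Quota>

<!-- 3. Attach both in the ProxyEndpoint PreFlow, OAuth first, because the
     Quota policy reads variables that VerifyAccessToken sets. -->
<ProxyEndpoint name="default">
  <PreFlow name="PreFlow">
    <Request>
      <Step><Name>OAuth-VerifyAccessToken</Name></Step>
      <Step><Name>Quota-FromAPIProduct</Name></Step>
    </Request>
  </PreFlow>
</ProxyEndpoint>
```

The order of the two steps matters: if the Quota policy runs before the token is verified, its `ref` variables are still empty and it falls back to the literal values, so the product quota is again not enforced. The same pattern applies to any other custom attribute on the API Product (tip 4): the attribute is only available as a flow variable after the verification step, and only takes effect where a later policy reads it.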
Version history: last updated 06-02-2015 11:16 PM