This article is a continuation of @Michael Russo's article on tips that first-time developers on Apigee Edge should know. OAuth is one of the most commonly used pieces of functionality, so here are some tips I have around it:
- The default OAuth proxy that comes with the org uses the client_credentials flow. There are Git samples and OAuth docs if some other flow is desired.
- API Products: it is easy to check the boxes 'Secure with OAuth' and 'Publish API Products' if you do not want to add the products manually.
- Unless you enable the 'Access Token Validation' policy (or check the box as in the step above), your APIs are not automatically protected.
- Similarly, unless you have a Quota policy that uses the flow variables set from the API Product, the API Product quotas are not enforced automatically (the same is true for other custom attributes in API Products).
- If you have to authenticate the user, you will pick one of the resource owner flows (password, implicit, auth code). In that case, you can either redirect to your login logic/app (this will work for 3-legged flows), use Apigee policies to talk to your user store/IDP, or use API BaaS as your user store (probably the easiest if you do not have a specific preference).
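The two tips about token validation and product quotas fit together in one proxy configuration, so here is an added example (not from the original article, and not an Apigee sample) showing an OAuthV2 policy that verifies the access token, a Quota policy driven by the limits configured on the API Product, and the ProxyEndpoint PreFlow that attaches both in the right order. The policy names `OAuth-Verify-Token` and `Quota-From-Product`, the fallback count of 100 per hour and the `StartTime` value are my own assumptions; the `client_id` and `apiproduct.developer.quota.*` variables are the ones the VerifyAccessToken operation populates from the matched API Product.

```xml
<!-- policies/OAuth-Verify-Token.xml
     Rejects the request with a 401 unless a valid bearer token is presented.
     On success it sets client_id and the apiproduct.developer.quota.limit /
     .interval / .timeunit variables from the API Product the app is bound to. -->
<OAuthV2 name="OAuth-Verify-Token">
  <Operation>VerifyAccessToken</Operation>
</OAuthV2>

<!-- policies/Quota-From-Product.xml
     Enforces the quota configured on the API Product. The literal values
     (100 per 1 hour; assumed defaults for this example) only apply if the
     ref'd variables are unset, e.g. when the product has no quota configured.
     StartTime is required for calendar-type quotas; the date is a placeholder. -->
<Quota name="Quota-From-Product" type="calendar">
  <!-- Count per client app rather than per proxy, so one app cannot
       exhaust the quota of every other app. -->
  <Identifier ref="client_id"/>
  <StartTime>2017-01-01 00:00:00</StartTime>
  <Interval ref="apiproduct.developer.quota.interval">1</Interval>
  <TimeUnit ref="apiproduct.developer.quota.timeunit">hour</TimeUnit>
  <Allow count="100" countRef="apiproduct.developer.quota.limit"/>
  <!-- Share the counter across message processors so the limit is a
       real org-wide limit, not one per node. -->
  <Distributed>true</Distributed>
  <Synchronous>true</Synchronous>
</Quota>

<!-- proxies/default.xml (ProxyEndpoint), abbreviated to the PreFlow.
     Order matters: verify the token first so that unauthenticated calls
     are rejected before they consume quota, and so the quota variables
     exist by the time the Quota policy runs. -->
<ProxyEndpoint name="default">
  <PreFlow name="PreFlow">
    <Request>
      <Step>
        <Name>OAuth-Verify-Token</Name>
      </Step>
      <Step>
        <Name>Quota-From-Product</Name>
      </Step>
    </Request>
    <Response/>
  </PreFlow>
  <HTTPProxyConnection>
    <BasePath>/example</BasePath>
  </HTTPProxyConnection>
  <RouteRule name="default">
    <TargetEndpoint>default</TargetEndpoint>
  </RouteRule>
</ProxyEndpoint>
```

A quick way to confirm the quota is really coming from the product is to use the trace tool: after the OAuthV2 step, `apiproduct.developer.quota.limit` should show the value set on the product, and the Quota step should report that value as its allowed count rather than the literal fallback. If the variable is empty, the app is bound to a product with no quota configured and the fallback applies.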