Proxy and target end point both secured by oauth2

I am working on a proxy where the first level of OAuth 2 at the proxy generates a token and appends it to the header with the key Authorization. The target endpoint generates an OAuth 2 token too. This OAuth 2 token needs to be appended to the header again and call a different endpoint with the same key as Authorization. The problem is we can't have a single key as Authorization and two values. How should I approach this?


Can you try to simplify the above, as it is a little unclear?

If you want to manipulate headers, you can use Remove header wherever you don't want to propagate the headers to the backend.

https://docs.apigee.com/api-platform/reference/policies/assign-message-policy#remove

<Remove>
  <Headers>
    <Header name="<<HeaderName>>"/>
  </Headers>
</Remove>

Hi. 

[Attached images: proxy1.PNG, proxy2.PNG]

Hope this is clear. The proxy is integrated with OAuth2 as it's a norm by my organization. And I am not able to pass two headers with the same name.

Looks like you may have a misunderstanding; please speak to your internal teams.

Usually you generate a token with OAuth (in your case it's client credentials) by passing client id/client secret in the Authorization header to generate an opaque/JWT (whichever is your implementation).

Now once you have the opaque/JWT token, you will pass it to resource calls (in your case it's /data) by passing Authorization Bearer <<token>>. Technically you have already done the token issuance and are using the token to call the resources, and you don't need to pass again which you have done in step 1.

I would encourage you to speak to your internal teams, and if they insist on it (which may be an incorrect path), you may need to pass them as custom headers (meaning one with Authorization and the other could be some custom header), and/or append both headers separated by an underscore or some kind of representation, and in Apigee you need to extract/read both headers to validate.
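An added example, not part of the thread or of any poster's configuration: an AssignMessage policy that applies the header-removal suggestion above so that each hop carries only one Authorization value. It assumes the proxy has already verified the caller's token and that an earlier step stored the target-issued token in a flow variable; the policy name and the variable name `target.access_token` are hypothetical.

```xml
<!-- Added example. Attach to the target request flow, after the proxy has
     verified the caller's token. -->
<AssignMessage continueOnError="false" enabled="true" name="AM-Swap-Authorization">
  <!-- Drop the caller's token so it is never forwarded to the backend. -->
  <Remove>
    <Headers>
      <Header name="Authorization"/>
    </Headers>
  </Remove>
  <!-- Send the backend only the token issued for it.
       target.access_token is a hypothetical flow variable populated
       by an earlier step that obtained the target token. -->
  <Set>
    <Headers>
      <Header name="Authorization">Bearer {target.access_token}</Header>
    </Headers>
  </Set>
  <!-- Fail the request instead of sending "Bearer " with an empty token. -->
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>
```

With this in place the caller-facing token and the backend-facing token never share a request, so the single Authorization key is enough and the caller's credential is not exposed to the target.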