Proxy that handles access_token refresh token to external API

In my org, we have a host of microservices that communicate with a third-party API through an Apigee proxy. This proxy authenticates the internal requests using our own OAuth and then strips those values out of the request and appends an application key required by the third-party vendor.

This vendor is moving to a more robust access_token/refresh_token model where the caller needs to periodically get a new set of tokens to validate the request. For my org, it is not possible to have every service that uses this endpoint change their behavior to support this, plus we already have a strong internal authentication model, so it makes sense for the proxy to handle this mechanism.

I investigated Apigee’s OAuth2 model and it supports this mechanism for internal requests, but not for managing external requests. I have started to develop my own proxy using cached values, but it is problematic.

I figure this is a common enough model that this has probably already been done by many of you here. So, before I continue down this path, can anyone help point me in the right direction or provide an example of a proxy that has this behavior?

Thank you.

1 REPLY

This guide: https://docs.apigee.com/api-platform/security/oauth/use-third-party-oauth-system sounds close enough to what you're describing that it's probably a good starting-off point.
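The cached-token behaviour described in the question, as an added example that is not part of the original thread and is not Apigee policy code: a token manager that refreshes ahead of expiry, lets concurrent requests share one refresh call, and swaps the caller's internal credential for the vendor token. `tokenEndpoint`, the response field names and the `Bearer` header are assumptions about the vendor's interface.

```javascript
// Added example (assumptions: tokenEndpoint(grant) is a hypothetical async function
// that posts to the vendor's token URL and resolves to
// { access_token, refresh_token, expires_in } with expires_in in seconds).
class VendorTokenManager {
  constructor(tokenEndpoint, initialRefreshToken, { skewMs = 30000, now = Date.now } = {}) {
    this.tokenEndpoint = tokenEndpoint;
    this.refreshToken = initialRefreshToken;
    this.skewMs = skewMs;      // refresh this long before the real expiry
    this.now = now;            // injectable clock, for testing
    this.accessToken = null;
    this.expiresAt = 0;
    this.inFlight = null;      // shared promise so only one refresh runs at a time
  }

  async getAccessToken() {
    if (this.accessToken && this.now() < this.expiresAt - this.skewMs) {
      return this.accessToken; // cached token is still comfortably valid
    }
    if (!this.inFlight) {
      // Clear the slot on success or failure so a failed refresh can be retried.
      this.inFlight = this.refresh().finally(() => { this.inFlight = null; });
    }
    return this.inFlight;      // concurrent callers wait on the same refresh
  }

  async refresh() {
    const res = await this.tokenEndpoint({
      grant_type: 'refresh_token',
      refresh_token: this.refreshToken,
    });
    this.accessToken = res.access_token;
    this.expiresAt = this.now() + res.expires_in * 1000;
    // If the vendor rotates refresh tokens, the old one is now dead: store the new one.
    if (res.refresh_token) this.refreshToken = res.refresh_token;
    return this.accessToken;
  }
}

// Drop the caller's internal Authorization header and attach the vendor token.
async function toVendorHeaders(internalHeaders, manager) {
  const out = {};
  for (const [name, value] of Object.entries(internalHeaders)) {
    if (name.toLowerCase() !== 'authorization') out[name] = value;
  }
  out.Authorization = `Bearer ${await manager.getAccessToken()}`;
  return out;
}
```

This cache lives in one process. With several proxy instances and a vendor that rotates refresh tokens, the token pair has to be kept in a shared store and refreshed under a lock, otherwise one instance invalidates the refresh token another is about to use.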