Query in oauth-introduction Apigee docs page

The docs page http://docs.apigee.com/api-services/content/oauth-introduction says "Both schemes use the same consumer key and secret to validate the client app" under "OAuth 2.0 vs. API key security".

But in API key security, it does not verify the client app with the secret key. It uses only the consumer key. Please clarify.

@Subbu R ,

That's correct.

OAuth 2.0 Client Credentials needs both the consumer key and secret to generate an access token. You will use the access token to make API calls.

API key validation needs just the API key (consumer key), with which you will make the API call.

@docs, can we update the same to avoid confusion? API key validation doesn't need the secret key.

Thanks @Anil Sagar

@Subbu R

You are correct. The VERIFY API KEY just validates the APP Key and not the secret.

In case you need to validate the APP Secret, then you can validate that too.

When you validate the APP Key using the Verify API KEY, the VERIFY API KEY Policy generates many Apigee variables, like API product name and API developer name, and it also generates the APP SECRET.

So just compare the APP Secret with the incoming secret in the payload/header.

I hope this helps.
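The comparison described in the reply above, sketched as an added example that is not part of the thread and not Apigee's own code: a JavaScript policy step that runs after VerifyAPIKey and compares the presented secret in constant time. The policy name `Verify-API-Key`, the header `x-app-secret` and the flow variable `secret_check.valid` are assumptions chosen for illustration.

```javascript
// Added example, not from the thread. Intended to run as an Apigee JavaScript
// policy placed after a VerifyAPIKey policy. Hypothetical names: policy
// "Verify-API-Key", header "x-app-secret", flow variable "secret_check.valid".

// Compare two strings without returning on the first mismatch, so response
// timing does not reveal how many leading characters were correct.
function constantTimeEquals(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string') return false;
  var diff = a.length ^ b.length;          // length mismatch already fails
  for (var i = 0; i < a.length; i++) {
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i % (b.length || 1));
  }
  return diff === 0;
}

// Read the secret that VerifyAPIKey populated and the one the client sent,
// then record the result in a flow variable for a later fault condition.
function checkAppSecret(ctx, policyName, headerName) {
  var expected = ctx.getVariable('verifyapikey.' + policyName + '.client_secret');
  var presented = ctx.getVariable('request.header.' + headerName);
  // Missing or empty values fail closed instead of comparing "" to "".
  var ok = !!expected && !!presented &&
           constantTimeEquals(String(presented), String(expected));
  ctx.setVariable('secret_check.valid', ok);
  return ok;
}

// Inside Apigee the global `context` object exists; elsewhere this is skipped.
if (typeof context !== 'undefined') {
  checkAppSecret(context, 'Verify-API-Key', 'x-app-secret');
}
```

A later step in the flow can reject the request when `secret_check.valid` is false.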

Thanks @gbhandari

Yes... I can see that clientsecret is populated in the Verify API key policy once executed.

But the docs say the policy scheme itself validates both key and secret, just like OAuth. And I hope it still needs to be corrected.

Thanks for catching that. I updated the doc.