External Refresh Token

Report Inappropriate Content · 12-01-2015 01:09 AM

Based on http://apigee.com/docs/api-services/content/use-third-party-oauth-system

What is the exact use of an external refresh token?

Report Inappropriate Content

Hi @Mark Tse, from the link on your post: "A common use case is where you have an existing OAuth system in place, and you would like to use the tokens generated by that system with Apigee Edge. On the other hand, if you want to take advantage of Apigee Edge features like Edge Analytics, the developer app ecosystem, developer portal, and so on, you need to use tokens that were generated with Apigee's OAuth system.". The last section on the same doc contains an example on how to use it. If you have specific questions, I can help. Since I wrote it. Hope it helps.

Report Inappropriate Content

Thanks a lot, @Diego Zuluaga!

What I do not understand is that how the external refresh token is supposed to be used. So in order to refresh the external access token through Apigee, I will need to implement the corresponding callout policy to pass it to the oauth provider? Or is there is a simpler way?

DChiesa

Yes, that is correct. Implement the callout policy in Apigee Edge to call the external provider.

You could also require the client-side app to call the external provider, too. But it's the same level of complexity - just a matter of where you insert that token-refresh logic.

alexkoo

Hi Mark,

If a refresh token is generated by an external authorization server, then we can use the field ExternalRefreshToken from within the OAuthV2 policy so that Edge now recognizes that refresh token. As you would expect, you'll need a refresh token grant type flow that you would want to support in your OAuth token proxy.