How to consume OAuth protected backend APIs through Apigee


How do I configure a targetendpoint that is protected by OAuthV1 or OAuthV2?

In other words, in my flow, I need to consume backend APIs which are themselves protected by OAuthv1 or OAuthv2.

The OAuth filters in Apigee are meant for securing your own API/API proxy. How do I consume a secured backend API through Apigee?

Updates/Clarifications on Use-case

I have exposed an API proxy which is secured by API key. Within the flow of the API proxy, I have to make a couple of backend API calls. One of the backend APIs is protected through OAuth 1.0a and the other by OAuth 2.0.

The plan is to make it transparent to the consumer. While the consumer authenticates themselves only through API Key (or other additional layers of security in the future), they are unaware of the security handshake at the backend.

The backend APIs are partner APIs, managed in their own security domains.

So in this case, I have to store some credentials at the Apigee end and be able to rotate the tokens/generate the OAuth signature/nonce, etc. to make the backend call.


adas

@Ritwik Chatterjee You could configure it the same way you would for any other backend. The question is whether your backend is going to do OAuth itself, or whether there is a different endpoint for the OAuth flow that generates the token for the end user.

In case your target backend is protected by OAuthv2, you would want to make sure that the incoming API call has the Authorization header with a Bearer token, and in your proxy you just make sure that you let that header pass all the way to the backend.

To simulate this, you can actually write 2 different proxy bundles: one that does the OAuth flow and another that acts as your protected backend. I wrote up something similar, just take a look.

apigee-oauth20-rev25-2016-02-15.zip
apigee-payment-rev19-2016-02-15.zip

@arghya das, here is my situation.

I have exposed an API proxy which is secured by API key. Within the flow of the API proxy, I have to make a couple of backend API calls. One of the backend APIs is protected through OAuth 1.0a and the other by OAuth 2.0.

The plan is to make it transparent to the consumer. While the consumer authenticates themselves only through API Key (or other additional layers of security in the future), they are unaware of the security handshake at the backend.

The backend APIs are partner APIs, managed in their own security domains.

So in this case, I have to store some credentials at the Apigee end and be able to rotate the tokens/generate the OAuth signature/nonce, etc. to make the backend call.