External OAUTH providers using APIGEE without using apigee oauth policies


I am currently working on a solution including Apigee as the API gateway and ForgeRock OpenAM as the Authorization server. We were thinking of using service callouts in Apigee to validate the access token generated using the OpenAM system. However, I am confused about the following quote from the Apigee OAuth documentation:

A common use case is where you have an existing OAuth system in place, and you would like to use the tokens generated by that system with Apigee Edge. On the other hand, if you want to take advantage of Apigee Edge features like Edge Analytics, the developer app ecosystem, developer portal, and so on, you need to use tokens that were generated with Apigee's OAuth system. This topic explains how to configure Apigee Edge to work with third-party (non-Apigee Edge) OAuth systems.

Here is the link to the documentation: http://docs.apigee.com/api-services/content/use-third-party-oauth-system

My question is: What exactly do I lose if I don't use the Apigee OAuthV2 policies and configure my own callouts to validate the access tokens? My current design is that Apigee will only verify the client key to validate the app, and all the user verification and authentication will be handled using callouts to OpenAM. Is there something wrong with this design when it comes to Apigee? This is something I have done successfully using other API platforms like Axway.


@aradhika ,

Welcome to Apigee Community.

I don't think there is anything wrong with your design; it's perfectly fine to use a third-party Authorization server.

Regarding:

What exactly do I lose if I don't use the Apigee OAuthV2 policies and configure my own callouts to validate the access tokens?

  • You mentioned "Apigee will only verify the client key to validate the app". If it's an Apigee-generated client ID, you will get all the advantages of Edge Analytics, the developer app ecosystem, developer portal, and so on.
  • So you don't lose any Apigee features.

@docs, we might need to update the page mentioned above with a little more clarity regarding tokens / Apigee-generated keys.

Hello,

One advantage of storing the access_token in Apigee is the ability to associate metadata with the token. Once the access_token is retrieved from the third-party service, additional information may be included, like claim information. This can be stored in the API layer. In future requests, when Apigee validates the access_token, it can pick up the metadata and use it, saving another call to retrieve it.

http://docs.apigee.com/api-services/content/use-third-party-oauth-system
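As an added illustration of the approach the reply above describes (not code from the thread or from Apigee's own docs), the following two OAuthV2 policies store a token issued by an external authorization server in Apigee together with custom attributes, and then read those attributes back on later requests. The policy element names (ExternalAuthorization, ExternalAccessToken, StoreToken, Attributes) and the oauth_external_authorization_status flow variable follow the third-party OAuth page linked above; the flow variable names openam.access_token, openam.subject and openam.scope are assumed to have been populated by an earlier ServiceCallout/ExtractVariables step in the proxy and are constructed for this example.

```xml
<!-- Added example, not from the thread. Assumes the proxy has already called
     the external authorization server (e.g. ServiceCallout to OpenAM),
     extracted its response into the flow variables openam.access_token,
     openam.subject and openam.scope, and set
     oauth_external_authorization_status to "true" (e.g. via AssignMessage)
     only when that callout succeeded. -->
<OAuthV2 name="OAuthV2-StoreExternalToken">
  <Operation>GenerateAccessToken</Operation>
  <!-- Accept an externally issued token instead of minting an Apigee one. -->
  <ExternalAuthorization>true</ExternalAuthorization>
  <!-- Name of the flow variable that holds the third-party access token. -->
  <ExternalAccessToken>openam.access_token</ExternalAccessToken>
  <!-- Persist the token in Apigee's token store so VerifyAccessToken can find it. -->
  <StoreToken>true</StoreToken>
  <!-- Lifetime in milliseconds; keep it no longer than the external token's own lifetime
       so Apigee never treats a token as valid after the issuer has expired it. -->
  <ExpiresIn>3600000</ExpiresIn>
  <SupportedGrantTypes>
    <GrantType>client_credentials</GrantType>
  </SupportedGrantTypes>
  <GrantType>request.queryparam.grant_type</GrantType>
  <!-- Metadata stored alongside the token. display="false" keeps the values
       out of the token response sent to the client. -->
  <Attributes>
    <Attribute name="subject" ref="openam.subject" display="false"/>
    <Attribute name="openam_scope" ref="openam.scope" display="false"/>
  </Attributes>
  <GenerateResponse enabled="true"/>
</OAuthV2>

<!-- On subsequent API calls, VerifyAccessToken validates the stored token
     (read from the Authorization: Bearer header by default) and exposes each
     stored attribute as accesstoken.{attribute name}, e.g. accesstoken.subject,
     so downstream policies can use the claim data without another callout. -->
<OAuthV2 name="OAuthV2-VerifyStoredToken">
  <Operation>VerifyAccessToken</Operation>
</OAuthV2>
```

Note that with this layout the external server is only consulted when the token is first presented; afterwards, revocation on the external side is not seen by Apigee until the stored copy expires, so the ExpiresIn value is the main lever for bounding that window.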