OAuth Best Practice: How to get access token from external Target Endpoint (yelp) via client_credentials


I am defining an API Proxy and am confused about the best way to get an access_token, and use it with an external target. My API flow looks like this

client -> edgeApiProxy -> yelp

Authentication between client and Apigee Edge is out of scope of this question.

My API Proxy is the client for the request to Yelp, and Yelp will require me to get an access token via the client_credentials grant type. It seems I can do this with a service callout policy and just cache the token until it expires. Is this the best way to retrieve the token and use it when making calls to Yelp or other OAuth protected external resources? Looking at the OAuth policies in Apigee they all seem to be related to Edge being the authorization server and/or resource owner.

Thank you

1 ACCEPTED SOLUTION

Hi @Kd Ford,

Generally, for handling tokens of target systems, we use a populate cache and lookup cache policy combination.

First you do a service callout to get the token and populate the cache with the token, using the token expiry time as the cache expiry time.

Then, when you receive a request for a protected resource, just do a lookup in the cache for the token; if the lookup fails, do a service callout to fetch a new token and populate the cache again.

This is explained in detail in the answer here.
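The LookupCache / ServiceCallout / PopulateCache combination described above, written out as Apigee policy XML. This is an added example, not the answer author's configuration: the token endpoint URL, cache resource name, KVM-backed credential variables and policy names are placeholders, and it assumes the provider returns a JSON body carrying access_token and expires_in.

```xml
<!-- 1. Check the cache; sets lookupcache.LC-YelpToken.cachehit. "private." keeps the token masked in Trace. -->
<LookupCache name="LC-YelpToken">
  <CacheResource>yelp-token-cache</CacheResource>
  <Scope>Exclusive</Scope>
  <CacheKey><KeyFragment>yelp-access-token</KeyFragment></CacheKey>
  <AssignTo>private.yelptoken.access_token</AssignTo>
</LookupCache>

<!-- 2. On a miss, POST a client_credentials request. The URL is a placeholder;
     client_id/client_secret come from an encrypted KVM, never from a literal. -->
<ServiceCallout name="SC-YelpToken">
  <Request variable="yelpTokenRequest">
    <Set>
      <Verb>POST</Verb>
      <Headers><Header name="Content-Type">application/x-www-form-urlencoded</Header></Headers>
      <FormParams>
        <FormParam name="grant_type">client_credentials</FormParam>
        <FormParam name="client_id">{private.yelp_client_id}</FormParam>
        <FormParam name="client_secret">{private.yelp_client_secret}</FormParam>
      </FormParams>
    </Set>
  </Request>
  <Response>yelpTokenResponse</Response>
  <HTTPTargetConnection><URL>https://TOKEN-ENDPOINT-PLACEHOLDER/oauth2/token</URL></HTTPTargetConnection>
</ServiceCallout>

<!-- 3. Extract the token and its lifetime into the same variable the lookup fills on a hit. -->
<ExtractVariables name="EV-YelpToken">
  <Source>yelpTokenResponse</Source>
  <JSONPayload>
    <Variable name="access_token"><JSONPath>$.access_token</JSONPath></Variable>
    <Variable name="expires_in"><JSONPath>$.expires_in</JSONPath></Variable>
  </JSONPayload>
  <VariablePrefix>private.yelptoken</VariablePrefix>
</ExtractVariables>
<!-- 4. Cache it with the provider's expires_in as the TTL (3600 s if the field is absent). -->
<PopulateCache name="PC-YelpToken">
  <CacheResource>yelp-token-cache</CacheResource>
  <Scope>Exclusive</Scope>
  <CacheKey><KeyFragment>yelp-access-token</KeyFragment></CacheKey>
  <Source>private.yelptoken.access_token</Source>
  <ExpirySettings><TimeoutInSec ref="private.yelptoken.expires_in">3600</TimeoutInSec></ExpirySettings>
</PopulateCache>
<!-- Flow wiring: steps 2-4 run only on a miss. The target request then gets
     <Header name="Authorization">Bearer {private.yelptoken.access_token}</Header>. -->
<Step><Name>LC-YelpToken</Name></Step>
<Step><Name>SC-YelpToken</Name><Condition>lookupcache.LC-YelpToken.cachehit == false</Condition></Step>
<Step><Name>EV-YelpToken</Name><Condition>lookupcache.LC-YelpToken.cachehit == false</Condition></Step>
<Step><Name>PC-YelpToken</Name><Condition>lookupcache.LC-YelpToken.cachehit == false</Condition></Step>
```

Because the cache TTL equals expires_in exactly, a token can be served in its last second of life; a JavaScript step that subtracts a safety margin from expires_in before PopulateCache runs avoids that edge.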


6 REPLIES


Thank you for your response. The caching approach is what I was thinking. Are you confirming that the service callout is the way to fetch the token for an externally oauth-protected resource? I have it working now, but I just want to be sure there's not a built-in policy that I could leverage instead of customizing the request and doing the callout.

Thanks in advance

Yes, correct. That's the best way, and there's no built-in policy with the particular purpose of retrieving an external access token from a provider like Yelp. The ServiceCallout policy is the way to go.

Can you please share the steps for 'service callout is the way to fetch the token for an externally oauth-protected resource'?

Here's an example using ServiceCallout to fetch a token from Google. Other providers will be similar.

https://github.com/DinoChiesa/Apigee-External-Authorization-1/tree/main/sharedflows/get-gcp-token/sh...
