Hi
I am evaluating Apigee for securing APIs via the client-credentials flow of OAuth.
In our use case the client will pass "scope" in the request to create access token(/accesstoken).
Apigee proxy should:
1) Do standard OAuth validations (validate client ID, secret, etc.)
2) If step 1 passes, validate scope by calling an external API (deployed outside Apigee environment).
3) If step 2 passes, create an access token for the client.
Please point me to documentation if the above flow is supported.
Thanks!
Sure, it's supported. I don't know if there's a specific set of documentation for that. But here's how I would do it.
I have an example proxy here. It's not a "working example" because I don't have an external API that validates the scope. But you can swap in your service there.
You could take this as a starting point, add in some FaultRules, or elaborations on how you want to generate the token.
If you need more assistance or if I have misunderstood the question, let me know.
Hi Dino
Thanks a lot for your response. Especially the example code is very helpful.
There is a small issue.
The proxy works as expected if the service callout is the first step. In this case the remote API is called, the token is created and sent to the client.
However, if the service callout is the second step, the token is created and returned to the client, but the remote API is not called.
==== Works as expected begin ====
<Request>
<Step> <Name>Service-Callout-1</Name> </Step>
<Step> <Name>GenerateAccessTokenClient</Name> </Step>
</Request>
==== Works as expected end ====
==== Remote API is not called begin ====
<Request>
<Step> <Name>GenerateAccessTokenClient</Name> </Step>
<Step> <Name>Service-Callout-1</Name> </Step> <!-- not called -->
</Request>
==== Remote API is not called end ====
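As an added example (not Dino's proxy and not from the original thread), here is one way to lay out the three steps from the question as an Apigee proxy bundle. Everything here is assumed for illustration: the client sends client_id/client_secret as HTTP Basic credentials and the requested scope as a form parameter, the external validator at https://scope-validator.example.com/validate answers 200 for an allowed scope and a 4xx otherwise, and all policy, variable and file names are invented. The ServiceCallout is placed before the token policy: GenerateAccessToken with GenerateResponse enabled writes the token response to the client itself, which matches the follow-up's observation that a step placed after it never runs.

```xml
<!-- apiproxy/proxies/default.xml (added example, assumed layout) -->
<ProxyEndpoint name="default">
  <Flows>
    <Flow name="AccessToken">
      <Condition>(proxy.pathsuffix MatchesPath "/accesstoken") and (request.verb = "POST")</Condition>
      <Request>
        <!-- 1) client identity: decode Basic auth, check client_id is a
             registered, approved app. The secret is verified in step 3. -->
        <Step><Name>Decode-Basic-Auth</Name></Step>
        <Step><Name>Verify-Client-Id</Name></Step>
        <!-- 2) ask the external API whether this client may have this scope -->
        <Step><Name>Service-Callout-1</Name></Step>
        <Step>
          <Condition>scopeCheckResponse.status.code != 200</Condition>
          <Name>Raise-Scope-Fault</Name>
        </Step>
        <!-- 3) only reached when 1) and 2) passed; keep it last -->
        <Step><Name>GenerateAccessTokenClient</Name></Step>
      </Request>
    </Flow>
  </Flows>
  <HTTPProxyConnection><BasePath>/oauth</BasePath></HTTPProxyConnection>
  <RouteRule name="noroute"/>
</ProxyEndpoint>

<!-- apiproxy/policies/Decode-Basic-Auth.xml: fails if no Basic header (assumed) -->
<BasicAuthentication name="Decode-Basic-Auth">
  <Operation>Decode</Operation>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <User ref="client_id"/>
  <Password ref="client_secret"/>
  <Source>request.header.Authorization</Source>
</BasicAuthentication>

<!-- apiproxy/policies/Verify-Client-Id.xml: proves the id, not the secret -->
<VerifyAPIKey name="Verify-Client-Id">
  <APIKey ref="client_id"/>
</VerifyAPIKey>

<!-- apiproxy/policies/Service-Callout-1.xml: external scope validator (assumed URL).
     A missing scope form parameter is a fault here, which is intended. -->
<ServiceCallout name="Service-Callout-1">
  <Request variable="scopeCheckRequest">
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <Set>
      <Verb>POST</Verb>
      <Headers>
        <Header name="Content-Type">application/x-www-form-urlencoded</Header>
      </Headers>
      <FormParams>
        <FormParam name="client_id">{client_id}</FormParam>
        <FormParam name="scope">{request.formparam.scope}</FormParam>
      </FormParams>
    </Set>
  </Request>
  <Response>scopeCheckResponse</Response>
  <Timeout>5000</Timeout>
  <HTTPTargetConnection>
    <Properties>
      <!-- assumed: treat a 4xx as a completed call so the Condition step
           above decides, instead of the callout raising ExecutionFailed -->
      <Property name="success.codes">2xx,4xx</Property>
    </Properties>
    <URL>https://scope-validator.example.com/validate</URL>
  </HTTPTargetConnection>
</ServiceCallout>

<!-- apiproxy/policies/Raise-Scope-Fault.xml: standard OAuth error for a denied scope -->
<RaiseFault name="Raise-Scope-Fault">
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
  <FaultResponse>
    <Set>
      <StatusCode>400</StatusCode>
      <ReasonPhrase>Bad Request</ReasonPhrase>
      <Payload contentType="application/json">{"error":"invalid_scope"}</Payload>
    </Set>
  </FaultResponse>
</RaiseFault>

<!-- apiproxy/policies/GenerateAccessTokenClient.xml: validates client_secret,
     mints the token and sends the response itself -->
<OAuthV2 name="GenerateAccessTokenClient">
  <Operation>GenerateAccessToken</Operation>
  <ExpiresIn>3600000</ExpiresIn>
  <SupportedGrantTypes>
    <GrantType>client_credentials</GrantType>
  </SupportedGrantTypes>
  <GrantType>request.formparam.grant_type</GrantType>
  <GenerateResponse enabled="true"/>
</OAuthV2>
```

One caveat worth keeping in mind with this layout: VerifyAPIKey only establishes that client_id belongs to a registered, approved app; the client_secret is not checked until GenerateAccessToken runs in step 3. A request carrying a valid client_id with a wrong secret therefore still reaches the external scope validator, so that service should be sized and rate limited for traffic from unauthenticated callers, or the callout should be guarded with a Quota or SpikeArrest policy keyed on client_id.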