How to validate authorization code?

For the Authorization Code grant type, the first step is to issue an auth code to the client. The client then comes back with the auth code and its client credentials to request a token.

We can validate the client credentials. However, how do we validate the auth code in Apigee?


@techierik,

Refer to Implementing the authorization code grant type for detailed information on how the Authorization code grant type works in Apigee Edge and how to validate the access token generated.

You can also refer to the sample implementation on GitHub.

@AMAR DEVEGOWDA, @Siddharth Barahalikar - the reference both of you gave talks about how auth code is exchanged for Authorization token (Step #7). However, it does not specify what we can do at Apigee Edge to validate the auth code.

Can someone literally skip steps 1 through 6 and directly call the POST /token end point (step 7) and pass junk as the auth code to retrieve an authorization token with an "Authorization code" grant type?

My question was how can we prevent that from happening?

I see in the sample code that the request parameters are set in the Auth code. There should be some way to validate that the Auth code passed in step #7 was indeed an Auth code that was issued in step #5, that it was issued to that client, and that it has not expired.

I am talking about a "VerifyAuthCode" operation just like the "VerifyAccessToken" operation in OAuthV2 policy.

To exchange the auth code for an access token the client needs to authN itself; in other words, it needs to provide a client_id, a secret, and a redirect URI. There's no need to validate the auth code. To prevent a brute force attack you can set up a spike arrest policy in combination with short-lived auth codes.
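As an added example that is not part of the original thread and not Apigee's OAuthV2 policy, here is what a "VerifyAuthCode"-style check at the token endpoint (the one asked for in the question above, combined with the client authentication described in the reply) looks like in plain Python. The CLIENTS registry, the 60-second code lifetime and the in-memory store are assumptions for illustration; an authorization server would keep the same data in a persistent, per-client store.

```python
"""Token-endpoint checks for the authorization-code grant (step 7).

Added example, not Apigee code. A code is accepted only if the client
authenticates, the code was actually issued, it was issued to that
client and redirect_uri, it has not expired, and it has not been used.
"""
import hmac
import secrets
import time

# Constructed client registry: hypothetical client_id / secret / redirect_uri.
CLIENTS = {
    "client-abc": {"secret": "s3cret-abc", "redirect_uri": "https://app.example/cb"},
    "client-xyz": {"secret": "s3cret-xyz", "redirect_uri": "https://other.example/cb"},
}

CODE_TTL_SECONDS = 60  # assumed lifetime; short codes shrink the brute-force window


class AuthCodeStore:
    """Keeps codes minted in the authorize step (step 5) so the token
    step (step 7) can verify that a presented code is one of ours."""

    def __init__(self):
        self._codes = {}

    def issue(self, client_id, redirect_uri, now=None):
        """Step 5: mint a code bound to this client and redirect_uri."""
        now = time.time() if now is None else now
        code = secrets.token_urlsafe(32)  # 256 bits of entropy, not guessable
        self._codes[code] = {
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "expires_at": now + CODE_TTL_SECONDS,
            "used": False,
        }
        return code

    def exchange(self, code, client_id, client_secret, redirect_uri, now=None):
        """Step 7: authenticate the client, then verify the code.

        Returns ("ok", access_token) on success, otherwise
        ("invalid_client", None) or ("invalid_grant", None) (RFC 6749 error codes).
        """
        now = time.time() if now is None else now
        client = CLIENTS.get(client_id)
        # 1. Client authentication; constant-time compare avoids a timing oracle.
        if client is None or not hmac.compare_digest(
            client["secret"].encode(), client_secret.encode()
        ):
            return "invalid_client", None
        # 2. The code must be one this server issued: junk is rejected here.
        entry = self._codes.get(code)
        if entry is None:
            return "invalid_grant", None
        # 3. It must have been issued to this client with this redirect_uri.
        if entry["client_id"] != client_id or entry["redirect_uri"] != redirect_uri:
            return "invalid_grant", None
        # 4. A replayed code is rejected (codes are single-use).
        if entry["used"]:
            return "invalid_grant", None
        # 5. It must not have expired; drop stale entries as we go.
        if now > entry["expires_at"]:
            del self._codes[code]
            return "invalid_grant", None
        entry["used"] = True
        return "ok", secrets.token_urlsafe(32)


if __name__ == "__main__":
    store = AuthCodeStore()
    code = store.issue("client-abc", "https://app.example/cb")
    print(store.exchange("junk", "client-abc", "s3cret-abc", "https://app.example/cb")[0])
    print(store.exchange(code, "client-abc", "s3cret-abc", "https://app.example/cb")[0])
    print(store.exchange(code, "client-abc", "s3cret-abc", "https://app.example/cb")[0])
```

Note that client authentication alone (check 1) is what stops an attacker who only has a stolen secret-less client_id, but it does nothing against a legitimate-looking client posting a guessed or replayed code; checks 2 through 5 are what make "skip steps 1 to 6 and post junk to /token" fail with invalid_grant.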

Hello AMAR DEVEGOWDA. How could I contact you to arrange a paid consultancy to finish a configuration task on an Apigee reverse proxy server that is causing me errors?

My answer was in Drafts for a long time. Both answers are same lol 🙂