Using password grant type with Apigee SaaS OAuth provider

Is it good practice to use Apigee SaaS as the OAuth provider when using the Password Grant type?

The reason for this question is that we are sending the uid and password to a cloud application.

The OAuth policy requires those details, even after validating the client app's credentials (key/secret).

Our design team is fine sending the uid/password to an Apigee OAuth provider which is on premise, but not to Apigee SaaS.

In such cases, when moving to the cloud with Apigee, we have an on-premise OAuth provider which validates the password grant information and generates the access_token, which is then used to invoke proxies in Apigee SaaS.

This being a JWT, Apigee SaaS validates the token, validates the required roles information and invokes the backend, else throws an error.

In such cases Apigee SaaS can only act as a resource server. Do we have any alternative for such a scenario to still use Apigee SaaS as an OAuth provider for the Password Grant, and what may be solid pointers to still have Apigee SaaS as the OAuth provider for the Password Grant?


If the access_token is a JWT, you can design your flow so that:

  1. the client talks to the OAuth provider and receives a JWT
  2. the client sends that JWT to Apigee Edge, POST to a /token endpoint
  3. Apigee Edge calls VerifyJWT to verify that JWT
  4. Apigee Edge calls OAuthV2/GenerateAccessToken to issue an opaque OAuth token back to the client (Apigee Edge does not need a real password to do this)
  5. the client passes THAT token (token #2) to Apigee Edge when requesting service
  6. Apigee Edge calls VerifyAccessToken
  7. Apigee Edge proxies to the backend if the token is valid
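The seven-step exchange above, written out as Apigee Edge policies. This is an added example, not code from the original reply or from Apigee; policy names, the JWKS URI, issuer and audience values, the `roles` claim name, the `/orders` path and the `orders:read` role are all assumptions. In a real proxy bundle each policy lives in its own file under `apiproxy/policies/` and the ProxyEndpoint under `apiproxy/proxies/`; they are shown together here only for reading. The user's roles are copied from the verified JWT onto the opaque token as a hidden custom attribute, so the resource flow can authorise from `accesstoken.roles` without ever seeing the JWT again, and no user password reaches Apigee SaaS: the client authenticates to `/token` with its own app key/secret under the client_credentials grant.

```xml
<!-- Step 3: verify the JWT minted by the on-premise OAuth provider.
     The client posts it as the "assertion" form parameter on /token.
     Issuer, audience and JWKS URI are assumed values. -->
<VerifyJWT name="JWT-Verify-OnPrem">
  <Algorithm>RS256</Algorithm>
  <Source>request.formparam.assertion</Source>
  <PublicKey>
    <JWKS uri="https://idp.onprem.example.com/.well-known/jwks.json"/>
  </PublicKey>
  <Issuer>https://idp.onprem.example.com</Issuer>
  <Audience>apigee-saas-token-endpoint</Audience>
  <!-- tolerate small clock skew between on-prem IdP and Apigee -->
  <TimeAllowance>30s</TimeAllowance>
</VerifyJWT>

<!-- Step 4: issue an opaque Apigee token. The client authenticates with
     its app key/secret (client_credentials), so no user password is
     involved. Roles and subject from the verified JWT are stored on the
     token as hidden custom attributes (display="false" keeps them out of
     the token response body). The jwt.{policy}.claim.{name} variables are
     the ones VerifyJWT populates. -->
<OAuthV2 name="OAuth-GenerateAccessToken">
  <Operation>GenerateAccessToken</Operation>
  <!-- 30 minutes, in milliseconds; keep it short since the JWT's own
       expiry is not enforced once the opaque token exists -->
  <ExpiresIn>1800000</ExpiresIn>
  <SupportedGrantTypes>
    <GrantType>client_credentials</GrantType>
  </SupportedGrantTypes>
  <GrantType>request.formparam.grant_type</GrantType>
  <Attributes>
    <Attribute name="roles" ref="jwt.JWT-Verify-OnPrem.claim.roles" display="false"/>
    <Attribute name="subject" ref="jwt.JWT-Verify-OnPrem.claim.subject" display="false"/>
  </Attributes>
  <GenerateResponse enabled="true"/>
</OAuthV2>

<!-- Step 6: validate the opaque token on every resource call. -->
<OAuthV2 name="OAuth-VerifyAccessToken">
  <Operation>VerifyAccessToken</Operation>
</OAuthV2>

<!-- Role check for step 7: reject a valid token that lacks the required role. -->
<RaiseFault name="RF-Forbidden">
  <FaultResponse>
    <Set>
      <StatusCode>403</StatusCode>
      <ReasonPhrase>Forbidden</ReasonPhrase>
      <Payload contentType="application/json">{"error":"insufficient_role"}</Payload>
    </Set>
  </FaultResponse>
</RaiseFault>

<!-- ProxyEndpoint wiring: /token does steps 3-4, /orders does steps 6-7. -->
<ProxyEndpoint name="default">
  <HTTPProxyConnection>
    <BasePath>/v1</BasePath>
  </HTTPProxyConnection>
  <Flows>
    <Flow name="TokenExchange">
      <Condition>(proxy.pathsuffix MatchesPath "/token") and (request.verb = "POST")</Condition>
      <Request>
        <Step><Name>JWT-Verify-OnPrem</Name></Step>
        <Step><Name>OAuth-GenerateAccessToken</Name></Step>
      </Request>
    </Flow>
    <Flow name="Orders">
      <Condition>(proxy.pathsuffix MatchesPath "/orders") and (request.verb = "GET")</Condition>
      <Request>
        <Step><Name>OAuth-VerifyAccessToken</Name></Step>
        <Step>
          <Name>RF-Forbidden</Name>
          <!-- roles attribute is assumed to be a comma-separated string -->
          <Condition>NOT (accesstoken.roles ~~ ".*orders:read.*")</Condition>
        </Step>
      </Request>
    </Flow>
  </Flows>
  <RouteRule name="default">
    <TargetEndpoint>default</TargetEndpoint>
  </RouteRule>
</ProxyEndpoint>
```

Two things to check when adopting this pattern: VerifyJWT must be the first step on `/token`, so a failed signature, issuer, audience or expiry check aborts the flow before GenerateAccessToken ever runs; and the opaque token's `ExpiresIn` should not outlive the on-premise JWT by much, because once the opaque token is issued Apigee no longer consults the JWT and revocation on the on-premise side will not be seen until the opaque token expires or is revoked in Apigee.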