Testing an API using both client id and secret

rajeshnimmadan · 10-20-2020 03:23 PM

Hi Team,

As of now we are passing Client Id to an API using verify key policy. Now we would like to pass both client ID and secret, could you please share example or any document to test an API using Client ID and Secret. Here I am not trying to use OAUTH, I am just trying to validate an API using Client ID and Secret. Please tell possible cases, scenarios or policies to implement.

Thank you.

Rajesh Nimmada

deboraelkin

Perhaps the simplest way to do this is to require that cliend Id and secret be sent as a basic authorization header or as form parameters client_id and client_secret. You can then use the OAuthV2 policy (operation=GenerateAccessToken, grant type=client credentials). If the policy succeeds, that means that the client Id and secret are valid.

While you're at it, you may as well return the token to the client, as use that in subsequent requests.

With very little extra effort, you'd be implementing OAuth client credentials grant type.

See https://docs.apigee.com/api-platform/security/oauth/oauth-20-client-credentials-grant-type for more details.

rajeshnimmadan

I already mentioned I am not going to use OAUTH, I am trying to implement a simple POC just sending client id and secret

deboraelkin

Fine. Just use the the OAuth policy then, as I explained above. It's the quickest, simplest way to validate a client key and secret