hi

We are looking for client credentials as the grant type for one of the usecase for server to server communication.

We have Azure AD as Identity provider -

1. Azure AD provides provision to create apps and associate and thus also has client credentials at their end

https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow

I can obtain access token by calling - http://login.microsoftonline.com/aa143a9f-4be7-4c86-a764-041a9cba5e8d/oauth2/v2.0/token

with client id,secret, token,scope being passed as form-parameters

I can obtain a token and then pass it to APIGEE and check with VerifyJWT whether it is a valid token or not. I will need public keys of Azure AD to perform the check that i can get

In other words token generation happened outside of Apigee already and I am validating it.

this post does talk about it - https://community.apigee.com/questions/59841/validating-jwt-generated-from-azure-ad.html

2. Other way is we create app in APIGEE and then use a service callout as prescribed in the link below to make a call to AD

https://docs.apigee.com/api-platform/security/oauth/use-third-party-oauth-system

I will have to maintain clientid, secret of azure ad in Apigee, and then make the call to retrieve the token.

What is a better option and also keeping it consistent for other granttypes that we will support with AzureAD integration

Also, for (2) Should i pass the azure ad token back to client or exchange it for another token generated in Apigee. What are the pros and cons of each, and factors to decide.

Should this token be cached for better performance using cache policy

thanks,

Aakash