I want to generate an access token using client_credentials and pass this access token in the API's Authorization header, but I don't want to pass the access token again and again?
If you are securing one API, then you need to send the access token to get validated before the request reaches the resource server.
One thing I would specify is that the client credentials grant type is used for very trusted applications. So, in that case, you can store the access token in the app until it expires, and the same will be produced by the app for subsequent requests.
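A sketch of the token reuse described in the answer above, as an added example that is not part of the original thread: the client caches the token until shortly before it expires, yet still sends it in the Authorization header on every request. `fetch_token` and `send` are hypothetical callables standing in for the HTTP calls to the token endpoint and the API.

```python
import threading
import time


class TokenCache:
    """Caches a client_credentials access token until shortly before it expires."""

    def __init__(self, fetch_token, skew_seconds=30, clock=time.monotonic):
        # fetch_token (hypothetical): POSTs grant_type=client_credentials to the
        # token endpoint and returns a dict with "access_token" and "expires_in".
        self._fetch = fetch_token
        self._skew = skew_seconds
        self._clock = clock
        self._lock = threading.Lock()  # one refresh at a time across threads
        self._token = None
        self._expires_at = 0.0

    def get(self):
        with self._lock:
            if self._token is None or self._clock() >= self._expires_at:
                resp = self._fetch()
                self._token = resp["access_token"]
                # int() tolerates a numeric string; refresh early so a token
                # does not expire while a request is in flight.
                lifetime = max(0, int(resp["expires_in"]) - self._skew)
                self._expires_at = self._clock() + lifetime
            return self._token

    def invalidate(self):
        # Call after a 401: the token may have been revoked before its expiry.
        with self._lock:
            self._token = None

    def auth_headers(self):
        # The token is still sent on every request; only the token call is skipped.
        return {"Authorization": "Bearer " + self.get()}


def call_api(cache, send):
    """send(headers) -> (status, body); retries once with a fresh token on 401."""
    status, body = send(cache.auth_headers())
    if status == 401:
        cache.invalidate()
        status, body = send(cache.auth_headers())
    return status, body
```

Keep the cache in process memory on the trusted application only; the client secret and the token should not be written to logs or shared storage.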
OAuth specifies that an access token must be passed with each request. "Again and again".
That's the way OAuth tokens work.
Please have a look.
@Priyadarshi Ajitav Jena @Dino-at-Google I agree with both answers, but my requirement is a little bit different: once we generate an access token using the client credentials grant type (with the POST verb), something like this
After this, I want, when the client hits my API like this
So in the header I am passing authorization = Bearer {Access Token}, but I don't want this. I want my client to get a response without authorization. I asked somebody and they said you can do this using the Extract Variables and Assign Message policies. Please help me, I am very new to Apigee. Thanks,
Will contact you sometime by mail.
Thanks a lot, sir.
Sir, I haven't received any mail.
I don't want this. I want my client to get a response without authorization
Yes, well, if you don't want to require authorization, then don't configure your apiproxy to require it. Do not include a policy like VerifyAccessToken in your proxy. That's pretty simple, isn't it?
I feel the need to comment further. Generating a token and sending it back to the client, only to later ... not use the token.... seems nonsensical to me. What is the point of dispensing a token to the client if the client won't subsequently use it? How will you then distinguish between authorized calls and anonymous calls if the client doesn't send a token?
I asked somebody and they said you can do this using the Extract Variables and Assign Message policies.
Hmm. I don't see how those policies have anything to do with your stated goal. If you want to allow the client to send in a request that has no authorization, then ... do that. Simply omit the VerifyAccessToken step. You don't need ExtractVariables or AssignMessage.
Be aware that exposing an API proxy that does not have a VerifyAccessToken policy (or VerifyAPIKey, etc) means that any client can call it. It's wide open. That should be obvious, but I'm telling you because you seem to be a little off-track with your ideas about ExtractVariables and so on.