Third party Auth tokens - Difference between <ExternalAuthorization> and oauth_external_authorization_status

I'm reading the documentation for third-party OAuth tokens - https://docs.apigee.com/api-platform/security/oauth/use-third-party-oauth-system

What is the difference between the <ExternalAuthorization> parameter we are setting in the OAuth policy and the oauth_external_authorization_status variable we're setting through an Assign Message?

I understand oauth_external_authorization_status is set to true to indicate that the credentials are valid (meaning they have been validated somewhere else, externally). Then what is the purpose of the <ExternalAuthorization> parameter in the OAuth policy?

From the way it is documented, the purposes of these two seem to significantly overlap:

The documentation states "If you want the OAuthV2/GenerateAccessToken policy in Apigee Edge to validate the client credentials against the Edge store, set the <ExternalAuthorization> element to false inside the policy configuration, or omit it entirely. If you want to use an external authorization service to explicitly validate the client credentials, set <ExternalAuthorization> to true."

Now if I set oauth_external_authorization_status to true and <ExternalAuthorization> to false, what is the purpose of this?


Hi Krishna, you are on the right track here. The key is that the two settings do not overlap but need to be used in conjunction:

As you described, you would set the `oauth_external_authorization_status` variable to true to indicate that you successfully validated the credentials.

The `<ExternalAuthorization>` flag is used by the OAuthV2 Policy to explicitly skip the validation of the credentials against the credentials that are stored in Apigee and check the `oauth_external_authorization_status` variable instead.
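
The two settings used together, as an added configuration sketch that is not part of the original thread or the Apigee documentation. The policy names, the `SC-ValidateWithIdP` callout and its `idpResponse` variable are hypothetical; the point to note is that the AssignMessage step is conditional, because with `<ExternalAuthorization>` set to true the variable is the only thing vouching for the credentials.

```xml
<!-- AssignMessage: records the result of the external validation so the
     OAuthV2 policy can read it. Policy name is hypothetical. -->
<AssignMessage name="AM-SetExternalAuthStatus">
    <AssignVariable>
        <Name>oauth_external_authorization_status</Name>
        <Value>true</Value>
    </AssignVariable>
</AssignMessage>

<!-- OAuthV2: with ExternalAuthorization true, the policy skips validating the
     credentials against the Apigee store and checks
     oauth_external_authorization_status instead. -->
<OAuthV2 name="OA-GenerateAccessToken">
    <Operation>GenerateAccessToken</Operation>
    <ExternalAuthorization>true</ExternalAuthorization>
    <SupportedGrantTypes>
        <GrantType>client_credentials</GrantType>
    </SupportedGrantTypes>
    <GenerateResponse enabled="true"/>
</OAuthV2>

<!-- Flow attachment. SC-ValidateWithIdP stands for whatever ServiceCallout
     (hypothetical, definition not shown) sends the credentials to the external
     authorization service and stores the reply in "idpResponse". -->
<Flow name="token">
    <Request>
        <Step>
            <Name>SC-ValidateWithIdP</Name>
        </Step>
        <Step>
            <!-- Set the status only when the external service accepted the
                 credentials; an unconditional step would let every request
                 through to token generation unvalidated. -->
            <Name>AM-SetExternalAuthStatus</Name>
            <Condition>idpResponse.status.code = 200</Condition>
        </Step>
        <Step>
            <Name>OA-GenerateAccessToken</Name>
        </Step>
    </Request>
</Flow>
```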