authn and authz: REST API calls another REST API

What if we have a REST endpoint exposed via apigee which calls another REST end point provided by a software vendor and that software vendor does the actual authentication and authorization?

How can we achieve this?

Is using 3rd party oauth system the right approach?


@Manju - Yes. We could use a third-party OAuth system such as Firebase, ForgeRock etc. However, prefer using third-party OAuth only if necessary. The OAuth systems given above are Identity Providers (IDPs). Since you could not achieve an IDP using Apigee, it is recommended that you use them. Otherwise try using Apigee's OAuth itself, which is simple and good performance-wise.


You have the dependency with the authn and authz API. We have earlier implemented the same. You need to use a service callout to the authn or authz. In the service callout send the credentials, and once the credentials are validated the primary proxy will get a successful response; if that fails, an error response will be returned.

Then the primary proxy will process the request further depending upon the service callout response.

Thank you for your reply. A couple of follow-up questions:

When you say "In service callout send the credential" --> this credential should be created by the software vendor (as authn and authz are taken care of by it). Is this possible? If yes, should we create a clientId and secret in Apigee? And what is the use of it?

Thank you once again.

Yes, the credentials are generated and managed by Authn or Authz. Your service requester will send the credentials in the request and you will send them in the service callout to the Authn or Authz. The verification will happen there.

Creating a client id and secret in Apigee is not required in this case. Still, if you want to implement another layer of security like API key verification or OAuth 2.0 in Apigee as well, then you will have to create them.

To make the best use of all these, I would suggest using the OAuth 2.0 password grant type.

Here the user name and password validation will happen against Authz or Authn. Then the password grant type token will be generated by Apigee. And using the access token you will do the service request.
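The service-callout-then-password-grant pattern this answer describes, as an added example that is not the poster's or Apigee's own configuration: a token flow that forwards the user's credentials to the vendor's authn endpoint, stops on anything but 200, and only then lets Apigee mint the token. Policy names, the vendor URL and the form-parameter names are assumptions.

```xml
<!-- apiproxy/proxies/default.xml: token flow only (policy names are assumed) -->
<Flow name="Token">
  <Condition>(proxy.pathsuffix MatchesPath "/token") and (request.verb = "POST")</Condition>
  <Request>
    <Step><Name>SC-VendorAuthn</Name></Step>
    <Step>
      <Condition>vendorAuthResponse.status.code != 200</Condition>
      <Name>RF-VendorAuthnFailed</Name>
    </Step>
    <Step><Name>OAuthV2-PasswordGrant</Name></Step>
  </Request>
</Flow>
<!-- apiproxy/policies/SC-VendorAuthn.xml: forward the user's credentials to the vendor -->
<ServiceCallout name="SC-VendorAuthn">
  <Request clearPayload="true" variable="vendorAuthRequest">
    <Set>
      <Verb>POST</Verb>
      <Headers><Header name="Content-Type">application/x-www-form-urlencoded</Header></Headers>
      <FormParams>
        <FormParam name="username">{request.formparam.username}</FormParam>
        <FormParam name="password">{request.formparam.password}</FormParam>
      </FormParams>
    </Set>
  </Request>
  <Response>vendorAuthResponse</Response>
  <HTTPTargetConnection>
    <!-- treat 4xx as a normal response so the Step Condition above sees the status code -->
    <Properties><Property name="success.codes">2xx,4xx</Property></Properties>
    <URL>https://vendor-authn.example.invalid/authn</URL> <!-- placeholder, not a real endpoint -->
  </HTTPTargetConnection>
</ServiceCallout>
<!-- apiproxy/policies/RF-VendorAuthnFailed.xml: reject before any token is minted -->
<RaiseFault name="RF-VendorAuthnFailed">
  <FaultResponse>
    <Set>
      <StatusCode>401</StatusCode>
      <Payload contentType="application/json">{"error":"invalid_grant"}</Payload>
    </Set>
  </FaultResponse>
</RaiseFault>
<!-- apiproxy/policies/OAuthV2-PasswordGrant.xml: Apigee mints a token only after the vendor said yes -->
<OAuthV2 name="OAuthV2-PasswordGrant">
  <Operation>GenerateAccessToken</Operation>
  <ExpiresIn>3600000</ExpiresIn>
  <SupportedGrantTypes><GrantType>password</GrantType></SupportedGrantTypes>
  <GrantType>request.formparam.grant_type</GrantType>
  <UserName>request.formparam.username</UserName>
  <PassWord>request.formparam.password</PassWord>
  <GenerateResponse enabled="true"/>
</OAuthV2>
```

The client app still sends its Apigee consumer key and secret (HTTP Basic) on the /token call and Apigee checks those itself, which is the extra Apigee-side layer the reply mentions; the vendor is never given them.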