We have a proxy that verifies API Key and Secret before passing to an
external IDP for an access token. The first OAUTH policy works fine to
validate the client if the call is specific to just getting an access
token. However, the first OAUTH policy ...