I am planning to use apigee as source of auth code and access token with our own authentication web app which simply present user login page, consent. I will use alexa account linking as example.

Flow =

step 1: - Client (User agent) opens login page with all params client id, secret, redirect uri etc

step 2: - login page present UI and after successfully authenticazting user, calls apigee endpoint to get auth code and gets 302 response with Location header.

Now browser doesn't redirect like this origin domain A (login page) --> apigee oauth endpoint --> location header

Is it possible to user separate authorization (apigee oauth) and authentication (custom login app not hosted in apigee) server for 3 legged auth?

Refer https://stackoverflow.com/questions/22397072/are-there-any-browsers-that-set-the-origin-header-to-nu...