We have the following scenario:

Proxy A: Using OAuth 2.0 policy for token generation, validation, refresh, etc.

Proxy A, before generating an OAuth 2.0 token, does a simple username/pw validation to another proxy, Proxy B.

Proxy B: has a Verify API Key policy.

We have set up our dev app so that the products for Proxy A and Proxy B are tied to it, hence they can use the same API Key. However...the key and secret come into Proxy A for use in OAuth 2.0 policy as a basic auth header:

Authorization: Basic <key>:<secret>

But Proxy B expects just the key in an http header, for use in VerifyApiKey policy:

ApiKey: <key>

We'd prefer not to write a JS policy to manually grab and parse the key portion out of the basic auth header. There's gotta be an easier way to do this since Apigee edge has numerous policies to deal with api keys.

One option was to try and use the Get OAuth v2 Info policy with the <ClientId> element, which sets client id and secret as variables, but I wasn't sure if that can only be used after an OAuth v2.0 token has been produced by OAuthV2 policy. We need to get our hands on the api key portion of the basic auth header for use in the Proxy B call before GetToken will have been executed.

Another option that looked promising is the ExtractVariables Policy, maybe with something like this:

<ExtractVariablesname='ExtractVariable-OauthToken'>
	<Source>request</Source>
	<Header name="Authorization">
		<PatternignoreCase="false">Basic {key}:{secret}</Pattern>
	</Header>
        <VariablePrefix>clientrequest</VariablePrefix>
        <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</ExtractVariables>

Then, for our service callout from Proxy A --> Proxy B, we could set a header based on {clientreqeust.key}, if I'm understanding this correctly.

Thoughts? Better/Simpler ideas?

Thanks in advance!