
How to Validate an Externally-generated OAuth token


Hi,

I want to know how to validate a token generated by a third-party application in Apigee Edge (the token to be verified is not a JWT).

This is how the client is making the request(s):

Step 1: to get Access Token

The client sends a request to the proxy created in Apigee Edge. The request contains username, password, client id, client secret and grant type (password). The target endpoint is the internal OAuth server.
The response contains access_token, token_type, refresh_token, expiry details, etc.

Step 2: to call the actual endpoint

The client sends the request to another proxy in Apigee and passes the token received from the previous request as a Bearer token in the Authorization header.
Here the target endpoint is the API that sends the response requested by the client.

Now, I want to know how I can validate the token in Step 2, where the token was received from the internal OAuth server in Step 1. What policies need to be added, and where?

1 ACCEPTED SOLUTION

Former Community Member

When you perform step 1, you might want to also use Apigee's OAuth policy and store that token. Please refer to this link on how that can be done (http://docs.apigee.com/api-services/content/use-third-party-oauth-system). The policy has three options you'd be interested in: set external auth server to true, store external access to true and store refresh token to true.

With this step, Apigee stores (and manages going forward) the access token generated by the external auth server. Since it has also stored the refresh token, it can also renew access tokens. Finally, perhaps most importantly, you can validate the access token without having to leave Apigee.

In step 2, use the Apigee Oauth policy (with default config) to validate the access token.

NOTE: To complete the process, you will also need to import the client id and secret (aka consumer key and secret) from the external auth server to Apigee. You can read about that here: http://docs.apigee.com/developer-services/content/import-existing-consumer-keys-and-secrets

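The policy configuration the accepted solution describes, written out as an added example (it is not part of the answer or of the Apigee documentation). It assumes an ExtractVariables policy in proxy 1 has already copied the internal OAuth server's JSON response fields into the flow variables ext.access_token, ext.refresh_token and ext.expires_in; those variable names and the policy names are assumptions.

```xml
<!-- Proxy 1 (Step 1), target response flow, attached after the internal OAuth
     server has replied and after the assumed ExtractVariables policy has run. -->

<!-- Tells the OAuthV2 policy that the external server already authenticated
     the user, so it only registers the token instead of issuing its own. -->
<AssignMessage name="AM-ExternalAuthStatus">
  <AssignVariable>
    <Name>oauth_external_authorization_status</Name>
    <Value>true</Value>
  </AssignVariable>
</AssignMessage>

<!-- The three settings the answer refers to: ExternalAuthorization,
     StoreToken (external access token) and ExternalRefreshToken. -->
<OAuthV2 name="OAuth-StoreExternalToken">
  <Operation>GenerateAccessToken</Operation>
  <ExternalAuthorization>true</ExternalAuthorization>
  <StoreToken>true</StoreToken>
  <!-- flow variables populated by the assumed ExtractVariables policy -->
  <ExternalAccessToken>ext.access_token</ExternalAccessToken>
  <ExternalRefreshToken>ext.refresh_token</ExternalRefreshToken>
  <ExternalExpiresIn>ext.expires_in</ExternalExpiresIn>
  <SupportedGrantTypes>
    <GrantType>password</GrantType>
  </SupportedGrantTypes>
  <!-- where grant_type arrives in the client's request (form body assumed) -->
  <GrantType>request.formparam.grant_type</GrantType>
  <GenerateResponse enabled="true"/>
</OAuthV2>

<!-- Proxy 2 (Step 2), proxy request preflow. The Bearer token in the
     Authorization header is checked against Apigee's token store; an unknown,
     revoked or expired token raises a fault and the target is never called.
     The client_id used in Step 1 must belong to an app imported into Apigee,
     as the answer's NOTE says, or Step 1 fails before any token is stored. -->
<OAuthV2 name="OAuth-VerifyToken">
  <Operation>VerifyAccessToken</Operation>
</OAuthV2>
```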
