
OAuth2 token generation: client-to-IDP-Apigee or client-Apigee-IDP

We want to generate a token in the IDP (Azure AD) for external clients, and then verify it at Apigee.

I am confused between two scenarios:

A. The client communicates directly with the IDP, fetches the token, and then presents it to Apigee, which validates it.

B. The client communicates directly with Apigee, and Apigee communicates with the IDP (Azure AD) to generate the token and gives it back to the client.

In some posts I see option A being used, but not much reasoning is given for choosing this option.

@Dino-at-Google @Priyadarshi Ajitav Jena if you can share some thoughts.


A.

Pros

1. The gateway is not doing the token generation and cache handling

2. JWT expiry is taken care of directly at the client level, not at Apigee

Cons

1. The client has to maintain the {clientid, secret} of the IDP (Azure AD) and at least the client ID of Apigee

B.

Pros

1. Only one set of client ID and secret, i.e. Apigee's

2. Abstracts the token generation and the interaction with the IDP away from clients

3. Reduces coupling: if we move to another IDP, clients will not break, as they can still use the same client ID and secret. Changes would be at the Apigee level

4. Can cache the token at Apigee to avoid callouts for each request

Cons

1. Expiry of tokens in the Apigee cache

2. Maintaining privileges in Apigee for the IDP. May be a concern as per organization policies

thanks,

Aakash

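The two options above, as an added example that is not part of the original post and not Apigee's or Azure AD's own code. Option A is the gateway-side check a VerifyJWT policy performs on a client-presented token (signature, issuer, audience, expiry); option B is a gateway that obtains tokens from the IDP on the client's behalf and caches them, refreshing ahead of expiry so a cached token never reaches the backend expired. Assumptions: a constructed HS256 shared-secret signer stands in for the RS256/JWKS tokens Azure AD really issues (the verification steps are the same; only the signature check differs), and the issuer, audience, secret, and client IDs are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholders; a real deployment would use the tenant's issuer URL,
# the API's registered audience, and an RS256 signing key fetched via JWKS.
SHARED_SECRET = b"constructed-demo-secret"
ISSUER = "https://login.microsoftonline.com/example-tenant/v2.0"
AUDIENCE = "api://apigee-backend"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_issue_token(subject: str, now: int, ttl: int = 3600) -> str:
    """Stand-in for the IDP's /token endpoint (constructed; HS256 instead of RS256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": subject, "iat": now, "exp": now + ttl}
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def gateway_verify(token: str, now: int, leeway: int = 30) -> dict:
    """Option A: the gateway validates a client-presented token. Returns claims or raises ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # Only accept the algorithm the gateway is configured for; never let the token pick it
    # (this rejects alg=none and algorithm-confusion attempts).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SHARED_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("wrong audience")
    if now > int(claims.get("exp", 0)) + leeway:
        raise ValueError("token expired")
    return claims


def is_token_valid(token: str, now: int) -> bool:
    try:
        gateway_verify(token, now)
        return True
    except ValueError:
        return False


class GatewayTokenCache:
    """Option B: the gateway fetches tokens from the IDP for its own clients and caches them.

    The expiry is taken from the token itself and a safety margin is subtracted, so the
    'expiry of tokens in the Apigee cache' concern is handled by refreshing early.
    """

    def __init__(self, issue, margin: int = 60):
        self.issue = issue          # callable standing in for the ServiceCallout to the IDP
        self.margin = margin
        self.cache = {}             # apigee_client_id -> {"token", "exp"}
        self.callouts = 0           # how many times the IDP was actually called

    def get(self, apigee_client_id: str, now: int) -> str:
        entry = self.cache.get(apigee_client_id)
        if entry and now < entry["exp"] - self.margin:
            return entry["token"]
        token = self.issue(apigee_client_id, now)
        self.callouts += 1
        exp = gateway_verify(token, now)["exp"]  # verify what the IDP returned before caching it
        self.cache[apigee_client_id] = {"token": token, "exp": exp}
        return token
```

`gateway_verify` is the option A path: the client holds IDP credentials, and Apigee only checks the token it receives. `GatewayTokenCache` is the option B path: clients hold only Apigee credentials, and the gateway keys cached tokens by the Apigee client ID so one client's token is never handed to another.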