I'm reading the documentation for third-party OAuth tokens - https://docs.apigee.com/api-platform/security/oauth/use-third-party-oauth-system
What is the difference between the <ExternalAuthorization> parameter we are setting in the OAuth policy and the oauth_external_authorization_status variable we're setting through an Assign Message?
I understand oauth_external_authorization_status is set to true to indicate that the credentials are valid (meaning they have been validated somewhere else, externally). Then what is the purpose of the <ExternalAuthorization> parameter in the OAuth policy?
From the way it is documented, the purposes of these two seem to overlap significantly.
The documentation states "If you want the OAuthV2/GenerateAccessToken policy in Apigee Edge to validate the client credentials against the Edge store, set the <ExternalAuthorization> element to false inside the policy configuration, or omit it entirely. If you want to use an external authorization service to explicitly validate the client credentials, set <ExternalAuthorization> to true."
Now if I set oauth_external_authorization_status to true and <ExternalAuthorization> to false, what is the purpose of this?