Implementing Client Credentials OAuth 2.0 with Apigee
Introduction
With the client credentials OAuth grant type, an app sends its own credentials (the Client ID and Client Secret) to an endpoint on Apigee Edge that is set up to generate an access token. If the credentials are valid, Apigee Edge returns an access token to the client app. For background on OAuth 2.0 in general, you can visit this blog about OAuth.
Client Credentials use cases
The typical use cases for the client credentials grant are machine-to-machine communication, where the client acts on its own behalf and no end-user authorization is needed.
Grant Flow actors
Actors that participate in the OAuth flow are as follows:
Client App -- The app that needs access to protected resources. With this grant the app acts on its own behalf (there is no end user), so it typically runs on a server rather than on a user's laptop or device, where the Client Secret could not be kept confidential.
OAuth API -- Acts as the authorization server. Its role is to generate access tokens and to validate them.
Mocked API Proxy -- The API proxy that protects the resource and routes requests to the final destination (the mock in this case). It validates the token using the OAuth API services and, only if the token is valid, allows the resource to be consumed.
OAuth 2 Proxy configuration
As the authorization server, the OAuth API processes requests for access tokens. You need to create a proxy with a custom flow to handle access token requests, and then add and configure an OAuthV2 policy. The creation of an API proxy is covered in this other post, creating an API with Apigee; bear in mind that this proxy needs no backend (target type: No target).
1. Create a new flow
2. Configure the flow as follows. The step name GetAccessToken must match the name attribute of the OAuthV2 policy added in the next step:
<Flows>
  <Flow name="AccessToken">
    <Condition>proxy.pathsuffix == "/accesstoken"</Condition>
    <Request>
      <Step><Name>GetAccessToken</Name></Step>
    </Request>
  </Flow>
</Flows>
3. Add an OAuthV2 policy with the following configuration. The policy's name attribute must equal the step name used in the flow (GetAccessToken). Note that ExpiresIn is expressed in milliseconds, so 3600000 gives each access token a lifetime of one hour:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="GetAccessToken">
  <DisplayName>Generate Access Token</DisplayName>
  <Properties/>
  <Attributes/>
  <ExternalAuthorization>false</ExternalAuthorization>
  <Operation>GenerateAccessToken</Operation>
  <ExpiresIn>3600000</ExpiresIn>
  <SupportedGrantTypes>
    <GrantType>client_credentials</GrantType>
  </SupportedGrantTypes>
  <GenerateResponse enabled="true"/>
  <Tokens/>
</OAuthV2>
4. Now you can save the OAuth proxy.
Test the Apigee OAuth API Proxy using cURL
You can test your OAuth API using cURL or any other HTTP client that can send a POST request.
To request an access token, the app authenticates with HTTP Basic authentication built from its own credentials. Prepare the header as follows:
1. Concatenate the Client ID, a colon and the Client Secret: client_id:client_secret
2. Base64-encode the result
3. Send it in an Authorization header, for example (placeholder value):
Authorization: Basic dHdvIG11Y2ggaGlkZGVuIHNlY3JldHM=
In a terminal window, run the following cURL command, substituting your organization name in the URL. Use https: Base64 is an encoding, not encryption, so the header exposes the Client Secret to anyone who can read the traffic if it is sent over plain http.
curl -i -H 'Content-Type: application/x-www-form-urlencoded' -X POST 'https://<org_name>-test.apigee.net/oauth/accesstoken' -d 'grant_type=client_credentials' -H 'Authorization: Basic dHdvIG11Y2ggaGlkZGVuIHNlY3JldHM='
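The same token request as a small POSIX shell script, added here as an example (it is not code from the original post or from Apigee). Instead of pasting a pre-encoded value, it builds the Basic credential from the Client ID and Client Secret, requests a token over https, pulls access_token out of the JSON body that GenerateResponse returns, and then calls the protected proxy with the token as a Bearer credential, once with and once without the token so you can see the 200/401 difference. The organization name, the client credentials, the /mock path on the protected proxy and the sample JSON response are assumptions.

```sh
#!/bin/sh
# Example added to this post; not part of the original. Assumes the OAuth
# proxy from above at https://<org>-test.apigee.net/oauth/accesstoken and a
# protected proxy at https://<org>-test.apigee.net/mock (assumed path).

# Build the value of the Authorization header: base64("client_id:client_secret").
# printf is used instead of echo so that no trailing newline gets encoded, and
# tr strips the line wrapping that some base64 implementations add.
basic_credential() {
  printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Extract "access_token" from the JSON body Apigee returns when
# <GenerateResponse enabled="true"/> is set. Prints nothing if it is absent.
extract_access_token() {
  printf '%s' "$1" | sed -n 's/.*"access_token" *: *"\([^"]*\)".*/\1/p'
}

# POST the client_credentials grant over https. The Basic header carries the
# client secret; it is base64, not encryption, so plain http would leak it.
request_token() {
  org="$1"; client_id="$2"; client_secret="$3"
  curl -sS -X POST "https://${org}-test.apigee.net/oauth/accesstoken" \
    -H 'Content-Type: application/x-www-form-urlencoded' \
    -H "Authorization: Basic $(basic_credential "$client_id" "$client_secret")" \
    -d 'grant_type=client_credentials'
}

# Call the protected proxy with the token as a Bearer credential and print
# only the HTTP status (expect 200 with a valid token, 401 without one).
call_protected_api() {
  org="$1"; token="$2"
  curl -sS -o /dev/null -w '%{http_code}' \
    -H "Authorization: Bearer ${token}" \
    "https://${org}-test.apigee.net/mock"
}

# Constructed sample of a token response, used to exercise the parser offline.
SAMPLE_RESPONSE='{"token_type":"BearerToken","access_token":"AbCdEf123456","expires_in":"3599","status":"approved"}'

# Live usage: ORG=myorg CLIENT_ID=... CLIENT_SECRET=... sh this_script.sh
if [ -n "${ORG:-}" ] && [ -n "${CLIENT_ID:-}" ] && [ -n "${CLIENT_SECRET:-}" ]; then
  body=$(request_token "$ORG" "$CLIENT_ID" "$CLIENT_SECRET")
  token=$(extract_access_token "$body")
  [ -n "$token" ] || { echo "no access_token in response: $body" >&2; exit 1; }
  echo "status with token:    $(call_protected_api "$ORG" "$token")"
  echo "status without token: $(call_protected_api "$ORG" "")"
fi
```

Passing the credentials through environment variables rather than on the command line keeps the Client Secret out of the shell history and out of the process list that other users on the machine can read.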