
Implementing Auth code OAuth 2.0 with Apigee

Introduction

The authorization code OAuth grant type is one of the most commonly used grant types. With it, the user authenticates with the resource server and gives the app consent to access their protected resources without divulging their username and password to the client app.

In this grant type the app redirects the user to an endpoint on Apigee Edge that is set up to generate an access token after logging the user in to a third system. If the credentials are valid, Apigee Edge returns an access token to the client app. For background you can visit this blog about OAuth.

Auth code use cases

Auth code grant type is intended for apps that are written by third-party developers who do not have a trusted business relationship with the API provider. With this grant type, the user's credentials on the resource server are never shared with the app.

Grant Flow actors

Actors that participate in the OAuth flow are as follows:

  • Client App -- The app that needs access to the user's protected resources. Typically, with this flow, the app runs on a server rather than locally on the user's laptop or device.

  • OAuth API -- Acts as the authorization server. Its role is to generate and validate access tokens.

  • Mocked API Proxy -- The API proxy that protects and routes requests to the final destination (the mock in this case). It validates the tokens using the OAuth API services and then allows the final resource to be consumed.

OAuth 2 Proxy configuration

As the authorization server, the OAuth API processes requests for access tokens. You need to create a proxy with a custom flow to handle access token requests, and then add and configure an OAuthV2 policy. The creation of the API proxy itself is illustrated in this other post, creating an API with Apigee; bear in mind that this proxy does not need a backend (target type "No target").

1. Create a new flow

2. Configure the flow to have the following configuration:

    <Flows>
        <Flow name="AccessToken">
            <Condition>proxy.pathsuffix == "/accesstoken"</Condition>
            <Request>
                <Step><Name>GetAccessToken</Name></Step>
            </Request>
        </Flow>
        <Flow name="AuthCode">
            <Condition>proxy.pathsuffix == "/authorizationcode"</Condition>
            <Request>
                <Step><Name>GetAuthCode</Name></Step>
            </Request>
        </Flow>
    </Flows>

3. Add an OAuthV2 policy with the following configuration (this is the GetAuthCode step referenced by the AuthCode flow; ExpiresIn is in milliseconds, so 600000 gives the authorization code a 10-minute lifetime):

    <OAuthV2 async="false" continueOnError="false" enabled="true" name="GetAuthCode">
        <DisplayName>GetAuthCode</DisplayName>
        <Operation>GenerateAuthorizationCode</Operation>
        <ExpiresIn>600000</ExpiresIn>
        <GenerateResponse/>
    </OAuthV2>

4. Now you can save the OAuth proxy.

Test the Apigee OAuth API Proxy using Apigee and cURL

You can test your OAuth API using cURL or a web browser.

Obtaining authorization code

To prepare the following cURL command you need your organization name. In a terminal window, run the following command, substituting your organization name in the URL. The URL is quoted so that the shell does not treat the & separators as background operators:

    curl "http://<org_name>-test.apigee.net/oauth/authorizationcode?client_id={consumer_key}&response_type=code&scope=scope1%20scope2&state={some_string}"
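The cURL line above is the first leg of the flow; the client app also has to check the state value when the user is redirected back and then exchange the code at the /accesstoken endpoint handled by the GetAccessToken step. The following Python helpers, added here as an example and not taken from the original post or from Apigee, carry the client side of that exchange end to end without a network. They assume the proxy lives under /oauth on <org_name>-test.apigee.net as in the curl command, that the token endpoint accepts grant_type=authorization_code, code and redirect_uri as form fields with the consumer key and secret sent as HTTP Basic credentials (standard OAuth 2.0 behaviour, not confirmed by the page), and the organization name and callback URL are placeholders.

```python
"""Client-side helpers for the authorization-code flow against the Apigee
proxy described above.  Added example; ORG_NAME, REDIRECT_URI and the token
endpoint's parameter names are assumptions, not values from the post."""
import base64
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlsplit

ORG_NAME = "example-org"                              # placeholder org name
BASE_URL = f"https://{ORG_NAME}-test.apigee.net/oauth"
REDIRECT_URI = "https://app.example.com/callback"     # hypothetical callback


def new_state() -> str:
    """Unguessable per-request state.  The app stores it in the user's
    session and compares it on the callback, so a redirect forged by a
    third party cannot bind an attacker's code to the victim's session."""
    return secrets.token_urlsafe(32)


def build_authorization_url(consumer_key: str, scopes: list, state: str) -> str:
    """The URL the user is sent to (the curl request above, built safely).
    quote_via=quote encodes the scope separator as %20, as the post does."""
    params = {
        "client_id": consumer_key,
        "response_type": "code",
        "scope": " ".join(scopes),
        "state": state,
        "redirect_uri": REDIRECT_URI,
    }
    return f"{BASE_URL}/authorizationcode?{urlencode(params, quote_via=quote)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Extract the authorization code from the redirect back to the app.
    Raises ValueError on an error reply, a state mismatch, or an ambiguous
    code parameter, so a bad redirect never reaches the token request."""
    query = parse_qs(urlsplit(callback_url).query)
    if "error" in query:
        raise ValueError(f"authorization server returned error: {query['error'][0]}")
    state = query.get("state", [""])[0]
    if not state or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: redirect was not started by this session")
    codes = query.get("code", [])
    if len(codes) != 1:
        raise ValueError("callback must carry exactly one code")
    return codes[0]


def build_token_request(consumer_key: str, consumer_secret: str, code: str):
    """Server-to-server request the app sends to /accesstoken (GetAccessToken).
    Returns (url, headers, form_body); the secret never goes through the
    browser.  Basic-auth client credentials are an assumption about the proxy."""
    basic = base64.b64encode(f"{consumer_key}:{consumer_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,   # must match the one used in step 1
    })
    return f"{BASE_URL}/accesstoken", headers, body


if __name__ == "__main__":
    # Walk the three legs with a constructed callback standing in for the
    # real redirect from Apigee.
    state = new_state()
    print(build_authorization_url("{consumer_key}", ["scope1", "scope2"], state))
    fake_callback = f"{REDIRECT_URI}?code=constructed-code&state={state}"
    code = parse_callback(fake_callback, state)
    url, headers, body = build_token_request("{consumer_key}", "{consumer_secret}", code)
    print(url, headers["Content-Type"], body)
```

To use it against a real proxy, send the user to the URL from build_authorization_url, keep the state in the session, pass the callback URL Apigee redirects to into parse_callback, and POST the result of build_token_request from the server; the state check is what stops a code obtained by someone else from being injected into the user's login.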
