Advanced OAuth 2.0 topics

You're viewing Apigee Edge documentation.
Go to the Apigee X documentation.
info

Using third-party OAuth tokens

See Using Third-Party OAuth Tokens.

Designating multiple callback URLs

When using the authorization code grant type, you must specify a callback URL when you register your developer app. The callback URL typically specifies the URL of an app that is designated to receive an authorization code on behalf of the client app. In addition, this URL string is used for validation. The client is required to send this URL to Apigee Edge when requesting authorization codes and access tokens, and the redirect_uri parameter must match the one that is registered. See also Requesting access tokens and authorization codes.

For example:

http://myorg-test.apigee.net/weather/oauth/authorizationcode?client_id=123456&response_type=code&redirect_uri=http://example.com/callback&scope=scope1%20scope2&state=abc

There is a use case for specifying multiple callback URLs in a single proxy application. For example, you may want to authenticate for multiple domains. For instance:

  • http://myexample.com/callback
  • http://myexample.uk/callback
  • http://myexample.ja/callback

Edge does not support specifying multiple callback URLs or using wildcard characters when a developer app is registered. To accomplish this use case, you can specify an empty callback URL when you register a developer app, and then put a logic in a JavaScript policy to validate incoming redirect URIs.

Changing the default return behavior of a GenerateAuthCode operation

By default, the GenerateAuthCode operation of the OAuthV2 policy returns a 302 redirect to the callback URL with a ?code query parameter containing the authorization code.

In some cases, you may wish to change this behavior. For example, you may want to return a 200 response with structured JSON containing the code.

To accomplish this use case, use an ExtractVariable policy to retrieve the code, and an AssignMessage policy to return the code in a JSON payload with a status of 200.

Auditing app end user consent

You may be required to verify that an app end user authorized an app. You can use the Apigee Edge Audit API to do so.

Outbound OAuth sample

See the outbound-oauth sample in the Apigee api-platform-samples repository on GitHub. You can clone the sample, deploy it, and run it. This sample uses the Microsoft Azure translator API to translate tweets. To do so, it makes an outbound call to obtain an OAuth access token, and then caches the token using the API Services caching policies, reusing the cached token each time an outbound call is made. Also, includes a demonstration browser app used to invoke the API proxy.