OAuth 2.0: Configuring a new API proxy

You're viewing Apigee Edge documentation.
Go to the Apigee X documentation.
info

If you are using the Apigee Cloud version of Edge, then you will see that a proxy called oauth is included in your organization by default. This proxy provides two sample endpoints for generating access and refresh tokens. If you'd like to learn more about OAuth token endpoints, see Understanding OAuth endpoints.

The client credentials grant type defines a procedure for issuing access tokens in exchange for app credentials. These app credentials are the consumer key and secret pair that Apigee Edge issues for each app that is registered in an organization. For more details, see Implementing the authorization code grant type.

Add OAuth 2.0 to a new API proxy

You can easily add OAuth verification to an API when you create a new API proxy.

Edge

To add OAuth verification to an API using the Edge UI:

  1. Sign in to apigee.com/edge.
  2. Select Develop > API Proxies in the left navigation bar.
  3. Click + Proxy
  4. Use the Create Proxy wizard to create a Reverse proxy. See Build a simple API proxy.
  5. On the Common policies page of the wizard, select the radio button next to OAuth v2.0.

Classic Edge (Private Cloud)

To add OAuth verification to an API using the Classic Edge UI:

  1. Sign in to http://ms-ip:9000, where ms-ip is the IP address or DNS name of the Management Server node.
  2. Select APIs > API Proxies in the top navigation bar.
  3. Click + API Proxy
  4. Use the Create Proxy wizard to create a Reverse proxy. See Build a simple API proxy.
  5. On the Security page of the wizard, select the radio button next to OAuth v2.0.

When you select this option, two policies will be attached to the newly created API proxy, one to verify access tokens and another to strip the access token after it has been verified.

Note that the Publish API Product checkbox becomes selectable and is automatically selected. Check this if you want to automatically generate a product when you build the new API proxy. The autogenerated product will be created with an association to the new API proxy. If you have an existing product with which you want to associate this new API, be sure to clear this checkbox so that you don't create an unnecessary product. For information about products, see What is an API product?

Working with the default OAuth proxy

The oauth proxy exposes the following endpoint URI:

/oauth/client_credential/accesstoken

Publish this URI to developers who need to obtain access tokens. App developers configure their apps to call this endpoint, presenting their consumer key and secret pairs to obtain access tokens.

The default client credentials token endpoint is exposed over the network at the following URL:

https://{org_name}-{env_name}.apigee.net/oauth/client_credential/accesstoken

For example, if your organization name is "apimakers", the URL would be:

https://apimakers-test.apigee.net/oauth/client_credential/accesstoken

This is the URL that developers call to obtain access tokens.

Call the API

When you get back an access token, you can call the API with an Authorization header and Bearer token, like this:

curl -H "Authorization: Bearer <your access token>" http://myorg-myenv.apigee.net/myapi

See also Verifying access tokens.