For convenience, all organizations on Apigee Edge come preconfigured with a set of OAuth 2.0 endpoints that implement the client credentials grant type. This topic explains how to protect an API using this default configuration. 

About the client credentials grant type

The client credentials grant type defines a procedure for issuing access tokens in exchange for app credentials. These app credentials are the consumer key and secret pair that Apigee Edge issues for each app that is registered in an organization. For more details, see Implementing the authorization code grant type.

Add OAuth 2.0 to a new API proxy

You can add OAuth verification to an API when you create a new API proxy. In the proxy creation wizard, you add verification of OAuth 2.0 access tokens by selecting the radio button next to Secure with OAuth v2.0 Access Tokens. When you select this option, two policies are attached to the newly created API proxy: one to verify the access token, and another to strip the access token from the request after it has been verified, so the token is not forwarded to your backend.

In addition, when you select the Secure with OAuth v2.0 Access Tokens option, the Publish API Product checkbox becomes selectable and is automatically selected. Check this if you want to automatically generate a product when you build the new API proxy. The autogenerated product will be created with an association to the new API proxy. If you have an existing product with which you want to associate this new API, be sure to clear this checkbox so that you don't create an unnecessary product. For information about products, see What is an API product?

Working with the default OAuth configuration

Each organization (even a free trial org) on Apigee Edge is provisioned with an OAuth token endpoint. The endpoint is preconfigured with policies in the API proxy called oauth. You can begin using the token endpoint as soon as you create an account on Apigee Edge.

The default oauth proxy exposes the following token endpoint URI:

/oauth/client_credential/accesstoken

Publish this URI to developers who need to obtain access tokens. App developers configure their apps to call this endpoint, presenting their consumer key and secret pairs to obtain access tokens.

The default client credentials token endpoint is exposed over the network at the following URL:

https://{org_name}-{env_name}.apigee.net/oauth/client_credential/accesstoken

For example, if your organization name is "apimakers" and the environment is "test", the URL would be:

https://apimakers-test.apigee.net/oauth/client_credential/accesstoken

This is the URL that developers call to obtain access tokens.

By default, out-of-the-box OAuth endpoints are only deployed in the test environment. Before they are available in prod, you must explicitly deploy the API proxy called oauth to prod.
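As an added example that is not part of the original documentation or of the default oauth proxy's own code, this shell script builds the token request a developer's app sends to the default endpoint and then uses the returned token against an OAuth-secured proxy. It assumes the default proxy accepts a POST with grant_type=client_credentials and the consumer key and secret as an HTTP Basic credential; the org name myorg, the proxy path /protected and the CONSUMER_KEY/CONSUMER_SECRET variables are placeholders.

```shell
#!/bin/sh
# Added example, not part of Apigee's documentation or the default "oauth" proxy.
# Assumptions: the default proxy accepts POST grant_type=client_credentials with
# consumer_key:consumer_secret as an HTTP Basic credential; /protected is a
# placeholder path for your own OAuth-secured API proxy.

# Build the default token endpoint URL from the organization and environment names.
token_url() {
  printf 'https://%s-%s.apigee.net/oauth/client_credential/accesstoken' "$1" "$2"
}

# Encode "consumer_key:consumer_secret" as an HTTP Basic credential.
basic_credential() {
  printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Extract access_token from the flat JSON body the token endpoint returns.
# Prints nothing for an error response (no access_token member).
access_token_from_json() {
  printf '%s' "$1" | sed -n 's/.*"access_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Exchange app credentials for a token (needs network access to your org).
# The key and secret never appear in the URL; they travel only in the
# Authorization header of the POST.
get_token() {
  body=$(curl -sS -X POST "$(token_url "$1" "$2")" \
    -H "Authorization: Basic $(basic_credential "$3" "$4")" \
    -H 'Content-Type: application/x-www-form-urlencoded' \
    -d 'grant_type=client_credentials')
  access_token_from_json "$body"
}

# Call the OAuth-secured proxy; the verify policy attached to the proxy
# rejects a missing or invalid bearer token before the request reaches
# your backend.
call_protected_api() {
  curl -sS "https://$1-$2.apigee.net/protected" -H "Authorization: Bearer $3"
}

# Usage (placeholders; the token endpoint is deployed only to "test" by default):
# TOKEN=$(get_token myorg test "$CONSUMER_KEY" "$CONSUMER_SECRET")
# call_protected_api myorg test "$TOKEN"
```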
