Reputation: 35
I have a few APIs which are onboarded to Apigee. We are securing access to these onboarded APIs with a bearer token which is generated using a client key and secret.
I need suggestions on the best way to invoke the APIs from the client side without storing the client key and secret in the front end.
Do we need another backend service to generate the bearer access token and give it back to the client? If so, how do we secure this new service?
Or is there any other approach we can take?
I'd appreciate any sort of help or suggestions.
Thanks in advance, Sandy
Upvotes: 0
Views: 355
Reputation: 132
You can use the Basic Authentication policy for this use case. Refer to this code:
<BasicAuthentication continueOnError="false" enabled="true" name="Set-AuthToken">
  <DisplayName>Set-AuthToken</DisplayName>
  <!-- Encode base64-encodes "user:password" into an HTTP Basic credential -->
  <Operation>Encode</Operation>
  <!-- fail the policy if client_key / client_secret are not set in the flow -->
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <User ref="client_key"/>
  <Password ref="client_secret"/>
  <!-- the encoded value is written to the accessToken flow variable -->
  <AssignTo createNew="false">accessToken</AssignTo>
</BasicAuthentication>
This policy will generate the token and store it in the accessToken variable, as configured above. Now you can set this accessToken in the request headers as a bearer token using the AssignMessage policy like this:
<AssignMessage name="AddAuthHeader">
  <Add>
    <Headers>
      <!-- {accessToken} is the flow variable filled by the policy above -->
      <Header name="Authorization">Bearer {accessToken}</Header>
    </Headers>
  </Add>
  <AssignTo createNew="false" type="request" />
</AssignMessage>
About storing the client secret and key: we can store them in KVMs and access them at runtime while executing the proxy. The client_key and client_secret in this code can be fetched through KVMs. For more information on KVM policies, please refer to this link.
Upvotes: -1
Reputation: 68
How I have approached this before is by having an access token proxy. This endpoint generates an access token that is consumed by your APIs. You just add the token proxy while configuring the product for your API.
Upvotes: 1
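The "access token proxy" in the answer above, and the "new backend service" the question asks about, can be combined into a backend-for-frontend (BFF): a server-side component that holds the consumer key and secret, exchanges them at the Apigee token endpoint with the OAuth 2.0 client_credentials grant, caches the resulting bearer token until shortly before it expires, and forwards requests to the API only for callers that have authenticated to it (with a session cookie, for example). The Python below is an added example written for this page; it is not code from the question, the answers, or Apigee. TOKEN_URL, API_BASE, the JSON shape of the token response ({"access_token", "expires_in"}) and the demo credentials are assumptions, and FakeTokenEndpoint is a constructed stand-in for the Apigee token proxy so the example runs offline.

```python
"""Backend-for-frontend (BFF) token broker: the browser never sees the Apigee
consumer key/secret, it only holds a session with this service.

Added example; not code from the original question or answers, and not an
Apigee library. TOKEN_URL, API_BASE and the JSON shape of the token response
are assumptions, and FakeTokenEndpoint is a constructed stand-in so the
example runs offline.
"""
import base64
import hmac
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple

# Assumed endpoints (hypothetical URLs for this example).
TOKEN_URL = "https://api.example.com/oauth/client_credential/accesstoken"
API_BASE = "https://api.example.com/v1"

# An injectable "HTTP POST" so the broker can be exercised without a network.
HttpPost = Callable[[str, Dict[str, str], Dict[str, str]], Dict[str, object]]


def basic_credential(key: str, secret: str) -> str:
    """HTTP Basic credential used to authenticate the client_credentials grant."""
    return "Basic " + base64.b64encode(f"{key}:{secret}".encode()).decode()


@dataclass
class TokenBroker:
    """Holds the consumer key/secret server-side and hands out only the
    short-lived bearer token obtained with the client_credentials grant."""
    client_key: str
    client_secret: str
    post: HttpPost
    now: Callable[[], float] = time.time
    refresh_skew: float = 30.0       # refresh this many seconds before expiry
    _token: Optional[str] = field(default=None, init=False, repr=False)
    _expires_at: float = field(default=0.0, init=False)

    def _fetch_token(self) -> None:
        # The key/secret travel only from this process to the token endpoint
        # (over TLS in a real deployment); they are never returned to a browser.
        headers = {"Authorization": basic_credential(self.client_key, self.client_secret)}
        resp = self.post(TOKEN_URL, headers, {"grant_type": "client_credentials"})
        self._token = str(resp["access_token"])
        self._expires_at = self.now() + float(resp["expires_in"])

    def bearer(self) -> str:
        """Return the cached token, refreshing it when it is about to expire."""
        if self._token is None or self.now() >= self._expires_at - self.refresh_skew:
            self._fetch_token()
        return self._token


@dataclass
class Bff:
    """The service the browser actually calls. It checks the caller's own
    session first and only then proxies the request with the broker's token."""
    broker: TokenBroker
    sessions: Set[str]               # session ids issued at user login

    def proxy_request(self, session_id: str, path: str) -> Tuple[str, Dict[str, str]]:
        if session_id not in self.sessions:
            raise PermissionError("unauthenticated caller")
        return API_BASE + path, {"Authorization": "Bearer " + self.broker.bearer()}


class FakeTokenEndpoint:
    """Constructed stand-in for the token endpoint: verifies the Basic
    credential, issues sequential tokens and counts how often it is called."""

    def __init__(self, key: str, secret: str, lifetime: int = 60) -> None:
        self._expected = basic_credential(key, secret)
        self._lifetime = lifetime
        self.calls = 0

    def post(self, url: str, headers: Dict[str, str], body: Dict[str, str]) -> Dict[str, object]:
        if url != TOKEN_URL or body.get("grant_type") != "client_credentials":
            raise ValueError("unsupported_grant_type")
        if not hmac.compare_digest(headers.get("Authorization", ""), self._expected):
            raise PermissionError("invalid_client")
        self.calls += 1
        return {"access_token": f"tok-{self.calls}", "expires_in": self._lifetime}


def demo() -> Dict[str, object]:
    """Walk through the flow with a controllable clock; returns what was observed."""
    clock = [1000.0]
    endpoint = FakeTokenEndpoint("demo-key", "demo-secret")       # constructed credentials
    broker = TokenBroker("demo-key", "demo-secret", endpoint.post, now=lambda: clock[0])
    bff = Bff(broker, sessions={"sess-abc"})

    _, first = bff.proxy_request("sess-abc", "/orders")
    _, second = bff.proxy_request("sess-abc", "/orders/1")        # cached token reused
    clock[0] += 40                                                # inside refresh_skew of expiry
    _, third = bff.proxy_request("sess-abc", "/orders")           # token refreshed
    try:
        bff.proxy_request("no-such-session", "/orders")
        rejected = False
    except PermissionError:
        rejected = True
    return {"first": first["Authorization"], "second": second["Authorization"],
            "third": third["Authorization"], "token_calls": endpoint.calls,
            "unauthenticated_rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

The secret exposure problem is solved by where the credential lives, not by how it is encoded: the consumer key and secret are only ever read by TokenBroker (from an environment variable, a secret manager or, as the other answer notes, an Apigee KVM if the broker is itself a proxy), and the browser authenticates to the BFF with a session it cannot turn into an API credential. The BFF must still be protected like any other backend: rate-limit it, bind it to the user session, and keep the token cache in memory rather than in anything the client can read.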