In configuring oauth2 in apigee, we can set a validity period for app consumer key and secret pair via the UI and for access token via modifying the xml for oauth proxy. (by modifying the value for element) In case the access token expires we can use the current consumer key, secret pair to regenerate an access token. What if the consumer key, secret pair expires, is there a way to regenerate them as well ? And would like to know the use in limiting time for consumer key, secret pair because an access token set to expire within a given time assures limited access to the backend api. (IMO)
And in case api key security type was used in creating the api proxy, then we only need the api key(which is the same as consumer key in apigee context) to send an api request. In that case if we opt to set a time limit for consumer key, secret pair that means the api key associated with the proxy also expires. If we need to invoke the api again then we need to use the new consumer key as our api key. This is a bit confusing, because i thought api keys do not have a time limit whereas access tokens used in oauth have both a time limit and a scope.
In short i am just trying to figure out how apigee has implemented the concepts oauth and api key to secure apis.