@Dino Thanks for updating the write up on “Using Third-Party OAuth Tokens” and giving the details about the Steps which Apiee should follow and Policy steps for run time (flow) to break the thoughts and make things clear.
To iterate Verify Client credentials I have indicated following information.
.
I am indicating what kind of validation I am referring to hence will give better insight…
As per latest updates to the link
http://docs.apigee.com/api-services/content/use-third-party-oauth-system
which indicates
“If you want the OAuthV2/GenerateAccessToken policy in Apigee Edge to validate the client credentials against the Edge store, set the element to false inside the policy configuration, or omit it entirely. If you want to use an external authorization service to explicitly validate the client credentials, set to true.”
As per context above, have a situation where the Client key and Secret will be validated by OAUTH Policy and will have to use Token from 3rd party retaining the authentication of Client Key and secret to OAUTH only.
Step 1: OAUTH Policy which validates Key and secret (from User)
Hence in that case, will have to set to false… And this will still enable me to get the external token from Third party but I would expect OAUTH2 Policy to validate the Key and secret (Client Credentials initially)…
My situation is Internal validation of client credentials with OAUTH Policy but use the Externally generated Token ..
FYI..I am not using the Service call out because the OAUTH Policy can just validate the Client credentials (Key and secret) and Token is only required from 3rd party….
Step 2: As per write up I will also require Assign Message.
“AssignMessage to set the special well-known-variable called oauth_external_authorization_status. The value must be true to indicate the client credentials are valid.”
Step 3: If Step 1 is successful (OAUTH2 Policy is successful) . A Service Callout policy to invoke the external API (To get just a Token) with other required information (per my requirements)…else OAUTH 2 Policy responds with required error to user about Client authentication failure (of Key and secret validation error response)
Step 4: User to fire the request with 3rd Party Token (instead of OAUTH2 token).
Note: The same write up have indicated
“External Validation of Client Credentials
ServiceCallout to Verify the inbound client credentials, and acquire an external token. “
As per
http://docs.apigee.com/api-services/reference/service-callout-policy
“The Service Callout policy lets you call to an another service from your API proxy flow. You can make callouts to either an external service (such as an external RESTful service endpoint) or internal services (such as an API proxy in the same organization and environment).”
Hence as per write up the second part “and acquire an external token.” is fine but Service Callout is just to call service but not to validate the inbound client in my case rather OAUTH2 will validate the Client credentials.
Hence OAUTH 2 Policy will be used to authenticate Client credentials hence its Policy configuration will be
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
OAuth v2.0-1Validate-ExternalToken
external_access_token
false
GenerateAccessToken
client_credentials
request.queryparam.grant_type
In my case Token is generate by external party hence as per write up I need to store such token, hence set to true above..
Looks like as per your write up I will have to maintain Assign message to as below
Assign Message - Set Variable
oauth_external_authorization_status
true
true