Manage authentication profiles

The tasks in your Apigee Integration may require connection to an external application, service, or data source. An authentication profile lets you configure and store the authentication details for the connection in Apigee Integration. You can configure the task to use the stored authentication profile. Creating an authentication profile is a one-time activity, and you can reuse the same profile in multiple integrations.

Create OAuth 2.0 client ID

A client ID is used to identify a single application to Google's OAuth servers. If your application runs on multiple platforms, then each will need its own client ID. To use OAuth 2.0 in your application, you need an OAuth 2.0 client ID, which your application uses when requesting an OAuth 2.0 access token.

To create an OAuth 2.0 client ID, do the following steps:

  1. In the Google Cloud console, go to APIs & Services > Credentials.

    Go to Credentials

  2. Click + Create Credentials and select OAuth client ID from the list of available options.

    The Create OAuth client ID page appears.

  3. Appication type: Select Web Application from the drop-down list.
  4. Name: Enter a name for your OAuth 2.0 client to identify the client in the Cloud console.
  5. Under Authorized redirect URIs, click +Add URI and enter the following:
    https://apigee.google.com/organizations/GOOGLE_CLOUD_PROJECT_NAME/integrations/callback/locations/AUTH_PROFILE_REGION
  6. Click Create.

    An OAuth 2.0 client ID is created successfully.

Create a new authentication profile

To create a new authentication profile, follow these steps:

  1. In the Apigee UI, select your Apigee Organization.
  2. Click Develop > Integrations.
  3. Select an existing integration for which you want to create the authentication profile.

    This opens the integration in the integration editor.

  4. In the integration editor toolbar, click (Manage Authentication Profiles).

    The Authentication Profiles page appears.

  5. Select a Region for the authentication profile using the drop-down menu in the Authentication Profiles page.
  6. Click Create and enter the following details:
    • Authentication profile name: Enter the name of the authentication profile to be displayed in the integration editor.
    • Authentication profile description: Enter a description for the authentication profile.
    • Authentication profile visibility: Select one of the following profile visibility options:
      • Visible to all the users in the client: The authentication profile created is available to all users in the organization.

      • Only visible to you: The authentication profile created is not visible to any other users in the organization.
    • Authentication type: Select the authentication type from the drop-down list and enter the required details. Based on your selection, the dialog displays additional fields required for the authentication credentials. You can select any of the following authentication types:
  7. Click Save.

After you save, the new authentication profile is available as an option in the Authorization profile to use drop-down of any task requiring authentication.

Optional. If you have not created an authentication profile prior to configuring an integration task, you can access the profile creation dialog by selecting + Add new authentication profile from the Authorization profile to use drop-down in the task configuration pane. Follow the preceding steps to create a new authentication profile.

Edit authentication profiles

To edit an authentication profile, follow these steps:

  1. In the Apigee UI, select your Apigee Organization.
  2. Click Develop > Integrations.
  3. Select an existing integration for which you want to create the authentication profile.

    This opens the integration in the integration editor.

  4. In the integration editor toolbar, click (Manage Authentication Profiles).

    The Authentication Profiles page appears.

  5. Select a Region for the authentication profile using the drop-down menu in the Authentication Profiles page.
  6. Click (Actions menu) and click Edit.

    The Authentication Profiles dialog appears.

  7. Edit the details and click Save.

Delete authentication profiles

To delete an authentication profile, follow these steps:

  1. In the Apigee UI, select your Apigee Organization.
  2. Click Develop > Integrations.
  3. Select an existing integration for which you want to create the authentication profile.

    This opens the integration in the integration editor.

  4. In the integration editor toolbar, click (Manage Authentication Profiles).

    The Authentication Profiles page appears.

  5. Select a Region for the authentication profile using the drop-down menu in the Authentication Profiles page.
  6. Click Delete.

Authentication types

The authentication type required to complete an integration task depends upon the authentication configured in the authorization server. The authorization server can be a standalone server or an API that issues credentials to the calling client. Apigee Integration supports the following authentication types:

The following sections describe the configuration properties of the authentication types.

Auth token

The Auth token authentication type uses a token (credentials) for authentication. The credentials are sent to the server in the HTTP Authorization request header in the Authorization: TYPE CREDENTIALS format. To configure this authentication type, set the following properties:
  • Type: Authentication type such as Basic, Bearer, or MAC.
  • Token: Credentials for the authentication type.

If the authentication server requires an SSL/TLS certificate, upload the certificate and the private key.

To find out which tasks support this authentication type, see Compatibility of authentication types with tasks.

Google OIDC ID Token

The Google OIDC ID Token authentication type uses JSON Web Tokens (JWT) for authentication. The Google OpenID Connect (OIDC) provider, accounts.google.com, signs and issues these JWTs for authentication using a service account. To configure this authentication type, set the following properties:
  • Service account: Service account (principal) in your Google Cloud project with permission to access your API.
  • Audience: The audience for the OIDC token (this identifies the recipients that the JWT is intended for). For example, Trigger URL is the audience for the Cloud Function task.
To find out which tasks support this authentication type, see Compatibility of authentication types with tasks.

JSON Web Token (JWT)

The JWT authentication type uses JSON Web Token (JWT) for authentication. For more information about JWT, see RFC7519. To configure this authentication type, set the following properties:
  • JWT header: Algorithm used to generate the signature.

    Note: You can only specify the HS256 algorithm.

  • JWT payload: A set of claims. You can use registered, public, or custom claims.
  • Secret: Shared key between the client and the authentication server.

If the authentication server requires an SSL certificate, upload the certificate and the private key using the file picker. Enter the private key passphrase .

To find out which tasks support this authentication type, see Compatibility of authentication types with tasks.

OAuth 2.0 authorization code

The OAuth 2.0 authorization code authentication type uses an OAuth 2.0 authorization token for authentication. To configure this authentication type, set the following properties:

  • Authentication endpoint: Endpoint to the application's authentication endpoint. You will be redirected to this URL to review the access permissions for the application. The token will only be generated after access is granted.
  • Token endpoint: Endpoint that grants or refreshes the access token.
  • Client ID: A unique string provided by the authentication server to the registered client. The Client ID is not a secret, and it is exposed to the resource owner. Use this field along with a client secret.
  • Secret: Shared secret key between the client (integration) and the authentication server.
  • Scope(s): Scope of the access token. Scopes let you specify access permissions for users. You can specify multiple scopes separated by a single space (" "). For more information, see OAuth 2.0 Scopes for Google APIs.

If the authentication server requires an SSL certificate, upload the certificate and the private key using the file picker. Enter the private key passphrase in the available field, if required.

To find out which tasks support this authentication type, see Compatibility of authentication types with tasks.

OAuth 2.0 client credentials

The OAuth 2.0 client credentials authentication type uses an OAuth 2.0 authorization token for authentication. This authentication first requests an access token using the client credentials and then uses the token to access the protected resources. To configure this authentication type, set the following properties:

  • Token endpoint: Endpoint that grants or refreshes the access token.
  • Client ID: A unique string provided by the authentication server to the registered client. The Client ID is not a secret, and it is exposed to the resource owner. Use this field along with a client secret.
  • Secret: Shared secret key between the client (integration) and the authentication server.
  • Scope(s): Scope of the access token. Scopes let you specify access permissions for users. You can specify multiple scopes separated by a single space (" "). For more information, see OAuth 2.0 Scopes for Google APIs.
  • Request types: Mechanisms to send the request parameters to the authentication server for fetching the access token. You can specify any of the following request types:

    • Encoder header: Encodes the CLIENT ID and CLIENT SECRET in Base64 format and sends the encoded string in the HTTP authorization header. The remaining request parameters are sent in the HTTP request body.
    • Query parameters: Sends the request parameters in a query string.
    • Request body: Sends the request parameters by using the application/x-www-form-urlencoded content type and UTF-8 charset in the entity-body of the HTTP request.
    • Unspecified
  • Token parameters: Request parameters required to get the token. Specify the values in key-value format where Key is the parameter name and Value is the corresponding parameter value.

If the authentication server requires an SSL certificate, upload the certificate and the private key using the file picker. Enter the private key passphrase in the available field, if required.

To find out which tasks support this authentication type, see Compatibility of authentication types with tasks.

OAuth 2.0 resource owner password credentials

The OAuth 2.0 resource owner password credentials authentication type uses an OAuth 2.0 authorization token for authentication. This authentication first requests an access token using the resource owner credentials (Username and Password) and then uses the token to access the protected resources. To configure this authentication type, set the following properties:

  • Token endpoint: Endpoint that grants or refreshes the access token.
  • Client ID: A unique string provided by the authentication server to the registered client. The Client ID is not a secret, and it is exposed to the resource owner. Use this field along with a client secret.
  • Secret: Shared secret key between the client (integration) and the authentication server.
  • Scope(s): Scope of the access token. Scopes let you specify access permissions for users. You can specify multiple scopes separated by a single space (" "). For more information, see OAuth 2.0 Scopes for Google APIs.
  • Username: Username of the resource owner.
  • Password: User password.
  • Request types: Mechanisms to send the request parameters to the authentication server for fetching the access token. You can specify any of the following request types:

    • Encoder header: Encodes the CLIENT ID and CLIENT SECRET in Base64 format and sends the encoded string in the HTTP authorization header. Sends the remaining request parameters in the HTTP request body.
    • Query parameters: Sends the request parameters in a query string.
    • Request body: Sends the request parameters by using the application/x-www-form-urlencoded content type and UTF-8 charset in the entity-body of the HTTP request.
  • Token parameters: Request parameters required to get the token. Specify the values in key-value format where Key is the parameter name and Value is the corresponding parameter value.

If the authentication server requires an SSL certificate, upload the certificate and the private key using the file picker. Enter the private key passphrase in the available field, if required.

To find out which tasks support this authentication type, see Compatibility of authentication types with tasks.

SSL/TLS client certificate only

The SSL/TLS client certificate only authentication type uses only the SSL/TLS certificate for authentication. Upload the required certificate and the private key. To configure this authentication type, upload the following files:
  • SSL certificate: Certificate encoded in PEM format.
  • Private key: Certificate's private key file encoded in PEM format.

    If the private key requires a passphrase, enter the Private key passphrase.

To find out which tasks support this authentication type, see Compatibility of authentication types with tasks.

Service account

The Service account authentication type uses the credentials of a Google Cloud project's service account for authentication. To configure this authentication type, set the following properties:

  • Service account: Service account (principal) in your Google Cloud project with permission to access your API.
  • Scope(s): Scope of the access permissions granted to users. You can specify multiple scopes separated by a single space (" "). For more information, see OAuth 2.0 Scopes for Google APIs.

To learn about best practices for creating and managing service accounts, read the Best practices for working with service accounts documentation.

If the authentication server requires an SSL certificate, upload the certificate and the private key using the file picker. Enter the private key passphrase in the available field, if required.

To find out which tasks support this authentication type, see Compatibility of authentication types with tasks.

Compatibility of authentication types with tasks

The following table lists the authentication types and the corresponding compatible tasks. You can use this information to decide which authentication type to use for a task.

Authentication type Compatible tasks and triggers
Auth token
Google OIDC ID Token
JSON Web Token (JWT)
OAuth 2.0 authorization code
OAuth 2.0 client credentials
OAuth 2.0 resource owner password credentials
SSL/TLS client certificate only
Service account

Authentication rule

If your integration has both OAuth 2.0 profile and a user-managed service account configured, then by default the OAuth 2.0 profile is used for authentication. If neither OAuth 2.0 profile nor user-managed service account is configured, then the default service account (service-PROJECT_NUMBER@gcp-sa-apigee.iam.gserviceaccount.com) is used. If the task does not use the default service account then the execution fails.