NOTE: Some aspects of this product are in Beta. The hybrid installation options are GA. To join the Beta program, reach out to your Apigee representative.

Understanding OAuth endpoints

To do its job as an OAuth2 authorization server, Apigee needs to expose endpoints where clients can request tokens and auth codes. This topic offers a quick introduction to these endpoints, and shows you how to set them up in Apigee.

What is an OAuth2 endpoint?

An OAuth2 endpoint is a URL that clients call to request OAuth tokens (or auth codes). Here's an example request for an access token:

$ curl -i -H "ContentType: x-www-form-urlencoded" \
-X POST "https://apitest.acme.com/oauth/client_credential/accesstoken" \
-d "grant_type=client_credentials" \
-H "Authorization: Basic c3FIOG9vSGV4VHo4QzAySVg5T1JvNnJoZ3ExaVNyQWw6WjRsanRKZG5lQk9qUE1BVQ"

You need an OAuthV2 policy to process this request. As you can infer from the above example request, the policy must support the "client credentials" grant type, and execute on the path /oauth/client_credentials/accesstoken.

This is a sample OAuthV2 policy that is configured to accept the client_credentials grant type. For information on optional configuration elements that you can configure with this policy, see OAuthV2 policy.

<OAuthV2 name="GenerateAccessToken">
    <Operation>GenerateAccessToken</Operation>
    <ExpiresIn>1800000</ExpiresIn> <!-- 30 minutes -->
    <SupportedGrantTypes>
      <GrantType>client_credentials</GrantType>
    </SupportedGrantTypes>
    <GenerateResponse enabled="true"/>
</OAuthV2>

Here's a sample endpoint configuration for generating an access token. It'll execute the GenerateAccessToken policy, which must be configured to support the client_credentials grant type.

...
       <Flow name="generate-access-token">
            <Request>
                <Step>
                    <Name>GenerateAccessToken</Name>
                </Step>
            </Request>
            <Response/>
            <Condition>(proxy.pathsuffix MatchesPath "/token") and (request.verb = "POST")</Condition>
        </Flow>
...

If the client provides the correct credentials, the policy generates and returns a token; otherwise, it returns an error.

Related topics

For detailed information on all of the supported grant types and sample code, see Requesting access tokens and authorization codes