OAuth 2.0: Configuring a new API proxy

This page applies to Apigee and Apigee hybrid.

The client credentials grant type defines a procedure for issuing access tokens in exchange for app credentials. These app credentials are the consumer key and secret pair that Apigee issues for each app that is registered in an organization. For more details, see Implementing the authorization code grant type.

Add OAuth v2.0 to a new API proxy

You can add OAuth verification to an API when you create a new API proxy in the Apigee UI.

To add OAuth verification to an API:

Apigee in Cloud console

  1. In the Google Cloud console, go to the Proxy development > API proxies page.

  2. Select your organization from the project picker in the Google Cloud pane. The organization name is the same as your Google Cloud project name.
  3. In the API Proxies pane, click + Create.
  4. In the Create a proxy pane, under Proxy template, select Reverse proxy (most common).
  5. Configure the proxy with the following:
    • Proxy Name: helloworld_oauth2
    • Base Path: /hellooauth2
      The Project Base Path is part of the URL used to make requests to the API proxy.
    • Description: hello world protected by OAuth v2.0
    • Target (Existing API): https://mocktarget.apigee.net/ip
      This defines the target URL that Apigee invokes on a request to the API proxy. This target just returns a simple response: Hello, Guest!.

  6. Click Next.
  7. Deploy (optional):
    • Deployment environments: Optional. Use the checkboxes to select one or more environments in which to deploy your proxy. If you prefer not to deploy the proxy at this point, leave the Deployment environments field empty. You can always deploy the proxy later.
    • Service Account: Optional. Attach a service account to your deployment to enable your proxy to access Google Cloud services, as specified in the service account's role and permissions.
  8. Click Create.
  9. In the Proxy summary pane for the helloworld_apikey proxy, click the Develop tab.
  10. In the Policies menu, click Add policy.
  11. In the Create policy pane, under Security, select Verify API Key.
  12. In the Verify API Key pane, complete the required fields in the Name and Display name sections using the following values:
    • Name: Enter a policy name. For example, VerifyAPIKey.
    • Display name: Enter a policy name for use in the UI. For example, Verify API Key.
  13. Click Create.
  14. Click to add another policy.
  15. In the Create policy pane, under Mediation, select Assign Message.
  16. In the Assign Message pane, complete the required fields in the Name and Display name sections using the following values:
    • Name: Enter a policy name. For example, AssignMessage.
    • Display name: Enter a policy name for use in the UI. For example, Assign Message.
  17. Click Create.
  18. Update the contents of the Assign Message policy to the following:

    
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <AssignMessage async="false" continueOnError="false" enabled="true" name="remove-header-authorization">
        <DisplayName>Remove Header Authorization</DisplayName>
        <Remove>
            <Headers>
                <Header name="Authorization"/>
            </Headers>
        </Remove>
        <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
        <AssignTo createNew="false" transport="http" type="request"/>
    </AssignMessage>
    
  19. Add the VerifyApiKey and Remove Header Authorization policies.
    1. In the Proxy endpoints menu, click Preflow.
    2. In the Request pane of the visual editor, click Add policy step.
    3. In the Add policy step pane, select Verify API Key.
    4. Click Add.
    5. In the Request pane of the visual editor, click Add policy step.
    6. In the Add policy step pane, select Remove Header Authorization.
    7. Click Add.
  20. Click Save.

Classic UI

  1. Sign in to Apigee UI.
  2. Select Develop > API Proxies in the left navigation bar.
  3. Click + Proxy.
  4. Use the Create Proxy wizard to create a Reverse proxy. See Build a simple API proxy.
  5. On the Common policies page of the wizard, select the radio button next to OAuth v2.0.
     Two policies are added to the newly created API proxy, one to verify access tokens and another to strip the access token after it has been verified.

Note that the Publish API Product checkbox becomes selectable and is automatically selected. Check this if you want to automatically generate a product when you build the new API proxy. The autogenerated product will be created with an association to the new API proxy. If you have an existing product with which you want to associate this new API, be sure to clear this checkbox so that you don't create an unnecessary product. For information about products, see What is an API product?
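
The check below is an added example, not part of the Apigee documentation: it lints a proxy's request PreFlow for the two-policy arrangement described above, confirming that an access token is verified and that the Authorization header is stripped only afterwards, so the token is not forwarded to the target. The OAuthV2 policy definition, the ProxyEndpoint XML, and the names POLICIES, ENDPOINT and check_preflow are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

# remove-header-authorization is abridged from this page; the OAuthV2 policy is constructed.
POLICIES = {
    "verify-oauth-v2-access-token": """
<OAuthV2 name="verify-oauth-v2-access-token">
    <Operation>VerifyAccessToken</Operation>
</OAuthV2>""",
    "remove-header-authorization": """
<AssignMessage name="remove-header-authorization">
    <Remove><Headers><Header name="Authorization"/></Headers></Remove>
    <AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>""",
}

# Constructed ProxyEndpoint: verify first, then strip the header.
ENDPOINT = """
<ProxyEndpoint name="default">
  <PreFlow name="PreFlow">
    <Request>
      <Step><Name>verify-oauth-v2-access-token</Name></Step>
      <Step><Name>remove-header-authorization</Name></Step>
    </Request>
  </PreFlow>
</ProxyEndpoint>"""

def is_verifier(p):
    return p.tag == "OAuthV2" and (p.findtext("Operation") or "").strip() == "VerifyAccessToken"

def strips_authorization(p):
    return p.tag == "AssignMessage" and any(
        h.get("name", "").lower() == "authorization"
        for h in p.findall("./Remove/Headers/Header"))

def check_preflow(endpoint_xml, policies):
    """Return findings for the request PreFlow; an empty list means it is sound."""
    names = [(s.findtext("Name") or "").strip()
             for s in ET.fromstring(endpoint_xml).findall("./PreFlow/Request/Step")]
    steps = [ET.fromstring(policies[n]) for n in names if n in policies]
    verify = next((i for i, p in enumerate(steps) if is_verifier(p)), None)
    strip = next((i for i, p in enumerate(steps) if strips_authorization(p)), None)
    findings = []
    if verify is None:
        findings.append("no VerifyAccessToken step in the request PreFlow")
    if strip is None:
        findings.append("Authorization header is forwarded to the target")
    if verify is not None and strip is not None and strip < verify:
        findings.append("Authorization is removed before the token is verified")
    return findings
```

Calling check_preflow(ENDPOINT, POLICIES) on the sample returns an empty list; reordering or dropping a step produces the corresponding finding.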