Configuring an OAuth flow in Apigee (optional)
Before you begin
You must add an API proxy in Apigee.
About this task
This task only applies if you want to add OAuth authentication to the API proxy in Apigee. If you don’t want to add an OAuth flow, proceed to Attaching the PingAuthorize Shared Flow to API proxies.
These steps reference the Apigee Edge documentation. As you proceed, use values that correspond to you and your Apigee environment instead of the suggested example values. If needed, consult the Apigee X documentation.
Steps
1. Create an API product:
   - Optional: Add scopes to the Allowed OAuth scopes field.
2. Create a developer and an app.
   You can ignore the steps referring to the Key and Secret.
3. Create an API proxy to generate an access token:
   - Go to API Proxies → Create Proxy and click the No target tile.
   - On the Proxy details page, enter /token in the Base path field.
   - On the Common policies page, click Pass through (no authorization). You will configure the OAuth authentication in another step.
4. Add the OAuth policy to the token proxy:
   - In the Policies list on the Develop tab of the token proxy, click the icon to add a policy.
   - In the Security section, select the OAuthV2 policy.
   - In the policy editor panel, add and define at least one custom attribute for your access token using the <Attribute> element inside of the <Attributes> element.
     Example:
     You must use one of the custom attributes added in this step to provide a value to the sub attribute in the PingAuth Shared Flow. The following example specifies the username attribute, but you can specify any custom attribute defined in this step.
5. Map a custom attribute value to the value of the sub attribute:
   - Open the PingAuth Shared Flow in Apigee.
   - In the Resources list, select the Prepare-Request.js file.
   - Uncomment this line:
     validated_access_token_values["sub"] = context.getVariable('accesstoken.{custom_attribute}')
   - Replace {custom_attribute} with the name of a previously defined custom attribute.
     Example:
6. Configure Apigee to validate the access token:
   - Read the oauth_flow/Readme document in the Ping Identity GitLab repository.
   - Download the VerifyAccessToken and GetOAuthInfo files.
   - In the API proxy hosting the PingAuth Shared Flow, add GetOAuthv2Info and VerifyAccessToken as policies.
   - Select PreFlow in the Proxy Endpoints list.
   - In the policy editor, before the PingAuth Shared Flow call, add a step for the GetOAuthv2Info policy.
   - In the policy editor, before the GetOAuthv2Info policy call, add a step for the VerifyAccessToken policy.
   After configuration, the API proxy should look like the following:
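The following OAuthV2 policy for the token proxy (step 4) is an added example; it is not from the Apigee or PingAuthorize documentation. The password grant and the authenticated.username flow variable referenced by ref= are assumptions: Apigee does not verify the user's credentials itself, so that variable must be set by an earlier policy that has authenticated the user, because its value becomes the sub attribute the PingAuth Shared Flow sends to PingAuthorize.

```xml
<!-- Added example, not part of the Apigee or PingAuthorize documentation.
     Issues an access token that carries a "username" custom attribute.
     The custom attribute is later readable in the resource proxy as the
     flow variable accesstoken.username, which is what the uncommented
     line in Prepare-Request.js maps to "sub". -->
<OAuthV2 name="OAuthV2-GenerateAccessToken">
  <DisplayName>OAuthV2-GenerateAccessToken</DisplayName>
  <Operation>GenerateAccessToken</Operation>
  <!-- Token lifetime in milliseconds (1 hour). -->
  <ExpiresIn>3600000</ExpiresIn>
  <SupportedGrantTypes>
    <GrantType>password</GrantType>
  </SupportedGrantTypes>
  <GrantType>request.formparam.grant_type</GrantType>
  <!-- Apigee reads these but does not validate them; a preceding policy
       must authenticate the user before this policy runs. -->
  <UserName>request.formparam.username</UserName>
  <PassWord>request.formparam.password</PassWord>
  <Attributes>
    <!-- Assumed variable set by the authenticating policy. Do not point
         ref= directly at client-supplied input: this value becomes "sub". -->
    <Attribute name="username" ref="authenticated.username" display="true"/>
  </Attributes>
  <GenerateResponse enabled="true"/>
</OAuthV2>
```

With this policy in place, step 5 uses accesstoken.username in place of accesstoken.{custom_attribute}.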
Result
Apigee issues and verifies the OAuth access token before launching the API proxy flow containing the PingAuth Shared Flow. The PingAuth Shared Flow is configured to pass the access token, when present, in the payload of the sideband request to PingAuthorize.
Passing the access token to the sideband endpoint using the request payload takes precedence over passing the token using the authorization header.