Advanced OAuth 2.0 topics
This page applies to Apigee and Apigee hybrid.
View Apigee Edge documentation.
Using third-party OAuth tokens
See Using third-party OAuth tokens.
Designating multiple redirect URIs
When using the authorization code grant type, you must specify a redirect URI when you register your developer app. The redirect URI specifies the URI of an app that is designated to receive an authorization code on behalf of the client app. The client is required to send this URI to Apigee when requesting authorization codes and tokens, and the redirect_uri parameter must match the one that is registered. See also Get OAuth 2.0 tokens.
For example:
https://mydomain.com/authorize?client_id=123456&response_type=code&redirect_uri=https%3A%2F%2Fmydomain.com%2Fcallback&scope=scope1%20scope2&state=abc
There is a use case for specifying multiple redirect URIs in a single proxy application. For example, you may want to authenticate for multiple domains. For instance:
https://mydomain.com/callback
https://mydomain.uk/callback
https://mydomain.ja/callback
To specify multiple redirect URIs in the developer app, add them as a comma-separated list in the Callback URL field in the developer app UI. For example:
https://mydomain.com/callback,https://mydomain.uk/callback,https://mydomain.ja/callback
Note that the /authorize request must only carry one URI in the redirect_uri parameter. As long as the redirect URI matches one of the URIs specified in the Callback URL field in the developer app UI, the request will succeed.
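The matching rule described above can be modeled as follows. This is an added example, not Apigee code: the function names are hypothetical, the sample values are the ones shown on this page, and it assumes the comparison is an exact string match after percent-decoding.

```python
from urllib.parse import urlsplit, parse_qs

# Callback URL field value as shown on this page (comma-separated list).
CALLBACK_URL_FIELD = ("https://mydomain.com/callback,"
                      "https://mydomain.uk/callback,"
                      "https://mydomain.ja/callback")


def registered_uris(callback_field):
    """Split the comma-separated Callback URL field into a set of URIs."""
    return {u.strip() for u in callback_field.split(",") if u.strip()}


def check_authorize_request(url, callback_field=CALLBACK_URL_FIELD):
    """Return (ok, detail) for the redirect_uri carried by an /authorize URL.

    Assumption: matching is an exact string comparison after
    percent-decoding; no prefix or wildcard matching is applied.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    values = query.get("redirect_uri", [])
    # The request must carry one redirect_uri, not zero and not several.
    if len(values) != 1:
        return False, "request must carry exactly one redirect_uri"
    candidate = values[0]
    # The comma-separated form is only valid in the Callback URL field.
    if "," in candidate:
        return False, "redirect_uri must be a single URI, not a list"
    if candidate not in registered_uris(callback_field):
        return False, "redirect_uri is not registered for this app"
    return True, candidate


if __name__ == "__main__":
    base = "https://mydomain.com/authorize?client_id=123456&response_type=code"
    # Constructed sample requests for illustration.
    samples = [
        base + "&redirect_uri=https%3A%2F%2Fmydomain.uk%2Fcallback&state=abc",
        base + "&redirect_uri=https%3A%2F%2Fmydomain.com%2Fother&state=abc",
        base + "&redirect_uri=https%3A%2F%2Fmydomain.com%2Fcallback"
               "%2Chttps%3A%2F%2Fmydomain.uk%2Fcallback&state=abc",
    ]
    for request_url in samples:
        print(check_authorize_request(request_url))
```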
Changing the default return behavior of a GenerateAuthCode operation
By default, the GenerateAuthCode operation of the OAuthV2 policy returns a 302 redirect to the redirect URI with a ?code query parameter containing the authorization code.
In some cases, you may want to change this behavior. For example, you may want to return a 200 response with structured JSON containing the code.
One way to accomplish this use case is to set the OAuthV2 policy's GenerateResponse property to false. Use the ExtractVariable policy to get the value of the authorization code from the variable oauthv2authcode.{policy_name}.code. Then, you can use the AssignMessage policy to return the code in a JSON payload with a status of 200.
Auditing app end user consent
You may be required to verify that an app end user authorized an app. You can use the Apigee Audit API to do so.
Outbound OAuth sample
See the outbound-oauth sample in the Apigee api-platform-samples repository on GitHub. You can clone the sample, deploy it, and run it. This sample uses the Microsoft Azure translator API to translate tweets. To do so, it makes an outbound call to obtain an OAuth access token, and then caches the token using the API Services caching policies, reusing the cached token each time an outbound call is made. It also includes a demonstration browser app used to invoke the API proxy.
Last updated 2026-02-19 UTC.