Using Apigee as auth store alternative to Auth0

stephenstoelinga14 · June 18, 2019, 1:10pm

Background

I’m looking into securing a selection of APIs for a client. I’m pretty familiar with the Auth0 offering and quite confident that it will serve me well as an auth provider.

The APIs will be deployed on GCP (Google Cloud Platform) and I’ve been looking into using Apigee mcdvoice to manage the life cycle of my APIs.

Question

Does Apigee offer an auth store for users similar to what Auth0 offers or is Apigee’s OAuth implementation limited to application level authentication using Consumer Key and Consumer Secret as described here?

stephenstoelinga14 · June 21, 2019, 12:57pm

Apigee OAuth implementation is not limited to Consumer Key/Secret (client credentials grant) but you also can implement different OAuth grant types. Apigee can generate/validate JWT and it’s own opaque tokens.

The problem is that Apigee does not provide Identity Provider (IdP) service, it means that it does not have a store for user credentials. You may utilize Apigee’s BaaS (Backend-as-a-Service) to store users or integrate Apigee with other IdPs, but there’s no built-in solution to authenticate users.

sam.julien · June 24, 2019, 5:50pm

Hi @stephenstoelinga14! Thanks so much for being part of the community and for your confidence in Auth0.

We are actually in the process of working through our official guidance on API gateways, including Apigee specifically. In fact, I’ll be bringing this post of yours into the discussion.

I don’t have a solid ETA on this yet, but I am happy to keep you in the loop via this thread.

Thanks again for being part of the community!

sam.julien · August 5, 2019, 4:12pm

Hello again @stephenstoelinga14!

I’ve been doing a ton of training on Apigee Edge to get up to speed on this for our customers and wanted to pop in again. You are correct that, while Apigee supports the four different OAuth flows, it is limited to the ability to generate and verify tokens and add them to requests. There is no user store.

We’re still working on our Official Guidance on best practices for integration of Auth0 and Apigee, but they do complement each other nicely. Essentially, you’ll first authenticate with Auth0. Then, you can either generate the token with Auth0 or with Apigee and use Apigee to add it to the header of the API request.

One of our employees posted this example on the Apigee Community Forum along with some sample code that should help you until we finish hammering out our official best practices:

https://community.apigee.com/articles/42269/auth0-with-apigee.html

Hope that helps. I’ll keep you posted as things develop.

Cheers,
Sam Julien