Intro to OAuth2 Client Credentials in Apigee

  • Published 20 Aug 2024
  • This is a quick introduction to how to use OAuth2 token verification within Apigee API proxies. It shows how to create a proxy, how to create a token-generating proxy that supports the client-credentials OAuth2 grant type, how to obtain a token from that proxy, and how to use that token with other API proxies in Apigee. It introduces the concepts of Apps, Developers, and API Products in the Apigee universe.
    Some links:
    IETF RFC 6749: www.rfc-editor...
    The github repo containing the OAuth2 proxy: github.com/Din...

Comments • 15

  • @JelleKeppels 1 year ago +1

    Thanks, Dino, great tutorial. I am also looking at a scenario where I need APIGEE to retrieve from an OAUTH 2.0 endpoint. What I want is to automate the retrieval of the OAuth token in the flow itself (when it is expired). Any experience with this?

    • @dinochiesa1860 1 year ago

      Sure, you can do that. Really common. Usually people want to implement this kind of thing when Apigee is acting as an OAuth 2.0 mediation layer.
      In this scenario, Apigee accepts and validates an Apigee-generated token, and then employs a token from some other issuer to invoke the upstream system. The best way to implement it: in the proxy, at token-generation time, before invoking OAuthV2/GenerateAccessToken, configure the Apigee proxy to invoke the /token endpoint on the 3rd party token dispensary to acquire the 3rd-party token. Then, in OAuthV2/GenerateAccessToken, attach that token as a hidden _attribute_ on the Apigee-generated token. Set the expiry on the Apigee-generated token to be synchronized with the 3rd-party generated token (or a few seconds shorter). And then eventually return the Apigee-generated token to the client app.
      Then, later, when the client app presents the Apigee-generated token in subsequent API calls, the API proxy will validate that token and in that process, it will implicitly retrieve the 3rd-party generated token. And the proxy can then inject that token into the request that flows to the upstream.
      When the Apigee-generated token expires, the client app will request a new token, and then you'd begin the cycle again.
      Above I wrote "configure the Apigee proxy to invoke the /token endpoint on the 3rd party token dispensary to acquire that token". In case you are less familiar with Apigee, the way you'd do this is with AssignMessage (to form the outbound request-for-token message) and ServiceCallout (to send the request-for-token to the 3rd party endpoint).
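A sketch of the mediation flow described in the reply above, as an added example (not code from the video or its GitHub repo): four Apigee policies in the order they would run. Assumed: the issuer URL, the flow-variable names, the KVM-populated `private.upstream_basic_auth` credential, and a small JavaScript policy (not shown) that converts the issuer's `expires_in` (seconds) into the millisecond value `ExpiresIn` needs, minus a safety margin.

```xml
<!-- Step 1 (token proxy): ask the third-party issuer for its token. Assumed: issuer URL,
     and private.upstream_basic_auth holding the base64 client credentials for that issuer. -->
<ServiceCallout name="SC-Get-Upstream-Token">
  <Request variable="upstreamTokenRequest">
    <Set>
      <Verb>POST</Verb>
      <Headers>
        <Header name="Authorization">Basic {private.upstream_basic_auth}</Header>
        <Header name="Content-Type">application/x-www-form-urlencoded</Header>
      </Headers>
      <FormParams>
        <FormParam name="grant_type">client_credentials</FormParam>
      </FormParams>
    </Set>
  </Request>
  <Response>upstreamTokenResponse</Response>
  <HTTPTargetConnection>
    <URL>https://issuer.example.com/oauth2/token</URL>
  </HTTPTargetConnection>
</ServiceCallout>
<!-- Step 2: pull access_token and expires_in (seconds) out of the issuer's JSON reply. -->
<ExtractVariables name="EV-Upstream-Token">
  <Source>upstreamTokenResponse</Source>
  <JSONPayload>
    <Variable name="upstream.access_token"><JSONPath>$.access_token</JSONPath></Variable>
    <Variable name="upstream.expires_in"><JSONPath>$.expires_in</JSONPath></Variable>
  </JSONPayload>
</ExtractVariables>
<!-- Step 3: mint the Apigee token, carrying the upstream token as a hidden attribute.
     ExpiresIn is in milliseconds; upstream.expires_ms is assumed to be set by a JavaScript
     policy as (expires_in - 10) * 1000, so the Apigee token expires a few seconds earlier. -->
<OAuthV2 name="OAuth-Generate-Token">
  <Operation>GenerateAccessToken</Operation>
  <ExpiresIn ref="upstream.expires_ms">3600000</ExpiresIn>
  <SupportedGrantTypes><GrantType>client_credentials</GrantType></SupportedGrantTypes>
  <GrantType>request.formparam.grant_type</GrantType>
  <Attributes>
    <!-- display="false" keeps the upstream token out of the response sent to the client app -->
    <Attribute name="upstream_token" ref="upstream.access_token" display="false"/>
  </Attributes>
  <GenerateResponse enabled="true"/>
</OAuthV2>
<!-- Step 4 (any protected proxy): after OAuthV2/VerifyAccessToken succeeds, the hidden
     attribute is exposed as accesstoken.upstream_token; forward it to the upstream system. -->
<AssignMessage name="AM-Set-Upstream-Authorization">
  <Set>
    <Headers>
      <Header name="Authorization">Bearer {accesstoken.upstream_token}</Header>
    </Headers>
  </Set>
  <AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>
```

Because the client app only ever sees the Apigee-issued token, the third-party credential never leaves the proxy, and the shorter expiry keeps the upstream token from being presented after it has already lapsed.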

  • @DroneshotsIndia 1 year ago

    Hi @Dino, big fan of yours! Can you make videos on implementing/architecting Apigee infrastructure for Hybrid and GCP with Kubernetes? Or if there is documentation which has a good amount of detail, do share.

    • @dinochiesa1860 1 year ago

      My colleague, Miguel Mendoza, has produced a nice walkthrough of installing Apigee hybrid on GKE. th-cam.com/video/vmzbwTIYsog/w-d-xo.html. Check it out!

  • @joelhernandezr21 1 year ago

    Hi Dino Chiesa, I have an issue when an access token is generated in hybrid Apigee X. Let me explain: I have 1 product with 2 comma-separated scopes (read,write). When I request a token with the read scope, we get a token for that one, but when I request the second scope, the metadata response does not generate an access token for that scope. I don't know if that is a problem with the product configuration or something else.

    • @dinochiesa1860 1 year ago

      Hi, I've been away on holiday. This seems like a good question for the Apigee community forum www.googlecloudcommunity.com/gc/Apigee/bd-p/cloud-apigee .
      For my part, I can configure a Product to support "READ,WRITE" scope. Then GenerateAccessToken with READ scope, or WRITE scope. Then, at time of VerifyAccessToken, it works as expected. If the VerifyAccessToken policy requires a READ scope and the token includes READ scope, it works. If the VerifyAccessToken policy requires a READ scope and the token does not include READ scope, the verify fails as expected. And likewise for WRITE scope.
      So maybe there is a problem in your policies. But anyway this is better covered in a forum, where you can show configuration and I can suggest changes, or provide examples of my own. Please ask there.

    • @dinochiesa1860 1 year ago

      oh I see you've already asked this question in the community. www.googlecloudcommunity.com/gc/Apigee/Issue-with-Oauth-2-token-generation-with-scopes-in-apigee-x/m-p/504774#M73411
      I've answered there. Good luck!

  • @SachinPawar-re2bo 1 year ago

    Thanks. Could you please make an external Auth2 demo?

    • @dinochiesa1860 1 year ago

      Hi - can you explain what you mean by "external Auth2"? Maybe elaborate a little more on what you're thinking.

    • @jaimegn 3 months ago

      @dinochiesa1860 for example Microsoft IDP Azure

  • @mounikaduduka8473 1 year ago

    Can you please make OAuth 1.0a in Apigee?

    • @dinochiesa1860 1 year ago

      I'd be glad to try to help out, but I'd need more information from you. Apigee acts as an HTTP proxy, which means you could configure Apigee as an OAuth 1.0a receiver (northbound) or an OAuth1.0a client (southbound). So can you explain what you mean? Maybe provide more than 5 or 6 words. A few sentences would be helpful.

    • @dinochiesa1860 1 year ago

      @mounikaduduka8473 Hi, I'm not sure what offset and limit have to do with the problem. Oauth1.0a is tricky to get right. I suggest you try this online tool for creating the signatures at the various stages: dinochiesa.github.io/oauth1.0a/. Good luck!

    • @dinochiesa1860 1 year ago

      @mounikaduduka8473 I am sorry you are still having difficulty. As I said, Oauth1.0a signatures can be tricky to get right. I suggested the website to help you create and verify signatures. Then you replied with "let me know the online tool." So I'm not sure you're reading and understanding what I am writing. Good luck working through this. Keep at it, you'll figure it out.