Flow variable options for rate limiting when both oauth or key auth are used.

We have a situation where a proxy will need to support both key or oauth for authentication. Not a great situation, we realize. For the external vendor utilizing key auth, they will have a restricted set of resources available to them. We still will be using rate limiting and were wondering if there was a way to have only one set of quota and spike arrest policies. Generally, we've used flow variables that were associated with the type of auth policy, but as there's two different authentication schemes, does this mean that we will have to use alternate rate limit policies for the two scenarios? I saw the warnings against using the vars which I would be inclined to leverage:

 

Note: Apigee recommends that you do not use the following variables for the quota identifier:

  • developer.id
  • developer.app.id
  • company.id

The reason for avoiding the use of these variables is that these IDs are generated internally by Apigee and are not guaranteed to stay the same over time. Apigee could change the format or length of these IDs, for example.


If you are using Apigee X or hybrid, there is a new option in the quota policy: UseQuotaConfigInAPIProduct.

This should allow you to use the same quota policy whether you use VerifyAPIKey or VerifyAccessToken.

Also - regarding that warning. I don't really like the wording of the warning, and I think it's misleading.

The warning should say: the format of these IDs is not a defined part of Apigee's interface. So you should not depend on that format remaining stable over time. You can use them as part of the quota identifier to distinguish between one developer, or one app and another.

I will discuss with the documentation team to see if we want to adjust and clarify that warning text.
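As an added illustration of the option named in the reply above (this is an example configuration, not code from the original post or from Apigee's documentation), here is what a single Quota policy using UseQuotaConfigInAPIProduct can look like. The policy name, the step name `VerifyAPIKey-1`, the default limit of 100 requests per minute, and the use of `client_id` as the identifier are all assumptions made for this example; `client_id` is chosen because both VerifyAPIKey and OAuthV2 VerifyAccessToken populate it, and it is a stable credential value rather than an internally generated ID like `developer.id`.

```xml
<!-- Added example: one Quota policy for both the key-auth and OAuth paths.
     Assumed names: policy "Quota-Shared", verification step "VerifyAPIKey-1".
     The stepName attribute points at the policy step whose API product
     lookup supplies the quota settings; DefaultConfig applies only when the
     product defines no quota of its own. -->
<Quota continueOnError="false" enabled="true" name="Quota-Shared">
    <DisplayName>Quota-Shared</DisplayName>
    <!-- Pull Allow/Interval/TimeUnit from the API product attached to the
         verified credential instead of hard-coding them in the proxy. -->
    <UseQuotaConfigInAPIProduct stepName="VerifyAPIKey-1">
        <DefaultConfig>
            <Allow>100</Allow>
            <Interval>1</Interval>
            <TimeUnit>minute</TimeUnit>
        </DefaultConfig>
    </UseQuotaConfigInAPIProduct>
    <!-- Count per app credential. client_id is set by both VerifyAPIKey and
         OAuthV2 VerifyAccessToken, so the same counter key works for both
         authentication schemes and avoids the internally generated IDs
         (developer.id, developer.app.id, company.id) the docs warn about. -->
    <Identifier ref="client_id"/>
    <Distributed>true</Distributed>
    <Synchronous>false</Synchronous>
</Quota>
```

In a proxy that branches between a VerifyAPIKey step and an OAuthV2 VerifyAccessToken step on a condition, this one Quota policy would sit after that branch in the PreFlow; verify in a trace session that `client_id` is populated on both paths before relying on it as the counter key, and confirm in the Apigee X or hybrid reference for UseQuotaConfigInAPIProduct which step name is appropriate for your flow.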