You can use Apigee API BaaS as a user account data store behind Apigee Edge proxies. If your application combines Edge with API BaaS (both of which support OAuth2), you can use features of each to support OAuth across the application.
This article describes one way to combine Edge and API BaaS features to register and authenticate users. You can collect and store user account information, then use that information when generating a single Edge-generated OAuth2 access token that embeds a token representing the user at the backend.
This article is the first in a series that suggests one way to implement a complementary relationship between the two products. This article describes how to implement the most permissive category of requests -- those available to anonymous users -- where "authentication" requires merely a valid API key. Other articles in this series describe implementing more restrictive kinds of access.
Note: This article is one in a series that uses the StreetCarts sample application to illustrate implementing authentication and authorization where Apigee Edge and Apigee API BaaS are combined in a single application. The series includes Authentication and authorization with Apigee Edge and API BaaS, Implementing authorization across Edge and API BaaS, and Updating API BaaS permissions at runtime. By @Floyd Jones, @Steve Traut, @wwitman.
When you want to protect backend resources so that only certain users can access them, you can require users to authenticate before making requests. Before authenticating, you'll need to get them registered.
In StreetCarts, most verb/endpoint pairs represent access to resources that should be protected. For example, it wouldn't do to allow just anyone to delete a food cart or add new menu items.
To make any request other than a GET, a user must create an account. Any resource can be protected so that only certain users can perform certain actions with it -- as long as the app knows who the user is.
Here's how user registration works:
1. The registerUser function verifies that required data was included.
2. The registerUser function in data-manager.js POSTs a new user account to the API BaaS /users endpoint.
3. The registerUser function adds the user to either a Members or Owners user group, depending on whether the original request specified that the user is a food cart owner.
Registered users can authenticate to get access to protected resources. For example, in StreetCarts a food cart owner can make a POST /foodcarts request to create a food cart, or a DELETE /foodcarts/:cartID request to remove it. Both of these actions are allowed only for registered owners.
In StreetCarts, a registered user must provide a valid username and password to log in. Edge asks the data-manager proxy to validate these credentials with the identity provider, which is the API BaaS data store. If the username and password are valid, they are exchanged for an OAuth2 access token, which is sent back to the client app. From there, the app can make protected API calls on behalf of the user. That means that application logic sends the username and password from the client back to the data store to validate, then generates an access token if validation is successful.
Here's how StreetCarts does authentication for registered users:
1. The authenticateUser function uses the API BaaS /token endpoint to authenticate at the backend, generating an API BaaS OAuth2 token.
2. The authenticateUser function retrieves from API BaaS the list of user groups in which the user is a member.
3. Those group names populate the <Scope> element so they're included in the access token. The BaaS-generated access token is also copied into the Edge-generated access token as a custom attribute for use in later requests to API BaaS.
Note that authentication is a two-part process. In the end, the access token generated in an Edge proxy includes another access token generated by API BaaS. By using an API BaaS-generated access token later returned by a client, StreetCarts can lean on the BaaS permissions framework for authorizing access to specific resources. For more, see "Authorize for each verb/resource pair using API BaaS permissions".