Making sense of API Product configuration  

Will Witman created · Feb 24, 2017 at 02:42 PM · 7.4k Views · edited · Feb 24, 2017 at 02:43 PM

An Apigee Edge API Product lets you restrict access to proxy resources based on some combination of proxies and resource paths. When you add a Product to a Developer App, you can use the keys generated for that App to enforce this restricted access.

When you create a Product, Edge lets you specify zero or more proxies and zero or more resource paths to define the "restrictions" you wish to achieve.

But wait, what does it mean if you do not specify any proxies? Or, if you don't specify any resource paths? Or, for that matter, if you omit both? This is a frequent source of confusion for Edge developers!

API Products 101

Here's a common Product setup. Let's say you have a proxy called StreetCarts, which lets you find information about local food carts. The basepath of this proxy is /streetcarts.

Now, let's say you want to allow access only to certain resources that the proxy knows about. You can do this by adding both the proxy and the resources you wish to allow to an API Product. For example, here's what the Product UI would look like, where the resource paths /reviews, /carts, and /menus are listed and the proxy StreetCarts is specified:



Using an API key from a Developer App associated with this Product, the following call will succeed (assuming ABCD is a valid key and the VerifyAPIKey policy is used in the proxy). It succeeds because the basepath of the StreetCarts proxy is /streetcarts and both the proxy and the resource path /carts are in the Product:

GET /streetcarts/carts?apikey=ABCD


But this will fail, because the resource path /users is not in the Product:

GET /streetcarts/users?apikey=ABCD


This also fails, because the basepath of the proxy StreetCarts is not /foodcarts:

GET /foodcarts/carts?apikey=ABCD


The following path fails as well since the basepath by itself is not allowed in the above configuration. If, however, you do want to allow the basepath, one option would be to add "/" to the list of resources in the product, which (by default) allows the basepath and all subpaths to go through.

GET /streetcarts?apikey=ABCD 


To learn more about how to allow or exclude resources based on wildcards, see Configuring the behavior of a Resource Path of '/', '/*', and '/**'.


Be careful when omitting proxies and/or resource paths

Now, what happens if you omit proxies and/or resources from the Product? You need to be aware of potential risks with these kinds of setups!

When you specify resource paths but omit proxies

If you include paths in the Product, but do not specify any proxies, then keys associated with the Product will work for ANY proxy; however, requests will only succeed for the given paths. Consider the following configuration:



Given this setup, this hypothetical call will succeed:

GET /basepath_A/accounts?apikey=ABCD


And so will this!

GET /basepath_B/accounts?apikey=ABCD


The basepaths don't matter, because no proxies are specified in the Product. So, any proxy basepath will be a potential match for the given key. However, proxy requests will only succeed if a valid resource path is given. For example, this call will fail because /carts is not specified in the Product.

GET /streetcarts/carts?apikey=ABCD


When you specify proxies but omit resource paths

If you specify one or more proxies, but no resource paths, then your API key will work with ALL RESOURCE PATHS in the specified proxy(s), including just the basepath.


The following API call will succeed:

GET /streetcarts/carts?apikey=ABCD


The following call will also succeed because all paths, including the basepath, for the StreetCarts proxy are allowed:

GET /streetcarts?apikey=ABCD


However, this will fail, because the basepath for the specified proxy (StreetCarts) is /streetcarts, not /foodcarts:

GET /foodcarts/carts?apikey=ABCD


No proxies, no resources: Beware the skeleton key option!

A skeleton key is a key that opens any lock in your house. If you create a product with NO proxies and NO paths, then the key associated with that product can be used with ANY key-protected proxy in your org. In the UI, such a configuration would look like this:



This option may be useful for testing, or for very specific use cases. But be sure you understand the effect of creating a Product with no proxies or paths. Skeleton key!

You can read more about creating products in the Edge documentation.
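The matching rules above can be turned into an audit that flags over-broad Products before their keys are handed out. This is an added example, not Apigee's code: it assumes the field names `proxies` and `apiResources` from the Edge API product JSON, uses constructed sample Products, and matches only literal paths plus the default behaviour of "/" and "/**" (other wildcards are not modelled).

```python
# Added example: models the matching rules described in this article.
# Field names "proxies" and "apiResources" are assumed from the Edge API
# product JSON; product names below are constructed sample data.

OPEN_PATHS = {"/", "/**"}  # by default both allow the basepath and all subpaths

def is_allowed(product, proxy, resource_path):
    """Return True if a key for `product` may call `resource_path` on `proxy`.

    `resource_path` is the part after the proxy basepath ("" for the basepath
    itself). The proxy list and the path list are checked independently.
    """
    proxies = product.get("proxies") or []
    resources = product.get("apiResources") or []
    if proxies and proxy not in proxies:
        return False                      # proxy list present and no match
    if not resources or OPEN_PATHS & set(resources):
        return True                       # no path restriction at all
    return resource_path in resources     # literal match only in this model

def classify(product):
    """Label the risky configurations the article warns about."""
    proxies = product.get("proxies") or []
    resources = product.get("apiResources") or []
    if not proxies and not resources:
        return "skeleton-key"             # any key-protected proxy, any path
    if not proxies:
        return "any-proxy"                # listed paths on ANY proxy
    if not resources or OPEN_PATHS & set(resources):
        return "all-paths"                # every path on the listed proxies
    return "restricted"

def audit(products):
    """Return {name: label} for every product that is not fully restricted."""
    return {p["name"]: classify(p) for p in products
            if classify(p) != "restricted"}

# Constructed sample products mirroring the article's four setups.
PRODUCTS = [
    {"name": "carts-basic", "proxies": ["StreetCarts"],
     "apiResources": ["/reviews", "/carts", "/menus"]},
    {"name": "accounts-only", "proxies": [], "apiResources": ["/accounts"]},
    {"name": "carts-full", "proxies": ["StreetCarts"], "apiResources": []},
    {"name": "test-all", "proxies": [], "apiResources": []},
]

if __name__ == "__main__":
    for name, label in audit(PRODUCTS).items():
        print(f"{name}: {label}")
```
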

terrancedavid · Aug 11, 2017 at 10:01 PM

@wwitman

@dino

@Ricardo

@support

What is the effect of the "revisions" choice when using the "import resource" type of proxy/resourcePath entry?

Also, will selecting the latest revision allow the authority to automatically update when a new revision of an imported resource is created?

Mike Dunker @Google ♦♦ terrancedavid · Sep 06, 2018 at 08:57 PM

Revisions are just used to provide the resource path dropdown list when you use the "Import Resource" functionality. They are not saved as part of the product. @wwitman - maybe add a section about the Import Resource box?

Will Witman ♦♦ Mike Dunker @Google ♦♦ · Sep 07, 2018 at 07:30 PM

Thanks, @Mike Dunker -- I'll update the doc to make sure this is clear.

Mike Dunker @Google ♦♦ · May 17, 2018 at 05:36 AM

Great article, Will!

Maivizhi A · Sep 11, 2018 at 07:51 AM

@wwitman @Mike Dunker

How do I specify the resource for the below scenario?

Proxy 1 (StreetCarts)- Access to all resource path (/**)

Proxy 2 (foodcarts)- Access to specific resource path (/carts)

Mike Dunker @Google ♦♦ Maivizhi A · Oct 30, 2018 at 12:05 AM

Hi @Maivizhi A -- sorry for the very late response. That is a quirk of products -- unfortunately the proxy and resource paths are two separate lists. Even though you think you can specify them together using the UI, there is no connection between the two. That means that specifying /** would give that wildcard (full) access to any of the specified proxies.
