Authentication required based on cookies

I have a requirement to implement a proxy where I have to authenticate based on cookies. My client's requirement has some values stored in cookies during runtime, and in Apigee I have to authenticate based on those values in the cookies.

How can I implement this process, either with KVM or using a cache?

If I use KVM, I need to use a batch process which will delete the recurring KVM at a specific interval.

 

I appreciate your response/suggestions.

1 REPLY

Not sure.  You may be on the wrong track. 

First, cookies are a mechanism used in WEB SERVERS.  That's not what Apigee is designed to do.  Lots of people learn about Apigee and think "maybe I'll use Apigee as a proxy for web requests!" and that leads them to investigate how to handle Cookies in Apigee.  Apigee is not a web server. If you want a Web server, use Apache, or nginx or I dunno, something else. 

Now, there are some customers I've worked with in which most of the APIs they run through Apigee are bona fide regular API calls - they use OAuth or API Keys or HMAC or JWT for authentication - but alongside those, there are a few other calls that need something different, like Cookie-based authentication. This is a little like using a wrench to hammer a nail, but sometimes for other reasons, it's the right thing to do. The client is most often a web app or browser in this case.

Assuming you're that kind of Apigee user, and not someone who is trying to do something unnatural with Apigee, like serve primarily web content through it, let's explore the question. 

"Authenticate based on cookies", to me, implies that the cookie presented in the request needs to be validated and checked. But since Apigee is not a web server, it does not natively have cookie generation capabilities! Consequently, if you want Apigee to authenticate the cookie, the reasonable next question is "how?" Apigee had nothing to do with setting the Cookie, so... how is Apigee supposed to authenticate it?

If you're telling me that you've already configured Apigee to generate the cookie and set it (in a Set-Cookie response header), then.... I guess it's pretty straightforward. Every time Apigee generates a cookie and sends it back to a browser app, it should first store that Cookie in the KVM.  And you can do that with a KeyValueMapOperations policy using a Put Operation.  (Check the docs)

Then the "validating" of the cookie is just a matter of KVM Get.  

And if you want to have a periodic "cleaning" of the KVM, to clear out older cookies, that shouldn't be too hard to implement.

That's the sort of thing a normal webserver would do automatically for you. Like I said, Apigee is not a webserver; managing cookies is a little outside the mainstream.

Good luck!
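
The Put-on-issue, Get-on-validate flow described in the reply above, modelled as plain JavaScript with expiry enforced at lookup so a late cleanup run cannot keep a stale cookie valid. This is an added example, not part of the original thread and not Apigee policy code: the `Map` stands in for the KVM, and the function names and the 15-minute lifetime are assumptions.

```javascript
// Constructed model: a Map stands in for the Apigee KVM (Put / Get / Delete).
const MAX_AGE_MS = 15 * 60 * 1000; // assumed session lifetime

// Pull one named cookie out of a raw Cookie request header (first match wins).
function readCookie(header, name) {
  if (typeof header !== 'string') return null;
  for (const part of header.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue; // malformed pair without '=' is ignored
    if (part.slice(0, eq).trim() === name) {
      const value = part.slice(eq + 1).trim();
      return value === '' ? null : value;
    }
  }
  return null;
}

// "Put": record a cookie value at the moment it is sent in Set-Cookie.
function recordIssued(store, value, subject, now) {
  store.set(value, { subject, issuedAt: now });
}

// "Get": accept only values that were issued here and are still in lifetime.
function validate(store, header, name, now) {
  const value = readCookie(header, name);
  if (value === null) return { ok: false, reason: 'missing' };
  const entry = store.get(value);
  if (!entry) return { ok: false, reason: 'unknown' };
  if (now - entry.issuedAt > MAX_AGE_MS) {
    store.delete(value); // do not wait for the cleanup job
    return { ok: false, reason: 'expired' };
  }
  return { ok: true, subject: entry.subject };
}

// Periodic cleaning: delete entries past their lifetime, return count removed.
function purgeExpired(store, now) {
  let removed = 0;
  for (const [value, entry] of store) {
    if (now - entry.issuedAt > MAX_AGE_MS) {
      store.delete(value);
      removed++;
    }
  }
  return removed;
}
```
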