Hello @lawrencenelson
I have a proxy deployed on Apigee Edge and I am using API key and OAuth v2 with client credentials. And I want to mandate these two authorization mechanisms for all consumers except one. So how can I bypass the Verify OAuth policy, so that he can get the success response by using only the API key?
Hello @snehaspatil ,
Unfortunately you added it in the wrong place. The condition should not be inside your policy. It should be in the proxy PreFlow request:
<PreFlow name="PreFlow">
    <Request>
        <Step>
            <Condition>verifyapikey.Verify-API-Key-1.RequiredOAuth != "false"</Condition>
            <Name>Verify-OAuth-Token</Name>
        </Step>
    </Request>
    <Response/>
</PreFlow>
This will execute the policy conditionally. You can find detailed documentation here.
Hi @snehaspatil
Please add a custom variable in the developer app for the consumers for whom you need to exclude OAuth.
Add one custom variable like:
key: RequiredOAuth
value: false
and your Verify API Key policy will populate this custom variable in the proxy execution flow if the request is from a valid client. Add a condition on the OAuth validation step to skip it in case the request is from one of these consumers:
<Step>
    <Condition>verifyapikey.Verify-API-Key-1.RequiredOAuth != "false"</Condition>
    <Name>ValidateOAuthToken</Name>
</Step>
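Putting the two replies above together, here is a complete PreFlow plus the Verify API Key policy it relies on. This is an added example, not configuration from the thread; the policy names Verify-API-Key-1 and Verify-OAuth-Token and the apikey query parameter are assumed.

```xml
<!-- Added example (not from the original thread). Assumes policies named
     Verify-API-Key-1 and Verify-OAuth-Token and an API key sent as ?apikey=... -->
<PreFlow name="PreFlow">
    <Request>
        <!-- Step 1 must run first: besides verifying the key it populates
             verifyapikey.Verify-API-Key-1.RequiredOAuth from the developer app's
             custom attribute. The attribute is set by the API provider on the app,
             not sent by the consumer, so a caller cannot exempt itself. -->
        <Step>
            <Name>Verify-API-Key-1</Name>
        </Step>
        <!-- Step 2 runs unless the app carries RequiredOAuth=false. The comparison is
             against the string "false", so an app with no attribute, or a misspelled
             value, still goes through token verification (fails closed). -->
        <Step>
            <Condition>verifyapikey.Verify-API-Key-1.RequiredOAuth != "false"</Condition>
            <Name>Verify-OAuth-Token</Name>
        </Step>
    </Request>
    <Response/>
</PreFlow>

<!-- The policy whose name appears in the flow variable above. -->
<VerifyAPIKey async="false" continueOnError="false" enabled="true" name="Verify-API-Key-1">
    <DisplayName>Verify API Key 1</DisplayName>
    <APIKey ref="request.queryparam.apikey"/>
</VerifyAPIKey>
```

If the key check lives in a Shared Flow instead, the variable prefix is still verifyapikey followed by the name of the VerifyAPIKey policy inside that shared flow, not the name of the OAuth policy.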
Hello @chrismca73
Thanks for your response. Actually we are doing API key validation globally for all proxies, not at the proxy level. And do you suggest adding the condition at the PreFlow?
Hello @snehaspatil
Even if you're doing API key validation through Shared Flows or Flow Hooks, this particular condition will still work there. Just make sure you're validating against the correct custom attribute:
verifyapikey.POLICY-NAME.Custom-Attribute-Name
Good luck 🙂
Hello @chrismca73
<OAuthV2 async="false" continueOnError="false" enabled="true" name="Verify-OAuth-Token">
    <Operation>VerifyAccessToken</Operation>
    <DisplayName>Verify OAuth Token</DisplayName>
    <Properties/>
    <Scope>xyz</Scope>
    <ExternalAuthorization>false</ExternalAuthorization>
    <!-- Condition to check if OAuth validation is required -->
    <Condition>verifyapikey.Verify-OAuth-Token.RequiredOAuth != "false"</Condition>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <AssignTo createNew="false" transport="http" type="response"/>
</OAuthV2>
This is how my policy looks. I have added the condition here. It's not working.
<Step>
    <Name>OA-VerifyAccessToken</Name>
    <Condition>(request.verb != "OPTIONS") and (verifyapikey.OA-VerifyAccessToken.RequiredOAuth != "false")</Condition>
</Step>
I made the changes in the PreFlow now, but it's not working. Are you sure about this syntax: verifyapikey.OA-VerifyAccessToken.RequiredOAuth != "false"? The OAuth token is sent in the Authorization header as a bearer token.
Yes, for me it's working. Have you added the custom attribute in your developer app for this particular consumer?
RequiredOAuth is a custom attribute; try adding it in the developer app. Doc
I have added.
@snehaspatil wrote:
And I want to mandate these two authorization mechanisms for all consumers except one. So how can I bypass the Verify OAuth policy, so that he can get the success response by using only the API key?
I think the approach you are following is not correct. It does not make sense to have BOTH API key and OAuth token credentials. Choose one or the other.
Apigee dispenses a token in exchange for client credentials, which include an API key. Therefore the token derives from the key. There is no need to send the key along with the token. The token provides all the information that the key provides, and more.
If you want the flexibility to apply EITHER an API key OR an OAuth token, then you can conditionally check for each one. For example
Hello @dchiesa1 ,
Actually the use case is like this: my proxy has both API key and OAuth v2. All consumers need to be authenticated with both authentication mechanisms. In OAuth I am using client credentials as the grant type and passing the generated token as a Bearer token in the header. And one of the consumers needs to be authenticated with the API key only. That is, we need to bypass that consumer.
@snehaspatil wrote:
Actually the use case is like this: my proxy has both API key and OAuth v2. All consumers need to be authenticated with both authentication mechanisms.
Yes, I understand. And I'm telling you, that approach is not correct. You should use ONE or the OTHER. Use an API key OR a token, not both. There's no need to use an API key if you have a token; the token is derived from the API key. There's no need to have both!
@snehaspatil wrote:
In OAuth I am using client credentials as the grant type and passing the generated token as a Bearer token in the header. And one of the consumers needs to be authenticated with the API key only. That is, we need to bypass that consumer.
All of that makes sense. For apps that need OAuth, check for the token and validate it. Otherwise, check for the API key and verify THAT. You don't need to use both, and it should be an error if both are passed.
OK, thank you @dchiesa1
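The either/or flow that @dchiesa1 describes in the two replies above, written out as a PreFlow. This is an added example, not configuration from the thread; the policy names OA-VerifyAccessToken, Verify-API-Key-1 and RF-AmbiguousCredentials and the apikey query parameter are assumed.

```xml
<!-- Added example (not from the original thread). Exactly one credential is accepted:
     a bearer token in the Authorization header, or an API key in ?apikey=...  -->
<PreFlow name="PreFlow">
    <Request>
        <!-- Presenting both credentials is treated as a client error and stops the flow. -->
        <Step>
            <Condition>(request.header.Authorization != null) and (request.queryparam.apikey != null)</Condition>
            <Name>RF-AmbiguousCredentials</Name>
        </Step>
        <!-- Token present: verify it. The token was issued from the client's key,
             so the key check would add nothing. -->
        <Step>
            <Condition>request.header.Authorization != null</Condition>
            <Name>OA-VerifyAccessToken</Name>
        </Step>
        <!-- No token: the API key is mandatory and is verified here. -->
        <Step>
            <Condition>request.header.Authorization = null</Condition>
            <Name>Verify-API-Key-1</Name>
        </Step>
    </Request>
    <Response/>
</PreFlow>

<!-- Fault returned when both credentials are sent. -->
<RaiseFault async="false" continueOnError="false" enabled="true" name="RF-AmbiguousCredentials">
    <FaultResponse>
        <Set>
            <StatusCode>400</StatusCode>
            <ReasonPhrase>Bad Request</ReasonPhrase>
            <Payload contentType="application/json">{"error":"send either an API key or a bearer token, not both"}</Payload>
        </Set>
    </FaultResponse>
</RaiseFault>
```

Because every request falls into exactly one of the three branches, a request with neither credential fails at the Verify-API-Key-1 step rather than slipping through.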