Bypass OAuthV2 for a few consumers

Hello @lawrencenelson
I have a proxy deployed on Apigee Edge and I am using an API key and OAuth v2 with client credentials. I want to mandate these two authorization mechanisms for all consumers except one. So how can I bypass the Verify OAuth policy, so that this consumer can get a success response using only the API key?


Hi @snehaspatil

Please add a custom variable in the developer app for the consumers you need to exclude from OAuth.

Add one custom variable like:

key: RequiredOAuth
value: false

and your Verify API Key policy will populate this custom variable in the proxy execution flow if the request is from a valid client. Then add a condition on the OAuth validation step so it is skipped for these consumers:

<Step>
    <Condition>verifyapikey.Verify-API-Key-1.RequiredOAuth != "false"</Condition>
    <Name>ValidateOAuthToken</Name>
</Step>

Hello @chrismca73
Thanks for your response. Actually we are doing API key validation globally for all proxies, not at proxy level. Do you suggest adding the condition in the PreFlow?

Hello @snehaspatil

Even if you're doing API key validation through Shared Flows or Flow Hooks, this particular condition will still work there. Just make sure you're validating against the correct custom attribute:

verifyapikey.POLICY-NAME.Custom-Attribute-Name

Good luck 🙂

Hello @chrismca73

<OAuthV2 async="false" continueOnError="false" enabled="true" name="Verify-OAuth-Token">
    <Operation>VerifyAccessToken</Operation>
    <DisplayName>Verify OAuth Token</DisplayName>
    <Properties/>
    <Scope>xyz</Scope>
    <ExternalAuthorization>false</ExternalAuthorization>
    <!-- Condition to check if OAuth validation is required -->
    <Condition>verifyapikey.Verify-OAuth-Token.RequiredOAuth != "false"</Condition>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <AssignTo createNew="false" transport="http" type="response"/>
</OAuthV2>

This is how my policy looks. I have added the condition here. It's not working.

Hello @snehaspatil,

Unfortunately you added it in the wrong place. The condition should not be inside your policy; it should be in the proxy PreFlow request:

<PreFlow name="PreFlow">
    <Request>
        <Step>
            <Condition>verifyapikey.Verify-API-Key-1.RequiredOAuth != "false"</Condition>
            <Name>Verify-OAuth-Token</Name>
        </Step>
    </Request>
    <Response/>
</PreFlow>

This will execute the policy conditionally. You can find detailed documentation here.
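To put the accepted answer together end to end, here is an added example (not code from the thread or from Apigee's documentation) of a complete ProxyEndpoint PreFlow: an unconditional VerifyAPIKey step followed by the conditional OAuthV2 step, plus the VerifyAPIKey policy it refers to. The policy names Verify-API-Key-1 and Verify-OAuth-Token, the x-apikey header and the developer-app attribute RequiredOAuth=false on the exempt app are assumptions.

```xml
<!-- Added example (not from the thread): proxies/default.xml PreFlow.
     Assumed names: Verify-API-Key-1 (VerifyAPIKey policy),
     Verify-OAuth-Token (OAuthV2 VerifyAccessToken policy),
     developer-app custom attribute RequiredOAuth=false on the exempt app. -->
<PreFlow name="PreFlow">
    <Request>
        <!-- Step 1: always verify the key. On success the policy exposes the
             calling app's custom attributes as
             verifyapikey.Verify-API-Key-1.<attribute>, which is what makes
             RequiredOAuth readable in the next condition. If key validation
             already runs in a pre-proxy Flow Hook or Shared Flow, drop this
             step but keep that policy's name in the condition below. -->
        <Step>
            <Name>Verify-API-Key-1</Name>
        </Step>
        <!-- Step 2: verify the bearer token only for apps that are not exempt.
             The variable prefix is the VerifyAPIKey policy's name, not the
             OAuth policy's name. An app with no RequiredOAuth attribute leaves
             the variable unresolved, the != comparison is then true, and the
             token is still checked, so the default is fail-closed. -->
        <Step>
            <Condition>verifyapikey.Verify-API-Key-1.RequiredOAuth != "false"</Condition>
            <Name>Verify-OAuth-Token</Name>
        </Step>
    </Request>
    <Response/>
</PreFlow>

<!-- policies/Verify-API-Key-1.xml: reads the key from the x-apikey header
     (header name assumed). -->
<VerifyAPIKey name="Verify-API-Key-1">
    <APIKey ref="request.header.x-apikey"/>
</VerifyAPIKey>
```

Because the exemption lives in the developer app's custom attribute rather than in the proxy, whoever can edit apps can widen it; a trace session on a request from the exempt app should show the variable set to "false" and the Verify-OAuth-Token step skipped, while every other app still hits the token check.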

<Step>
    <Name>OA-VerifyAccessToken</Name>
    <Condition>(request.verb != "OPTIONS") and (verifyapikey.OA-VerifyAccessToken.RequiredOAuth != "false")</Condition>
</Step>

I made the changes in the PreFlow now, but it's not working. Are you sure about this syntax: verifyapikey.OA-VerifyAccessToken.RequiredOAuth != "false"? The OAuth token is going in the header as a bearer token, with key Authorization.

Yes, for me it's working. Have you added the custom attribute in your developer app for this particular consumer?

RequiredOAuth is a custom attribute; try adding it in the developer app. Doc

I have added.

@snehaspatil wrote:

And I want to mandate these two authorization mechanisms for all consumers except one. So how can I bypass the Verify OAuth policy, so that this consumer can get a success response using only the API key?

I think the approach you are following is not correct. It does not make sense to have BOTH API key and OAuth token credentials. Choose one or the other.

Apigee dispenses a token in exchange for client credentials, which include an API key. Therefore the token derives from the key. There is no need to send the key along with the token. The token provides all the information that the key provides, and more.

If you want the flexibility to apply EITHER an API key OR an OAuth token, then you can conditionally check for each one. For example:

  • Check for the presence of the API key header. If present, then VerifyAPIKey.
  • If there is no API key, then execute OAuthV2-VerifyAccessToken. If a key has been passed and a token as well, throw a 400 Bad Request fault.
  • If either fails, then reject (401).
  • If either succeeds, then check a custom attribute on the product, and ensure that the product is enabled for VerifyAPIKey if the request used an API key, or that the product is enabled for token if the request used a bearer token.
  • In no case should a client be forced to pass BOTH a token and a key.
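As an added example (not from the thread or from Apigee), here is one way to express the either/or scheme in those five steps as a ProxyEndpoint PreFlow plus the RaiseFault policy it needs. The x-apikey header name, the policy names, the RaiseFault definitions and the product custom attributes allow_apikey / allow_token are assumptions; so are the flow-variable paths used to read product attributes after each verification policy.

```xml
<!-- Added example (not from the thread): proxies/default.xml PreFlow.
     Assumptions: key arrives in header x-apikey, token in Authorization;
     policies Verify-API-Key-1 (VerifyAPIKey), Verify-OAuth-Token (OAuthV2
     VerifyAccessToken), RF-BothCredentials and RF-ProductNotEnabled (RaiseFault);
     product custom attributes allow_apikey and allow_token. -->
<PreFlow name="PreFlow">
    <Request>
        <!-- Step 1: both credentials present -> 400 before any verification. -->
        <Step>
            <Condition>(request.header.x-apikey != null) and (request.header.Authorization != null)</Condition>
            <Name>RF-BothCredentials</Name>
        </Step>
        <!-- Step 2: key present -> verify it. The policy's own fault is a 401. -->
        <Step>
            <Condition>request.header.x-apikey != null</Condition>
            <Name>Verify-API-Key-1</Name>
        </Step>
        <!-- Step 3: no key -> verify the bearer token instead (401 on failure). -->
        <Step>
            <Condition>request.header.x-apikey = null</Condition>
            <Name>Verify-OAuth-Token</Name>
        </Step>
        <!-- Step 4: product gate, one check per credential type. The comparison
             is against "true", so a product without the attribute (variable
             unresolved) is rejected: fail closed. Variable paths are assumed:
             VerifyAPIKey exposes product attributes under
             verifyapikey.<policy>.apiproduct.<attr>, OAuthV2 under apiproduct.<attr>. -->
        <Step>
            <Condition>(request.header.x-apikey != null) and (verifyapikey.Verify-API-Key-1.apiproduct.allow_apikey != "true")</Condition>
            <Name>RF-ProductNotEnabled</Name>
        </Step>
        <Step>
            <Condition>(request.header.x-apikey = null) and (apiproduct.allow_token != "true")</Condition>
            <Name>RF-ProductNotEnabled</Name>
        </Step>
        <!-- Step 5 is structural: no path above requires both credentials. -->
    </Request>
    <Response/>
</PreFlow>

<!-- policies/RF-BothCredentials.xml: the 400 used in step 1. -->
<RaiseFault name="RF-BothCredentials">
    <FaultResponse>
        <Set>
            <StatusCode>400</StatusCode>
            <ReasonPhrase>Bad Request</ReasonPhrase>
            <Payload contentType="application/json">{"error":"send either an API key or a bearer token, not both"}</Payload>
        </Set>
    </FaultResponse>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</RaiseFault>

<!-- policies/RF-ProductNotEnabled.xml: the 401 used in step 4. -->
<RaiseFault name="RF-ProductNotEnabled">
    <FaultResponse>
        <Set>
            <StatusCode>401</StatusCode>
            <ReasonPhrase>Unauthorized</ReasonPhrase>
            <Payload contentType="application/json">{"error":"product not enabled for this credential type"}</Payload>
        </Set>
    </FaultResponse>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</RaiseFault>
```

Ordering matters: the both-credentials check runs first so that a request carrying a key and a token is rejected before either policy populates any variables, and the product gate runs after verification so that its variables are only ever read for an already-authenticated caller.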

Hello @dchiesa1,
Actually the use case is like this: my proxy has both API key and OAuth v2. All consumers need to be authenticated with both authentication mechanisms. In OAuth I am using client credentials as the grant type and passing the generated token as Bearer in the header. One of the consumers needs to be authenticated with API key only. That is, we need a bypass for that consumer.


@snehaspatil wrote:

Actually the use case is like this: my proxy has both API key and OAuth v2. All consumers need to be authenticated with both authentication mechanisms.

Yes, I understand. And I'm telling you, that approach is not correct. You should use ONE or the OTHER. Use API key OR token, not both. There's no need to use an API key if you have a token; the token is derived from the API key. There's no need to have both!

@snehaspatil wrote:

In OAuth I am using client credentials as the grant type and passing the generated token as Bearer in the header. One of the consumers needs to be authenticated with API key only. That is, we need a bypass for that consumer.

All of that makes sense. For apps that need OAuth, check for the token and validate it. Otherwise check for the API key and verify THAT. You don't need to use both, and it should be an error if both are passed.

Ok, thank you @dchiesa1