CI/CD pipeline proxy deployment using an OAuth token (external IdP)

A machine user can be used in a CI/CD pipeline with generated OAuth/SAML tokens. I have the following questions:

  • 1. Please confirm whether OAuth/SAML tokens will be authenticated and validated at Apigee Edge (SP) or with the external identity provider?
  • 2. Can we validate that machine users authenticate against Enterprise Active Directory using PingFederate for Apigee deployment (claim)? If not, in the documentation I had seen that we need to configure SAML Login/Authenticate URLs.
  • 3. How are the acurl and get_token utilities different from SAML authentication, or internally are all of them using the same OAuth2/SAML?
  • 4. What would be the generated token's expiry time?
  • 5. What would be the expiry time of the machine user's password?
1 ACCEPTED SOLUTION

@venu.july30

Please confirm whether OAuth/SAML tokens will be authenticated and validated at Apigee Edge (SP) or with the external identity provider?

Yes - the machine user will authenticate against Apigee's token endpoint, from which you will get a token. When you use that token to call the Management API, Apigee will verify it against Apigee's token store (auth server).

Can we validate that machine users authenticate against Enterprise Active Directory using PingFederate for Apigee deployment (claim)? If not, in the documentation I had seen that we need to configure SAML Login/Authenticate URLs.

The machine user is created in Apigee's user store (always) but is completely managed by you using the zoneadmin role. If you would like to use a generic user from Ping, then you can generate the token outside and pass that token to your pipeline to deploy the code, just as you would do for a human user.

How are the acurl and get_token utilities different from SAML authentication, or internally are all of them using the same OAuth2/SAML?

Yes - they are. They hit the OAuth endpoint of Apigee and then generate a token. For a human user, you will need to log in to get a passcode (in your browser) and then pass that to the utility to generate a token.

What would be the generated token's expiry time?

I believe it's 12 hours for the access token and 30 days for the refresh token. You can generate the token and then decode the JWT (using jwt.io) to see the iat and exp in the access token and refresh token JWT payloads.

What would be the expiry time of the machine user's password?

I believe it's the same as for a human user.



[Venu]: Here is my understanding of creating a human ID instead of a machine ID to call the Apigee Management API for proxy deployment:

1. When we create the user outside of Apigee, I am sure we need to bring them into Apigee OpenLDAP and assign the respective operational role to perform proxy deployment, etc.

2. We use the token-generation API, calling with the above credentials via Apigee to the external IdP token endpoint, using the credentials with grant_type="password".

I am clear on steps 1 and 2, but how does the token validation take place? Is it performed at Apigee, or do we need to make a call to the external IdP for token validation?

If the token validation takes place at Apigee, do we need to get the public key from the IdP and validate the JWT/access token? Or do we need to make another API call to validate at the external IdP?

Can you correct me if my understanding is wrong?

Thanks,

Venu

The token is generated by Apigee, not your IdP. In the human user flow, you log in to the Apigee UI with SSO and get a passcode, which means Apigee is informed by your IdP about the valid authentication. Now, using the passcode, you can generate the Apigee token and make the Management API call. Since the token is minted by Apigee, Apigee can verify it as well when you invoke any Management API call.

Thank you Sai!

The very first call gets the passcode, followed by the token generation and refresh token flows, right?

Yes - to get the passcode you authenticate against your IdP, which validates your credentials. Then Apigee uses that passcode to mint a token, which Apigee will verify when you invoke the Management API.

If this has answered your questions, I'd appreciate it if you could mark this as "Accept".
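The three token flows discussed in the accepted answer (password grant for a machine user, passcode grant after an SSO login, refresh-token grant) and the passcode-then-token-then-refresh sequence confirmed in the reply above, as an added example that is not part of the original thread and not Apigee's own code. The zone name "myzone" and the sample JWT are assumptions constructed for the example; the token endpoint, the public client id/secret (edgecli:edgeclisecret) and the form bodies follow the Apigee Edge management-API OAuth flow. No network calls are made, so the refresh-scheduling logic can be exercised offline:

```python
"""Added example (not from the original thread): how a CI/CD pipeline obtains,
inspects and refreshes an Apigee Edge management-API token.

  - password grant : machine user credentials, sent to Apigee's token endpoint
  - passcode grant : human SSO user, one-time passcode from the browser login
  - refresh grant  : exchange the refresh token before the access token expires

The JWT used below is constructed locally so the example runs offline.
"""
import base64
import json
import time
from urllib.parse import urlencode

# Assumption: an Apigee Edge public-cloud SAML zone named "myzone".
ZONE = "myzone"
TOKEN_URL = f"https://{ZONE}.login.apigee.com/oauth/token"

# The OAuth client used for management-API tokens is a public client; its
# id/secret (edgecli:edgeclisecret) are published in the Apigee docs.
BASIC_AUTH = "Basic " + base64.b64encode(b"edgecli:edgeclisecret").decode()
TOKEN_HEADERS = {
    "Authorization": BASIC_AUTH,
    "Content-Type": "application/x-www-form-urlencoded",
    "Accept": "application/json;charset=utf-8",
}


def password_grant(username, password):
    """Form body for a machine (or non-SSO human) user. The credentials go to
    Apigee's token endpoint; Apigee, not your IdP, mints the token."""
    return urlencode({"grant_type": "password",
                      "username": username, "password": password})


def passcode_grant(passcode):
    """Form body for a human SSO user: the IdP already authenticated the
    browser session, and the one-time passcode proves that to Apigee."""
    return urlencode({"grant_type": "password", "passcode": passcode})


def refresh_grant(refresh_token):
    """Form body to exchange a refresh token for a new access token."""
    return urlencode({"grant_type": "refresh_token",
                      "refresh_token": refresh_token})


def mgmt_headers(access_token):
    """Headers for a Management API call; Apigee verifies this bearer token
    against its own token store when the request arrives."""
    return {"Authorization": f"Bearer {access_token}"}


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature. The pipeline is
    only the token holder and uses the claims to schedule refreshes; the trust
    decision is Apigee's, made when the token hits the Management API."""
    _header, payload, _signature = token.split(".", 2)
    return json.loads(_b64url_decode(payload))


def seconds_remaining(token, now=None):
    now = time.time() if now is None else now
    return jwt_claims(token)["exp"] - now


def needs_refresh(token, now=None, margin=300):
    """True when the access token expires within `margin` seconds, i.e. the
    pipeline should run the refresh grant before deploying."""
    return seconds_remaining(token, now) < margin


def make_sample_token(iat, lifetime):
    """Constructed, unsigned JWT with Apigee-style iat/exp claims, used only
    so the example runs offline. A real token carries a valid signature."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "RS256", "typ": "JWT"}
    payload = {"iat": iat, "exp": iat + lifetime, "user_name": "ci-deployer"}
    return f"{enc(header)}.{enc(payload)}.constructed-signature"


if __name__ == "__main__":
    now = int(time.time())
    # Lifetimes from the answer: 12 h access token, 30 day refresh token.
    access = make_sample_token(now - 11 * 3600, 12 * 3600)
    refresh = make_sample_token(now, 30 * 24 * 3600)
    print("POST", TOKEN_URL, password_grant("ci-deployer", "<secret>"))
    print("access token seconds left:", int(seconds_remaining(access, now)))
    if needs_refresh(access, now, margin=2 * 3600):
        print("POST", TOKEN_URL, refresh_grant("<refresh token>"))
    print("refresh token claims:", jwt_claims(refresh))
```

In a real pipeline the form bodies are POSTed to TOKEN_URL with TOKEN_HEADERS, and the `access_token` / `refresh_token` fields of the JSON response feed `mgmt_headers` and `refresh_grant`. Keeping the refresh margin generous (hours, not seconds) avoids a deployment failing mid-run on an access token that expires between the first and last Management API call.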

Thank you Sai!

If this has answered all your questions, can you please click the "Accept" link?