Finding Developers in JavaScript Policy

Not applicable

We are migrating our users to Apigee-fronted endpoints. In the current version of the API, the clients use Basic Authorization with a username:password. We want to continue allowing this authentication method, but we also want to have an OAuth token, AND still be able to track metrics via both methods. For example, we want clients using Basic to be tracked under their Apigee Developer App just like if they used the OAuth token approach.

For clients using OAuth tokens, we are adding custom variables to their Developer record with their old-style username and password, and then converting the request to Basic Auth before it's sent to the backend.

But for old-style authentication users, I want to also do the reverse, basically get their Developer App Key by looking for their username in the custom variables of developer apps (there aren't that many to look through).

Is this possible? Is it possible in a proxy / JavaScript file to get a list of the developer apps in an org and then page through them? I don't want to use service callouts to the Apigee APIs for this.

Alternatively, I could change the developer keys to be their username, and then just use Verify API Key policy with the decoded Basic username, but it's not my favorite solution for a variety of future-proofing reasons.

Thx!

4 REPLIES

Is this possible? Yes.... Is it possible in a proxy to get a list of the developer apps without calling the management APIs? I don't think there's a way to do that. But maybe you don't need to do that. You say there aren't that many to look through - would the key-value map be an acceptable solution? http://apigee.com/docs/api-services/reference/key-value-map-operations-policy

Not applicable

Thanks, that's kinda what I figured. I haven't played with the Key-Value Maps too much, and can explore that. For now I may have to go with swapping the Apigee-generated key&secret with our username&password, so they can use the same creds to get a token or use Basic Auth.

Might be a nice way to go. This is one of those things that probably has half-a-dozen solutions. You could move the custom variables into just the key-value store so there's only one spot, or if the credentials really are credentials and you want to secure them better, use the vault, or modify the client_id & secret as you say, etc. When you settle on a solution you like, would you share? I'd like to know what you decide to do.

adas
New Member

@jeofoyster The suggested approach should work but keep in mind that you would not get analytics on developer apps, developers, keys etc. if you were to use the key-value map approach. As far as the proxy runtime behaviour is concerned, that should work fine.
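
The lookup discussed in this thread (decoded Basic username to developer app key), as an added example that is not from any of the posts above or from Apigee's own code. The names `parseBasicAuth`, `resolveAppKey` and `USER_TO_APP_KEY` and the sample keys are constructed; `Buffer` is Node.js, so inside an Apigee JavaScript policy the header would be read with `context.getVariable('request.header.Authorization')` and a base64 decoder supplied separately.

```javascript
// Constructed sample data standing in for a key-value map of
// legacy username -> developer app key (values are placeholders).
const USER_TO_APP_KEY = new Map([
  ['legacy-user-1', 'SAMPLE-APP-KEY-0001'],
  ['legacy-user-2', 'SAMPLE-APP-KEY-0002'],
]);

// Parse "Basic <base64(username:password)>" strictly.
// Returns { username, password }, or null when the header is malformed.
function parseBasicAuth(header) {
  if (typeof header !== 'string') return null;
  // Scheme name is case-insensitive; the payload must be well-formed base64.
  const m = /^Basic +([A-Za-z0-9+/]+={0,2})$/i.exec(header.trim());
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  // Split on the FIRST colon only: the password itself may contain ':'.
  const sep = decoded.indexOf(':');
  if (sep <= 0) return null; // no colon at all, or an empty username
  return {
    username: decoded.slice(0, sep),
    password: decoded.slice(sep + 1),
  };
}

// Resolve the app key for a request. null means the request should be
// rejected at the proxy instead of being forwarded to the backend.
function resolveAppKey(header, lookup) {
  const creds = parseBasicAuth(header);
  if (!creds) return null;
  // Exact-match lookup on the username. The password is not checked here:
  // in the setup described above the backend still validates Basic auth,
  // so the header must be forwarded unchanged and never written to logs.
  return lookup.has(creds.username) ? lookup.get(creds.username) : null;
}
```

The returned key is what a later step in the flow (for example the Verify API Key approach mentioned in the question) would consume; a `null` result covers non-Basic schemes, malformed base64, a missing colon and unknown usernames.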