How to call Apigee management API | Hybrid

Hi,

Could anyone please share any good documentation with authentication steps to call the Apigee Hybrid management API.

I have a service account key. Looking for the following.

Create JWT - with example

Create OAuth token using JWT - with example

Pass OAuth token to edge API


Best Regards,

Patty

1 ACCEPTED SOLUTION

1- Can we pass the JWT itself as a bearer token, or do we have to call the oauth2 token endpoint to get an access token?

No, the self-signed JWT is not a bearer token. Maybe this is a helpful way to think about it: the JWT is an alternative to "client credentials" in an OAuth grant. You send the JWT to the oauth token dispensing endpoint (this is described in RFC 7523), instead of "normal" (RFC 6749) client credentials, which is just a Basic Auth header encoding the consumer ID and Secret. What you get back from Google's oauth endpoint is an opaque access token. You need to use the opaque access token as a bearer token when sending in requests to the API endpoint apigee.googleapis.com.

For more information on using self-signed JWT to get access tokens, please see this older discussion.

2 - What should be the scope while generating the JWT? We need an admin role for operation activity.

The scope should be https://www.googleapis.com/auth/cloud-platform. Then rely on the ROLES attached to the service account to restrict access. A role might be Apigee Organization Admin (roles/apigee.admin), or some more restricted role, like Apigee API Admin (roles/apigee.apiAdminV2) or Apigee API Reader (roles/apigee.apiReaderV2). Or some custom role that you define. Find the list of "built in" Apigee roles and their associated permissions here: https://cloud.google.com/iam/docs/understanding-roles#apigee-roles

BTW, to find that "cloud-platform" scope value, I just looked in the discovery document for the Apigee API. There really is just one scope for Apigee. For some APIs, there are different scopes supported, for restricting the token to be usable for narrower operations than the roles on the account allow. But Apigee doesn't use scopes for that purpose.

Any reference API (Library) to generate JWT and get access token?

The documentation for the Apigee APIs says

To call this service, we recommend that you use the Google-provided client libraries.

If that's not suitable, then, you can google around for other options. (Example1 for bash) What language are you using? Here's an example for Java.



Hey,

It sounds like you have a variety of desires. I'll try to help.

any good documentation with authentication steps to call the Apigee Hybrid management API.

Some documentation links.

  • Getting started with the Apigee API - The Apigee API is what you use to perform "administrative operations" on Apigee. Things like, importing proxies, exporting proxies, creating or querying API products, modifying quotas on API products, exporting analytics reports, and so on. This API is what is behind the Apigee management UI. This document describes more details, including how to get started.
  • Apigee API Reference - this is the reference documentation for the Apigee API. This is a REST API, and the endpoint is https://apigee.googleapis.com
  • Authentication to Google Cloud APIs - The Apigee API is just one of a large variety of APIs exposed by Google Cloud. There are APIs for managing and configuring Apigee, as well as BigQuery, Cloud Storage, Cloud networking, Logging, Pub/Sub, and so on. All of them use the same authentication model and mechanism: OAuth2. The common grant types are authorization_code and jwt-bearer (which is sort of a replacement of client credentials). Details on how to do these things are at the link I referenced here. You can get an appropriate oauth token using the gcloud command line tool. If you don't wish to use that, you can do the equivalent in a program; I recently provided a description of how to do that in a community post, find it here.

Create JWT - with example

Create OAuth token using JWT - with example

I think here you are referring to getting an OAuth token using a service account key and the jwt-bearer grant type. Here is a good gist for doing that from bash. You can also get an access_token based on a service account credentials file, with the gcloud command line tool. The magic invocation is:

$ export GOOGLE_APPLICATION_CREDENTIALS=/path/to/service-account-credentials-file.json
$ gcloud auth application-default print-access-token

Pass OAuth token to edge API

The resulting token is just a Bearer token. So you would pass it in the Authorization header, with a Bearer prefix, according to the standard OAuth recommendations.

Hi Dino,

Thank you for the detailed reply. I will be more precise on the use case. Requesting your insight on the below.

Here is the use case:

I have received a service account key. Using the service account key, I generated a token using the gcloud console. I passed this token as a bearer token to call the management API from Postman. This worked perfectly fine.

Now I have to make this work programmatically from client code which is running outside GCP. I randomly searched a few blogs on how to do it, but it is not clear. Could you please help me with how to achieve this programmatically?

Adding to this, a couple more questions:

1- Can we pass the JWT itself as a bearer token, or do we have to call the oauth2 token endpoint to get an access token?

2 - What should be the scope while generating the JWT? We need an admin role for operation activity. Any reference API (library) to generate the JWT and get the access token?


Best Regards,

Patty
