How to implement both OAuth & apikeyverify policy in Apigee?

I have a requirement to implement both OAuth & apikeyverification policy. In the request we might get only client creds for OAuth or only an apikey. In this case, if OAuth succeeds then the apikeyverify policy should not be triggered, and vice versa.

Any suggestions?

2 REPLIES

The VerifyApiKey policy needs the location of the key specified (in a header or in a query param). So you will need a condition check for the existence of the key variable based on your implementation (where you want the client to send in the apikey). If the condition resolves to true, the VerifyApiKey policy will be executed. For OAuth you will have the VerifyAccessToken policy; for this Step you will have the condition that is the negation of the condition used for the VerifyApiKey policy.

Example: Let's assume you need the apikey to be sent in the query param "apikey". So in the PreFlow you will have the VerifyApiKey and VerifyAccessToken policies as below.

<PreFlow name="PreFlow">
  <Request>
    <Step>
      <Name>Verify-API-Key</Name>
      <Condition>request.queryparam.apikey != null</Condition>
    </Step>
    <Step>
      <Name>Verify-Access-Token</Name>
      <Condition>request.queryparam.apikey == null</Condition>
    </Step>
  </Request>
</PreFlow>

Hope this helps.
Thanks.
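
The policy definitions that the two Step names in the reply above would refer to, as an added example that is not part of the original post. The policy names match the Steps shown, reading the key from the `apikey` query param follows the reply's assumption, and each element goes in its own policy file.

```xml
<!-- Policy file 1: Verify-API-Key (added example, not from the original post).
     APIKey ref names the location of the key; it must match the variable
     tested in the Step condition (request.queryparam.apikey). -->
<VerifyAPIKey async="false" continueOnError="false" enabled="true" name="Verify-API-Key">
  <DisplayName>Verify-API-Key</DisplayName>
  <!-- continueOnError="false": an invalid or revoked key raises a fault and
       the request is rejected instead of continuing down the flow. -->
  <APIKey ref="request.queryparam.apikey"/>
</VerifyAPIKey>

<!-- Policy file 2: Verify-Access-Token (added example, not from the original post).
     With no AccessToken element, the policy reads the bearer token from the
     Authorization request header. -->
<OAuthV2 async="false" continueOnError="false" enabled="true" name="Verify-Access-Token">
  <DisplayName>Verify-Access-Token</DisplayName>
  <Operation>VerifyAccessToken</Operation>
</OAuthV2>
```

With the two Step conditions shown above, a request that carries neither credential still reaches Verify-Access-Token and is rejected there, so exactly one of the two checks always runs.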

 

After the VerifyApiKey policy executes, flow variables are set. So in the Step for the VerifyAccessToken policy, a condition check for the existence of those flow variables can be used to skip the execution of this policy.

Thanks.