Is it possible to limit the amount of access tokens an app can generate?


As in the title, I would like to know if it is possible to limit the number of access tokens an app can generate.

1 REPLY

Yes, it is possible.

One way to do this is to enforce a quota on the token-issuance endpoint. For the identifier of the Quota policy, use the client id (or even just the base64 blob containing client id and secret).

Let's look at a working flow in Apigee Edge that can be used to generate access tokens for client_credentials (the simplest case):

<Flow name='OAuth2.0 token dispenser'>
  <Description>dispense tokens for OAuth2.0, for Client credentials</Description>
  <!--
      An example request is like this:


      curl -i -X POST -H 'content-type: application/x-www-form-urlencoded' \
        -u ${client_id}:${client_secret} \
        'https://ORG-ENV.apigee.net/v1/oauth2-pwd-cc/token'\
        -d 'grant_type=client_credentials'


      The resulting token will have an expiry. 


  -->
  <Request>
    <Step>
      <!-- basic validation of the inbound request. Is it well formed? -->
      <Name>RF-InvalidGrantType</Name>
      <Condition>(request.formparam.grant_type != "client_credentials")</Condition>
    </Step>
    <Step>
      <!-- this policy returns a payload immediately -->
      <Name>OAuthV2-GenerateAccessToken-CC</Name>
    </Step>
  </Request>


  <Response/>


  <Condition>(proxy.pathsuffix MatchesPath "/token") and (request.verb = "POST")</Condition>
</Flow>

If you want to restrict the issuance of new tokens, you can insert a Quota policy just before the OAuthV2-GenerateAccessToken.

It might be configured like this:

<Quota name="Quota-1" type="calendar">
    <!-- at most 10 token requests per identifier per 1-minute window -->
    <Allow count="10"/>
    <Interval>1</Interval>
    <TimeUnit>minute</TimeUnit>
    <!-- required for type="calendar": the instant the windows are aligned to.
         The value is arbitrary; any timestamp in the past (UTC) will do. -->
    <StartTime>2019-01-01 00:00:00</StartTime>
    <!-- one counter per Authorization header value, i.e. per base64(client_id:client_secret) -->
    <Identifier ref="request.header.authorization"/>
    <Distributed>true</Distributed>
    <Synchronous>false</Synchronous>
</Quota>

And the flow would look like:

<Flow name='OAuth2.0 token dispenser'>
  <Description>dispense tokens for OAuth2.0, for Client credentials</Description>
  <Request>
    <Step>
      <Name>RF-InvalidGrantType</Name>
      <Condition>(request.formparam.grant_type != "client_credentials")</Condition>
    </Step>
    <Step>
      <!-- enforce the per-client quota before any token is minted -->
      <Name>Quota-1</Name>
    </Step>
    <Step>
      <!-- this policy returns a payload immediately -->
      <Name>OAuthV2-GenerateAccessToken-CC</Name>
    </Step>
  </Request>

  <Response/>

  <Condition>(proxy.pathsuffix MatchesPath "/token") and (request.verb = "POST")</Condition>
</Flow>


If this is not clear, let me know and I can explain in further detail.
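As an added example (not part of the answer above and not Apigee's own code), the following Python models the token-dispenser flow the answer describes: the grant_type check, a fixed-window ("calendar") quota keyed on the client, and then token issuance. It keys the counter on the client_id decoded from the Basic Authorization header, which is the first option the answer mentions; the names, the 10-per-minute numbers taken from the Quota policy, the 3600-second token TTL and the placeholder token format are assumptions made for the model.

```python
import base64


# Constructed model of the answer's design: a fixed-window ("calendar") quota
# per client, enforced before the token is minted. Not Apigee's code.
ALLOW_COUNT = 10          # <Allow count="10"/>
WINDOW_SECONDS = 60       # <Interval>1</Interval> <TimeUnit>minute</TimeUnit>
TOKEN_TTL_SECONDS = 3600  # assumed expiry of an issued token


def basic_auth_header(client_id, client_secret):
    """Build the Authorization header value that `curl -u id:secret` sends."""
    blob = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return "Basic " + blob


def client_id_from_basic_auth(authorization):
    """Return the client_id carried in an HTTP Basic Authorization header, or None.

    Keying the quota on the decoded client_id rather than the raw header string
    gives one counter per app even if the secret is rotated or re-encoded.
    """
    if not authorization:
        return None
    scheme, _, blob = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    client_id, sep, _secret = decoded.partition(":")
    return client_id if sep and client_id else None


class CalendarQuota:
    """Fixed-window counter per identifier, like Apigee's Quota type="calendar"."""

    def __init__(self, allow=ALLOW_COUNT, window_seconds=WINDOW_SECONDS, start_time=0.0):
        self.allow = allow
        self.window = window_seconds
        self.start = start_time   # <StartTime>: windows are aligned to this instant
        self._counts = {}         # identifier -> (window_index, count)

    def _window_index(self, now):
        return int((now - self.start) // self.window)

    def consume(self, identifier, now):
        """Count one request for identifier; True if allowed, False if over quota."""
        idx = self._window_index(now)
        win, count = self._counts.get(identifier, (idx, 0))
        if win != idx:            # a new window has started: the counter resets
            count = 0
        if count >= self.allow:
            self._counts[identifier] = (idx, count)
            return False
        self._counts[identifier] = (idx, count + 1)
        return True


class TokenDispenser:
    """Models the /token flow: grant_type check, Quota-1, then mint the token."""

    def __init__(self, quota):
        self.quota = quota
        self.issued = 0

    def handle(self, headers, form, now):
        """Return (http_status, body) for one POST /token request."""
        # RF-InvalidGrantType: reject malformed requests before touching the quota
        if form.get("grant_type") != "client_credentials":
            return 400, {"error": "unsupported_grant_type"}
        client_id = client_id_from_basic_auth(headers.get("authorization"))
        if client_id is None:
            # Fail closed: an unidentifiable caller must not fall into a shared bucket.
            return 401, {"error": "invalid_client"}
        # Quota-1: every attempt by this client counts, whether or not it succeeds
        if not self.quota.consume(client_id, now):
            return 429, {"error": "quota_violation"}
        # OAuthV2-GenerateAccessToken-CC would verify the secret and mint the token
        # here; the token value below is a placeholder, not a real Apigee token.
        self.issued += 1
        return 200, {"access_token": f"tok-{client_id}-{self.issued}",
                     "token_type": "Bearer", "expires_in": TOKEN_TTL_SECONDS}


def burst(dispenser, client_id, secret, n, now):
    """Send n token requests as one client at time `now`; return the HTTP statuses."""
    headers = {"authorization": basic_auth_header(client_id, secret)}
    form = {"grant_type": "client_credentials"}
    return [dispenser.handle(headers, form, now)[0] for _ in range(n)]


if __name__ == "__main__":
    d = TokenDispenser(CalendarQuota())
    print(burst(d, "app-a", "s3cret", 11, now=1.0))  # ten 200s, then a 429
    print(burst(d, "app-a", "s3cret", 1, now=61.0))  # next window: 200 again
```

Two points the model makes visible. First, the choice of identifier is a trade-off: because the quota runs before the credentials are verified, keying on the decoded client_id (as here) lets anyone who knows a public client_id burn that app's quota without the secret, whereas keying on the raw Authorization header (as in the Quota policy above) ties the bucket to the exact credential blob, so a caller without the secret lands in a different bucket. Second, the quota limits the issuance rate, not the number of live tokens: with 10 per minute and an assumed 3600-second expiry, an app can still hold up to 600 valid tokens at once.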