As the title says, I would like to know whether it is possible to limit the number of access tokens an app can generate?
Yes, it is possible.
One way to do this is to enforce a quota on the token-issuance endpoint. For the identifier of the Quota policy, use the client id. (Or even just the base64 blob containing client id and secret.)
Let's look at a working flow in Apigee Edge that can be used to generate access tokens for client_credentials (the simplest case):
<Flow name='OAuth2.0 token dispenser'>
  <Description>dispense tokens for OAuth2.0, for Client credentials</Description>
  <!--
    An example request is like this:

      curl -i -X POST -H 'content-type: application/x-www-form-urlencoded' \
        -u ${client_id}:${client_secret} \
        'https://ORG-ENV.apigee.net/v1/oauth2-pwd-cc/token' \
        -d 'grant_type=client_credentials'

    The resulting token will have an expiry.
  -->
  <Request>
    <Step>
      <!-- basic validation of the inbound request. Is it well formed? -->
      <Name>RF-InvalidGrantType</Name>
      <Condition>(request.formparam.grant_type != "client_credentials")</Condition>
    </Step>
    <Step>
      <!-- this policy returns a payload immediately -->
      <Name>OAuthV2-GenerateAccessToken-CC</Name>
    </Step>
  </Request>
  <Response/>
  <Condition>(proxy.pathsuffix MatchesPath "/token") and (request.verb = "POST")</Condition>
</Flow>
If you want to restrict the issuance of new tokens, you can insert a Quota policy just before the OAuthV2-GenerateAccessToken step.
It might be configured like this:
<Quota name="Quota-1" type="calendar">
  <!-- at most 10 token requests per minute, counted per Authorization header value (i.e. per client id + secret pair) -->
  <Allow count="10"/>
  <Interval>1</Interval>
  <TimeUnit>minute</TimeUnit>
  <!-- type="calendar" requires a StartTime; the date below is a constructed value, not part of the original answer. Any fixed past date works. -->
  <StartTime>2019-01-01 00:00:00</StartTime>
  <Identifier ref="request.header.authorization"/>
  <!-- share the counter across message processors; asynchronous updates trade some accuracy for lower latency -->
  <Distributed>true</Distributed>
  <Synchronous>false</Synchronous>
</Quota>
And the flow would look like:
<Flow name='OAuth2.0 token dispenser'>
  <Description>dispense tokens for OAuth2.0, for Client credentials</Description>
  <Request>
    <Step>
      <Name>RF-InvalidGrantType</Name>
      <Condition>(request.formparam.grant_type != "client_credentials")</Condition>
    </Step>
    <Step>
      <!-- the quota runs before any token is minted, so requests over the limit never reach the OAuthV2 policy -->
      <Name>Quota-1</Name>
    </Step>
    <Step>
      <!-- this policy returns a payload immediately -->
      <Name>OAuthV2-GenerateAccessToken-CC</Name>
    </Step>
  </Request>
  <Response/>
  <Condition>(proxy.pathsuffix MatchesPath "/token") and (request.verb = "POST")</Condition>
</Flow>
If this is not clear, let me know and I can explain in further detail.
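As an added example (not part of the answer above), the same quota can be keyed on the decoded client_id instead of the raw Authorization header, using Apigee Edge's BasicAuthentication policy in Decode mode, with a fault rule that turns the Quota policy's QuotaViolation fault into an HTTP 429 response; the policy and flow names (BA-DecodeClientCredentials, Quota-TokenIssuance, RF-TokenQuotaExceeded) are assumptions, and each policy element would normally live in its own file under apiproxy/policies.

```xml
<!-- Policy 1 (assumed name): decode "Basic base64(client_id:client_secret)" into flow variables -->
<BasicAuthentication name="BA-DecodeClientCredentials">
  <Operation>Decode</Operation>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <User ref="client_id"/>
  <Password ref="client_secret"/>
  <Source>request.header.authorization</Source>
</BasicAuthentication>

<!-- Policy 2 (assumed name): at most 10 token requests per client_id in any 1-minute rolling window.
     Keying on client_id (not the whole header) means repeated attempts with a wrong secret for a
     known client id are throttled too. Synchronous updates keep the distributed counter exact. -->
<Quota name="Quota-TokenIssuance" type="rollingwindow">
  <Allow count="10"/>
  <Interval>1</Interval>
  <TimeUnit>minute</TimeUnit>
  <Identifier ref="client_id"/>
  <Distributed>true</Distributed>
  <Synchronous>true</Synchronous>
</Quota>

<!-- Policy 3 (assumed name): response returned once the quota is exceeded -->
<RaiseFault name="RF-TokenQuotaExceeded">
  <FaultResponse>
    <Set>
      <StatusCode>429</StatusCode>
      <ReasonPhrase>Too Many Requests</ReasonPhrase>
      <Headers><Header name="Retry-After">60</Header></Headers>
      <Payload contentType="application/json">{"error":"too_many_token_requests"}</Payload>
    </Set>
  </FaultResponse>
</RaiseFault>

<!-- In the ProxyEndpoint: decode, then count, then mint; map the quota fault to the 429 response -->
<Flow name="OAuth2.0 token dispenser">
  <Request>
    <Step><Name>RF-InvalidGrantType</Name><Condition>(request.formparam.grant_type != "client_credentials")</Condition></Step>
    <Step><Name>BA-DecodeClientCredentials</Name></Step>
    <Step><Name>Quota-TokenIssuance</Name></Step>
    <Step><Name>OAuthV2-GenerateAccessToken-CC</Name></Step>
  </Request>
  <Response/>
  <Condition>(proxy.pathsuffix MatchesPath "/token") and (request.verb = "POST")</Condition>
</Flow>
<FaultRules>
  <FaultRule name="quota-exceeded">
    <Step><Name>RF-TokenQuotaExceeded</Name></Step>
    <Condition>(fault.name = "QuotaViolation")</Condition>
  </FaultRule>
</FaultRules>
```

Because the quota step runs before OAuthV2-GenerateAccessToken-CC, a client that exceeds the limit never has a token minted, and the 429 with Retry-After tells well-behaved clients when to retry.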