Is there any way to configure requests coming from one user or multiple users?

Hi everyone,


I was searching but couldn't find any related information. Is there any way to figure out whether requests coming to the proxy are coming from one user or multiple users? For example, I have one public API key and I have received 10 requests. I want to know if those 10 requests were triggered by 1 person sending 10 requests or by 10 people sending 1 request.


Thank you for your help.

ACCEPTED SOLUTION

Ah ok

Have you considered using a sign-in widget for the users that supports (Google, GitHub, etc.) and accepts OpenID Connect, and then having the app send the authenticated ID token to the Apigee proxy?


Or if that is impractical, maybe consider provisioning one API key per user? Normally the Apigee-provisioned API Key corresponds to an App, not a user. But if you stretch the concept a bit, you could apply the API Key to a user.
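The ID-token approach from the answer above, as an added example (not part of the original post and not Apigee code): verify each request's OpenID Connect ID token, then count requests per API key by the token's issuer and subject. The key pair, `mintIdToken`, and the issuer and audience values used with it are constructed for the demo; a real deployment would verify against the identity provider's published keys.

```javascript
const crypto = require('crypto');

// Constructed key pair standing in for the identity provider's signing key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

const b64u = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

// Demo helper (hypothetical): mint an RS256 ID token. In production the identity provider does this.
function mintIdToken(claims, key = privateKey) {
  const signingInput = b64u({ alg: 'RS256', typ: 'JWT' }) + '.' + b64u(claims);
  const sig = crypto.sign('RSA-SHA256', Buffer.from(signingInput), key).toString('base64url');
  return signingInput + '.' + sig;
}

// Return a stable user id (issuer|subject), or null if the token cannot be trusted.
function verifiedUser(token, key, expectedIss, expectedAud, nowSec) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url'));
    claims = JSON.parse(Buffer.from(parts[1], 'base64url'));
  } catch { return null; }
  if (header.alg !== 'RS256') return null; // pin the algorithm, never trust the header's choice
  const ok = crypto.verify('RSA-SHA256', Buffer.from(parts[0] + '.' + parts[1]), key,
                           Buffer.from(parts[2], 'base64url'));
  if (!ok || claims.iss !== expectedIss || claims.aud !== expectedAud) return null;
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec || !claims.sub) return null;
  return claims.iss + '|' + claims.sub;
}

// Tally requests per API key and per verified user; anything unverifiable is
// grouped under 'unverified' so it cannot be attributed to a real user.
function usagePerUser(requests, key, iss, aud, nowSec) {
  const tally = {};
  for (const { apiKey, idToken } of requests) {
    const user = verifiedUser(idToken, key, iss, aud, nowSec) || 'unverified';
    tally[apiKey] = tally[apiKey] || {};
    tally[apiKey][user] = (tally[apiKey][user] || 0) + 1;
  }
  return tally;
}
```

For one API key, a single entry with a count of 10 means one user sent 10 requests, while ten entries with a count of 1 each means ten users sent one request each.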

 


3 REPLIES

Well sure, there's a way to do it. But you'd need to examine the API requests coming in, to find something that distinguishes requests by user. Apigee itself can't do that alone. If the user is "logged in", or authenticated, then the thing that distinguishes requests is the token or credential the user sends in. If the user is not authenticated, then... not really. You could try to use a device fingerprint, but... that seems not likely to succeed.

What are you really trying to do? 

From time to time I get an oddball question like this, and the thought I always get is: what sort of API Management problem are you confronting, that requires you to solve this particular technical problem?  Maybe you could explain a little more?

 

For the API key that I have offered for free for now, I may try to contact people who are abusing the use of the API key too much, or I may want to get them/offer to premium users. If I were to give an example, I can give the trial products in the markets: if the same person comes and uses the trial products all the time, the market will no longer want to give the trial product to that person. My aim is that I do not want the API key, which I offer free of charge, almost the same as the market example here, to be used unlimitedly by the same single person.

I hope I explained myself. I thought about tracing the IP of a user but I guess that is insufficient if the user uses a VPN.
