Is there a way to consume an API proxy with registering to a Dev App?

I have a requirement to know if there is a way of accessing an API proxy but without it being added to a product/App.

But still needs some kind of authentication (like Basic Auth? or some external auth)

Is there a possibility to do it?
If yes, can somebody please help?

1 REPLY

Sure, you can expose API proxies without including them in an API Product.

What good is an API Product? The API Product provides you the ability to do the Product authorization check - with VerifyAPIKey, or OAuthV2/VerifyAccessToken. The Apigee policy will then check if the provided key, or token, is good for the given API proxy. It does this by checking:

  • Is this a known-good token or key? Known-good means issued by Apigee and not expired, etc.
  • If so, what is the list of API Products (usually there is just 1) for which that key or token is valid?
  • And do any of the API Products in the list include the currently executing API Proxy?
  • If the answers are YES all the way through that logic, then the key or token is good and execution can proceed.
  • If any of the answers are NO, then the key or token is rejected as unauthorized.

OK, now imagine trying to check a key or token in a system that did not use the API product concept. The system could check for a known-good token or key. And then what? Any token can execute any API? I mean it's sort of limited, isn't it?

You can "roll your own" authorization checks in Apigee of course. For example, if you don't want to include APIKey or OAuthV2 token authorization in your API Proxies, if you just wanted to perform username/password checking (HTTP Basic auth), then you could design your API proxy to:

  • retrieve the HTTP Basic Authorization header
  • decode it and extract the username + password
  • check that username and password against a known list
  • if the user is valid and the password is good, verify that THIS particular request is authorized.

All that is possible, but ... the last two steps are something you'd have to custom code. Where do you keep the "known list" of users, and how do you check them? How do you check that the user is authorized to invoke the currently executing proxy? These are not _difficult_ technical challenges, but they both are things you would need to implement yourself. There's no "API Product" concept here to help you. (You'd be "rolling your own" API product essentially).

The other thing you miss by not exploiting the built-in API Product concept is API Product analytics. 

OK that's all I have to say about that. I hope this information helps you.
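The four hand-rolled steps listed in the reply, sketched as an added example (not part of the original reply and not Apigee policy code). It is plain Node.js showing the logic only; the user list, proxy names and function names are constructed assumptions, and in a real proxy the header and the executing proxy's name would come from the request.

```javascript
const crypto = require('crypto');

// Constructed sample data: the "known list" of users. Passwords are kept as
// salted scrypt hashes, and each user carries the set of proxies it may
// invoke (the hand-rolled stand-in for an API Product).
function makeUser(password, proxies) {
  const salt = crypto.randomBytes(16);
  const hash = crypto.scryptSync(password, salt, 32);
  return { salt, hash, proxies: new Set(proxies) };
}
const USERS = new Map([
  ['alice', makeUser('correct horse', ['orders-v1', 'inventory-v1'])],
  ['bob', makeUser('s3cret:with:colons', ['inventory-v1'])],
]);
// Hashed against when the user is unknown, so both paths do the same work.
const DUMMY = makeUser('unused', []);

// Steps 1-2: parse "Basic <base64(user:pass)>". Returns null if malformed.
function parseBasic(header) {
  const m = /^Basic +([A-Za-z0-9+/]+=*)$/i.exec(header || '');
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const i = decoded.indexOf(':'); // only the FIRST colon separates the fields
  if (i < 1) return null;         // no colon, or empty username
  return { user: decoded.slice(0, i), pass: decoded.slice(i + 1) };
}

// Steps 3-4: returns the HTTP status the proxy should answer with.
//   401 = bad or missing credentials
//   403 = valid user, but not allowed to call this proxy
//   200 = authenticated and authorized
function authorize(header, proxyName) {
  const creds = parseBasic(header);
  if (!creds) return 401;
  const rec = USERS.get(creds.user) || DUMMY;
  const candidate = crypto.scryptSync(creds.pass, rec.salt, 32);
  // Constant-time comparison; the dummy record never authenticates.
  const ok = crypto.timingSafeEqual(candidate, rec.hash) && rec !== DUMMY;
  if (!ok) return 401;
  return rec.proxies.has(proxyName) ? 200 : 403;
}
```

Answering 401 for a failed login and 403 for a valid user on the wrong proxy keeps the two checks from the reply (is the user good, is THIS request authorized) distinct in logs.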