I am not able to restrict developer apps from accessing my APIs. Please help.
My product setup:
- Resource Path: /customers/*
- API Proxy: DemoProxy
- Developer Apps: MyApp
Now I am using the client_id and client_secret for MyApp (from the Developer App Details page) to access the following URLs:
From my understanding, the current setup that I have should have allowed MyApp to access only #2 above. But in my case I am able to access all 3.
Note: I do have verify API key enabled on DemoProxy.
What am I missing here?
I tried your scenario and it worked for me. I have access only to #2, and it gives the following error for #1 and #3:
{ "fault": { "faultstring": "Invalid ApiKey for given resource", "detail": { "errorcode": "oauth.v2.InvalidApiKeyForGivenResource" } } }
Attached are the screenshots for product configuration and all 3 results.
I created a sample proxy with the basepath '/v1/demoproxy' and set up the resource path as '/customers/*' in the API Product, similar to what you described.
I made the API calls as per your example and found that I got a successful response only for the following paths:
/v1/demoproxy/customers/123
/v1/demoproxy/customers/123/
I got a 401 Unauthorized error for the following paths:
/v1/demoproxy/customers
/v1/demoproxy/customers/
/v1/demoproxy/customers/123/accounts
This is the expected behaviour. Please refer to this doc for more information on the behaviour of APIs based on the resource path set to '/', '/*', or '/**'.
Considering that you are seeing a different behaviour, I suspect there must be some difference in the settings or the way the API calls are made. Can you please recheck the paths used at your end? If you still have any issues, please share the trace file or org and API proxy names. I can investigate the issue and get back to you.
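The path results reported in the answer above can be reproduced with a small matcher. This is an added example, not part of the original thread and not Apigee's own code; the function names are hypothetical. The thread only names '/' and '/**', so the example assumes that '/' covers the base path plus every sub-path and that '/**' covers one or more levels below the base path.

```python
# Simplified model of API product resource-path matching (illustrative only).

def _segments(path):
    # Empty segments are dropped, so one trailing slash does not add a level.
    return [s for s in path.split("/") if s]

def _match(pattern, suffix):
    if not pattern:
        return not suffix                 # pattern used up: nothing may remain
    head, rest = pattern[0], pattern[1:]
    if head == "**":
        # Assumption: '**' consumes one or more remaining levels.
        return any(_match(rest, suffix[i:]) for i in range(1, len(suffix) + 1))
    if not suffix:
        return False
    if head == "*" or head == suffix[0]:  # '*' consumes exactly one level
        return _match(rest, suffix[1:])
    return False

def resource_allows(resource_path, proxy_basepath, request_path):
    """True if request_path is covered by resource_path under proxy_basepath."""
    base, req = _segments(proxy_basepath), _segments(request_path)
    if req[:len(base)] != base:
        return False                      # request is not for this proxy
    pattern = _segments(resource_path)
    if not pattern:
        return True                       # assumption: '/' covers base path and all sub-paths
    return _match(pattern, req[len(base):])

def audit(resource_path, proxy_basepath, request_paths):
    """Map each request path to 'allow' or 'deny' for a product resource path."""
    return {p: "allow" if resource_allows(resource_path, proxy_basepath, p) else "deny"
            for p in request_paths}

# Paths taken from the answer above.
THREAD_PATHS = [
    "/v1/demoproxy/customers/123",
    "/v1/demoproxy/customers/123/",
    "/v1/demoproxy/customers",
    "/v1/demoproxy/customers/",
    "/v1/demoproxy/customers/123/accounts",
]

if __name__ == "__main__":
    for path, verdict in audit("/customers/*", "/v1/demoproxy", THREAD_PATHS).items():
        print(f"{verdict:5} {path}")
```

Running `audit` with a candidate resource path before publishing a product shows which request paths the product would expose, which makes an overly broad '/' or '/**' entry easy to spot.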