Resource API is accessible without access token though OAuth policy is integrated.

I have hooked up my API with Apigee Edge and also enrolled for OAuth policy for my ArtApi in the test environment. I am still able to view the response for the URL given below, though OAuth is enabled and no access token is provided: http://artapi-test.apigee.net/v2/Products/PG95W0CF5Y

API:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<APIProxy revision="1" name="apiart">
  <ConfigurationVersion majorVersion="4" minorVersion="0"/>
  <CreatedAt>1453502801115</CreatedAt>
  <CreatedBy>rks_sagar@yahoo.com</CreatedBy>
  <Description>ART API for V2 version</Description>
  <DisplayName>apiart</DisplayName>
  <LastModifiedAt>1453757911703</LastModifiedAt>
  <LastModifiedBy>rks_sagar@yahoo.com</LastModifiedBy>
  <Policies>
    <Policy>ValidateOAuth</Policy>
  </Policies>
  <ProxyEndpoints>
    <ProxyEndpoint>default</ProxyEndpoint>
  </ProxyEndpoints>
  <Resources/>
  <TargetServers/>
  <TargetEndpoints>
    <TargetEndpoint>default</TargetEndpoint>
  </TargetEndpoints>
  <validate>false</validate>
</APIProxy>

OAuth policy:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="ValidateOAuth">
  <DisplayName>ValidateOAuth</DisplayName>
  <Properties/>
  <Attributes/>
  <ExternalAuthorization>false</ExternalAuthorization>
  <Operation>VerifyAccessToken</Operation>
  <SupportedGrantTypes/>
  <Tokens/>
</OAuthV2>

Hi @Sagar Mummidivarapu,

The OAuth policy will execute if it's attached to a flow that also gets executed. For example, the Proxy Endpoint Preflow is always guaranteed to execute, and is a good place to put the policy. It could be you've attached the policy to a conditional flow that isn't getting called. Where have you attached your OAuthV2 policy? What do you see when you trace the API call? Could you post any additional clues (maybe the ProxyEndpoint XML) to help troubleshoot?

Regards,

Will

I see Attached to flow ALL. I have no conditional flow at all. I see original response when API call is triggered.

API call:

http://artapi-test.apigee.net/v2/Products/PG95W0CF5Y

Here is the proxy endpoint xml.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ProxyEndpoint name="default">
  <Description/>
  <PreFlow name="PreFlow">
    <Request/>
    <Response/>
  </PreFlow>
  <Flows>
    <Flow name="Authorize">
      <Description/>
      <Request>
        <Step>
          <Name>ValidateOAuth</Name>
        </Step>
      </Request>
      <Response/>
      <Condition>proxy.pathsuffix MatchesPath "/products"</Condition>
    </Flow>
  </Flows>
  <PostFlow name="PostFlow">
    <Request/>
    <Response/>
  </PostFlow>
  <HTTPProxyConnection>
    <BasePath/>
    <VirtualHost>default</VirtualHost>
    <VirtualHost>secure</VirtualHost>
  </HTTPProxyConnection>
  <RouteRule name="default">
    <TargetEndpoint>default</TargetEndpoint>
  </RouteRule>
</ProxyEndpoint>

I figured it out. Somehow my condition is wrong, though I have given what is there in the documentation: proxy.pathsuffix MatchesPath "/products". Not sure why this is not matching, though my URL has products in it.

@Sagar Mummidivarapu -- It looks like the operator MatchesPath is case sensitive, so that's why your URL with /Products fails. You can try using a case insensitive operator like this :~ instead of MatchesPath -- I tried it and it worked. I filed a doc issue to update the docs, which are unclear with respect to forming case insensitive conditionals.

Another thought is that /Products is actually part of the proxy basepath, not the path suffix. If that's the case, then the match would fail, and you'd need something like this: MatchesPath /{product_id} to match your path.
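The thread's root cause, as an added example that is not part of the original posts or of Apigee's tooling: a small audit that reads a ProxyEndpoint definition and reports whether a token-verification policy is attached unconditionally in the PreFlow request (the placement recommended in the first reply) or only behind a condition that a request can miss. The function names and the `HARDENED` variant are constructed for illustration, and the check is deliberately conservative: it only credits an unconditional PreFlow attachment.

```python
import xml.etree.ElementTree as ET

# ProxyEndpoint as posted in the thread, trimmed to the request flow definitions.
AS_POSTED = """<ProxyEndpoint name="default">
  <PreFlow name="PreFlow"><Request/><Response/></PreFlow>
  <Flows>
    <Flow name="Authorize">
      <Request><Step><Name>ValidateOAuth</Name></Step></Request>
      <Condition>proxy.pathsuffix MatchesPath "/products"</Condition>
    </Flow>
  </Flows>
</ProxyEndpoint>"""

# Constructed variant: the same step moved to the PreFlow request, no condition.
HARDENED = """<ProxyEndpoint name="default">
  <PreFlow name="PreFlow">
    <Request><Step><Name>ValidateOAuth</Name></Step></Request>
  </PreFlow>
  <Flows/>
</ProxyEndpoint>"""


def policy_attachments(endpoint_xml, policy):
    """Return (location, condition) for every request-side step that runs `policy`."""
    root = ET.fromstring(endpoint_xml)
    found = []
    flows = [("PreFlow", f) for f in root.findall("PreFlow")]
    flows += [("Flow:" + f.get("name", "?"), f) for f in root.findall("Flows/Flow")]
    for label, flow in flows:
        flow_cond = (flow.findtext("Condition") or "").strip()
        for step in flow.findall("Request/Step"):
            if (step.findtext("Name") or "").strip() != policy:
                continue
            step_cond = (step.findtext("Condition") or "").strip()
            conds = [c for c in (flow_cond, step_cond) if c]
            found.append((label, " and ".join(conds) or None))
    return found


def always_enforced(endpoint_xml, policy):
    """True only if `policy` is attached to the PreFlow request with no condition."""
    return any(loc == "PreFlow" and cond is None
               for loc, cond in policy_attachments(endpoint_xml, policy))


if __name__ == "__main__":
    for name, doc in (("as posted", AS_POSTED), ("hardened", HARDENED)):
        print(name, always_enforced(doc, "ValidateOAuth"), policy_attachments(doc, "ValidateOAuth"))
```

Running a check like this over every ProxyEndpoint file in a bundle before deployment surfaces authentication steps that depend on a path condition, which is the situation that let the `/v2/Products/...` request through without a token.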