This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

Retrieve token info by custom attributes

Posted on 11-03-2021 07:00 AM
christof1
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Hello,

I have a proxy which provides Oauth2 tokens:

- an app asks for an Oauth2 token from my proxy 

- the proxy puts some functional information in the token (via custom attributes) and returns it (access token + refresh token + validity time) to te app for future usage

- the users behind the app which consumes my proxy are identified by a number (let's say customer_ID) that I put in the token in the custom attribute named "customer_ID"

I have to implement a rule that limits the number of active tokens for end users:

- for a customer_ID in the request, before giving it a token, check that it does not have more than X active tokens (X is a limit that comes from an external application).

Tokens I generate know this information (customer_ID via custom attributes) but I can't correlate token each others.

I initially thought that I could search for all (active) tokens whith the same custom attribute (customer_ID) but it seems not possible.

Do you have any idea to implement this rule? Example: manage a counter by customer_ID somewhere in apigee?

 

Thanks very much for your help,

Regards

0 2 91
0 Likes
2 REPLIES 2

Posted on --/--/---- --:-- AM
dchiesa1
Staff
Reply posted on --/--/---- --:-- AM

I don't know a way to enforce a limit on the number of active tokens.  

a posisble workaround: You could insert a ratelimit in front of the token dispensary, using the client ID as the Identifier.  (or customer ID, if you like) 

This is not the same as what you described - it limits the number of calls to the /token endpoint by client ID or customer ID, but it does not limit the number of active tokens. Still, it may be "good enough" for your purposes.

It works even if the limit of X is sourced from an external application.  You'd need to get that via a servicecallout or something similar, prior to invoking the Quota policy. 

0 Likes

Posted on --/--/---- --:-- AM
christof1
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Hello,

Thank you for this answer.

I found a link that explains how to search for tokens by end user ID: https://docs.apigee.com/api-platform/security/oauth/enable-retrieval-and-revocation-oauth-20-access-...

I understand that I could then get all tokens for a end user then count all that are active

The performance topic could be a problem (number of tokens).

A second attention point is the Apigee management API calls by proxys (network, management server availibility).

What about this way ?

Thanks,

Regards

0 Likes