Selectively allow access to routes without auth

Hi all,

I am looking for a way to selectively allow access to one route without auth and can't seem to find documentation on whether this is possible. I am wanting to expose 1 endpoint to the world that does not require authentication to access, while the rest require authentication. Is this possible? How would I accomplish this with the API proxy? Thank you all in advance.


You tell Apigee what you want to do with inbound requests, by "attaching policies" to different "flows" in the API proxy.

One class of policies is "Authentication", and that would include policies like "VerifyAPIKey" and "OAuthV2/VerifyAccessToken". A typical way to apply authentication to an API proxy is to attach one of those policies to a flow such that it runs for ALL inbound requests. In a proxy endpoint, this would look like this:

<ProxyEndpoint name="endpoint1">
  ....
  <PreFlow name="PreFlow">
    <Request>
      <!-- this policy will execute for all inbound requests -->
      <Step>
        <Name>VerifyAPIKey</Name>
      </Step>
    </Request>
    <Response/>
  </PreFlow>

  <PostFlow name="PostFlow">
    <Request/>
    <Response/>
  </PostFlow>

  <Flows>
    <Flow name='t1'>
      <Request/>
      <Response/>
      <Condition>proxy.pathsuffix MatchesPath "/t1" and request.verb = "GET"</Condition>
    </Flow>

    <Flow name='t2'>
      <Request/>
      <Response/>
      <Condition>proxy.pathsuffix MatchesPath "/t2" and request.verb = "POST"</Condition>
    </Flow>

    <Flow name='unknown request'>
      <Request>
        <Step>
           <Name>RF-Unknown-Request</Name>
        </Step>
      </Request>
      <Response/>
    </Flow>

  </Flows>
  ...

If you would like to allow SOME requests without authentication, and SOME without, then you can attach the policy to some of the conditional flows, like so:

<ProxyEndpoint name="endpoint1">
  ....
  <PreFlow name="PreFlow">
    <Request/>
    <Response/>
  </PreFlow>

  <PostFlow name="PostFlow">
    <Request/>
    <Response/>
  </PostFlow>

  <Flows>
    <Flow name='t1'>
      <Request>
        <!-- this policy will execute only for this flow -->
        <Step>
          <Name>VerifyAPIKey</Name>
        </Step>
      </Request>  
      <Response/>
      <Condition>proxy.pathsuffix MatchesPath "/t1" and request.verb = "GET"</Condition>
    </Flow>

    <Flow name='t2'>
      <Request/> <!-- no check of API key here -->
      <Response/>
      <Condition>proxy.pathsuffix MatchesPath "/t2" and request.verb = "POST"</Condition>
    </Flow>

    <Flow name='unknown request'>
      <Request>
        <Step>
           <Name>RF-Unknown-Request</Name>
        </Step>
      </Request>
      <Response/>
    </Flow>

  </Flows>
  ...

 

Does this help?
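
An added example, not part of the original reply and not Apigee tooling: a Python check that parses a ProxyEndpoint like the second one above and lists the conditional flows a request can reach without passing VerifyAPIKey, so a review can confirm that only the intended route is open. The sample XML is constructed from the reply's snippet with the elided parts dropped; the AUTH_POLICIES set and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Policy names counted as authentication (assumption: the name used on this page).
AUTH_POLICIES = {"VerifyAPIKey"}

# Constructed sample: the reply's second ProxyEndpoint, elisions dropped and closed.
SAMPLE = """
<ProxyEndpoint name="endpoint1">
  <PreFlow name="PreFlow"><Request/><Response/></PreFlow>
  <Flows>
    <Flow name="t1">
      <Request><Step><Name>VerifyAPIKey</Name></Step></Request>
      <Condition>proxy.pathsuffix MatchesPath "/t1" and request.verb = "GET"</Condition>
    </Flow>
    <Flow name="t2">
      <Request/>
      <Condition>proxy.pathsuffix MatchesPath "/t2" and request.verb = "POST"</Condition>
    </Flow>
    <Flow name="unknown request">
      <Request><Step><Name>RF-Unknown-Request</Name></Step></Request>
    </Flow>
  </Flows>
</ProxyEndpoint>
"""

def _always_authenticates(request_elem):
    """True if <Request> holds an auth Step that has no <Condition> of its own."""
    if request_elem is None:
        return False
    for step in request_elem.findall("Step"):
        name = (step.findtext("Name") or "").strip()
        # A conditional Step can be skipped, so it is not counted as a guarantee.
        if name in AUTH_POLICIES and step.find("Condition") is None:
            return True
    return False

def flows_without_auth(xml_text):
    """Names of flows reachable without an unconditional auth policy."""
    root = ET.fromstring(xml_text)
    if _always_authenticates(root.find("PreFlow/Request")):
        return []  # PreFlow runs for every request, so every flow is covered
    return [f.get("name") for f in root.findall("Flows/Flow")
            if not _always_authenticates(f.find("Request"))]

def unexpected_open_flows(xml_text, allowed):
    """Open flows that are not on the reviewer's allowlist of public flows."""
    return [n for n in flows_without_auth(xml_text) if n not in allowed]
```

The catch-all "unknown request" flow is reported as open as well, so it has to be listed in the allowlist explicitly once a reviewer has confirmed that it only rejects the request.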