Hello,
Need help to configure a secure validation between Google Apigee Edge and a SonarQube endpoint. What policy do we need to set on the Apigee proxy endpoint and target endpoint to ensure the SonarQube token is authenticated and validated before executing the sonar task? The SonarQube application generates the token for scanning - https://docs.sonarsource.com/sonarqube/latest/extension-guide/web-api/
Passthrough from pipeline to Google Apigee to SonarQube works fine, but is there any policy that we can set to ensure the token is validated before invoking the target?
I am not sure what problem you are hoping to solve here.
It sounds like you want to use Apigee to act as a facade in front of the SonarQube API.
What policy do we need to set on the Apigee proxy endpoint and target endpoint to ensure the SonarQube token is authenticated and validated before executing the sonar task?
Why would you want to do that? Why not let SonarQube validate the token? If I am understanding correctly, only SonarQube will know if the token is valid. So why not let SonarQube do that validation? Apigee doesn't have the right information to validate a token that is good for a 3rd party.
What negative consequence occurs if Apigee does not validate the token for SonarQube?
Thanks for the response! I agree that only SonarQube will know if the token is valid for the users and that this cannot be handled through Apigee. We wanted to have some level of validation when proxying through Apigee just to ensure that the request is coming from an allowed source. Is there any way we can do header or body validation? IP whitelisting is not a valid option here as the IPs are dynamic.
We wanted to have some level of validation when proxying through Apigee just to ensure that the request is coming from an allowed source.
Yes! That makes sense. I think