I configured the edgemicro and configured my API product and Developer App. I am also able to generate my access token.
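$ ./node_modules/edgemicro/cli/edgemicro token get -o *** -e prod -i *** -s ***
current nodejs version is v5.0.0
current edgemicro version is 2.4.6
{ token: 'eyJhbGciOiJSUzI1NiJ9.eyJhcGlfcHJvZHVjdF9saXN0IjpbIkVkZ2VNaWNyb1Rlc3RQcm9kdWN0Il0sImF1ZGllbmNlIjoibWljcm9nYXRld2F5IiwianRpIjoiMjQ2MTQ4YTUtZDI2Yy00M2Q2LTk0YzAtNDM0MTY3ZDNlYzc2IiwiaXNzIjoiaHR0cHM6Ly9naXJpc2hnYWpyaWEtcHJvZC5hcGlnZWUubmV0L2VkZ2VtaWNyby1hdXRoL3Rva2VuIiwiYWNjZXNzX3Rva2VuIjoiU0VDQW1xblBmY0xOb3NKT0p2Wkc0NzNFcjMwaSIsImNsaWVudF9pZCI6IndyUUNRcTlvZERJZVdzRmtKTnFJTTVOcXJvSWtGUXlaIiwibmJmIjoxNDk3NTkyMzA2LCJpYXQiOjE0OTc1OTIzMDYsImFwcGxpY2F0aW9uX25hbWUiOiJiYjQ1MjI0Yy05MTk2LTRmY2EtODM5Ny1jNmVjNjJhYTkxN2QiLCJzY29wZXMiOlsiIl0sImV4cCI6MTQ5NzU5MjYwNn0.SiQUV_1IT0zvEsDmq8UcIzbTfuwc6UIxcuZpz7tSVijEOSmKjOb4h6D1LiJzBtmJkbEU3I7S5l92K0bYpVPDcklr_h2qnWquka4l88s0O704xNuuCtt0vHuySL_an1QUzAAirR8iBS5lXF62qhCro8Id_AEw7rNbOiO6rPiUKRwGs7yeHYBHfU5Z-eCkymOC6LMTHHKA2NLU5M47ViCujbxXNQlWAYkPhSw7WvUTn2HNj4YT2gVrzHbYttHqWMNWtpF3ZiDlbdbzRoNG067iwraJQNdy0cdstI134lwatx5fI4D3BYpsOswaW7cqpHKFYQ4XV06LOxmXuBZXCPFgkQ' }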
When I try to use this token immediately, I get the below error:
$ curl -H "Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJhcGlfcHJvZHVjdF9saXN0IjpbIkVkZ2VNaWNyb1Rlc3RQcm9kdWN0Il0sImF1ZGllbmNlIjoibWljcm9nYXRld2F5IiwianRpIjoiMjQ2MTQ4YTUtZDI2Yy00M2Q2LTk0YzAtNDM0MTY3ZDNlYzc2IiwiaXNzIjoiaHR0cHM6Ly9naXJpc2hnYWpyaWEtcHJvZC5hcGlnZWUubmV0L2VkZ2VtaWNyby1hdXRoL3Rva2VuIiwiYWNjZXNzX3Rva2VuIjoiU0VDQW1xblBmY0xOb3NKT0p2Wkc0NzNFcjMwaSIsImNsaWVudF9pZCI6IndyUUNRcTlvZERJZVdzRmtKTnFJTTVOcXJvSWtGUXlaIiwibmJmIjoxNDk3NTkyMzA2LCJpYXQiOjE0OTc1OTIzMDYsImFwcGxpY2F0aW9uX25hbWUiOiJiYjQ1MjI0Yy05MTk2LTRmY2EtODM5Ny1jNmVjNjJhYTkxN2QiLCJzY29wZXMiOlsiIl0sImV4cCI6MTQ5NzU5MjYwNn0.SiQUV_1IT0zvEsDmq8UcIzbTfuwc6UIxcuZpz7tSVijEOSmKjOb4h6D1LiJzBtmJkbEU3I7S5l92K0bYpVPDcklr_h2qnWquka4l88s0O704xNuuCtt0vHuySL_an1QUzAAirR8iBS5lXF62qhCro8Id_AEw7rNbOiO6rPiUKRwGs7yeHYBHfU5Z-eCkymOC6LMTHHKA2NLU5M47ViCujbxXNQlWAYkPhSw7WvUTn2HNj4YT2gVrzHbYttHqWMNWtpF3ZiDlbdbzRoNG067iwraJQNdy0cdstI134lwatx5fI4D3BYpsOswaW7cqpHKFYQ4XV06LOxmXuBZXCPFgkQ" -i http://localhost:8000/hello/echo
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    25  100    25    0     0    178      0 --:--:-- --:--:-- --:--:--   201
HTTP/1.1 401 Unauthorized
content-type: application/json
Date: Fri, 16 Jun 2017 05:51:01 GMT
Connection: keep-alive
Content-Length: 25
{"error":"invalid_token"}
But when I try the same token after a couple of minutes, it seems to work.
$ curl -H "Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJhcGlfcHJvZHVjdF9saXN0IjpbIkVkZ2VNaWNyb1Rlc3RQcm9kdWN0Il0sImF1ZGllbmNlIjoibWljcm9nYXRld2F5IiwianRpIjoiMjQ2MTQ4YTUtZDI2Yy00M2Q2LTk0YzAtNDM0MTY3ZDNlYzc2IiwiaXNzIjoiaHR0cHM6Ly9naXJpc2hnYWpyaWEtcHJvZC5hcGlnZWUubmV0L2VkZ2VtaWNyby1hdXRoL3Rva2VuIiwiYWNjZXNzX3Rva2VuIjoiU0VDQW1xblBmY0xOb3NKT0p2Wkc0NzNFcjMwaSIsImNsaWVudF9pZCI6IndyUUNRcTlvZERJZVdzRmtKTnFJTTVOcXJvSWtGUXlaIiwibmJmIjoxNDk3NTkyMzA2LCJpYXQiOjE0OTc1OTIzMDYsImFwcGxpY2F0aW9uX25hbWUiOiJiYjQ1MjI0Yy05MTk2LTRmY2EtODM5Ny1jNmVjNjJhYTkxN2QiLCJzY29wZXMiOlsiIl0sImV4cCI6MTQ5NzU5MjYwNn0.SiQUV_1IT0zvEsDmq8UcIzbTfuwc6UIxcuZpz7tSVijEOSmKjOb4h6D1LiJzBtmJkbEU3I7S5l92K0bYpVPDcklr_h2qnWquka4l88s0O704xNuuCtt0vHuySL_an1QUzAAirR8iBS5lXF62qhCro8Id_AEw7rNbOiO6rPiUKRwGs7yeHYBHfU5Z-eCkymOC6LMTHHKA2NLU5M47ViCujbxXNQlWAYkPhSw7WvUTn2HNj4YT2gVrzHbYttHqWMNWtpF3ZiDlbdbzRoNG067iwraJQNdy0cdstI134lwatx5fI4D3BYpsOswaW7cqpHKFYQ4XV06LOxmXuBZXCPFgkQ" -i http://localhost:8000/hello/echo
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   703    0   703    0     0   1024      0 --:--:-- --:--:-- --:--:--  1047
HTTP/1.1 200 OK
access-control-allow-origin: *
content-type: application/json; charset=utf-8
date: Fri, 16 Jun 2017 05:57:32 GMT
etag: W/"2bf-EJujd42L5BmQgsq8DWlJGw"
x-powered-by: Apigee
x-response-time: 667
Connection: keep-alive
Transfer-Encoding: chunked
{"headers":{"host":"mocktarget.apigee.net","accept":"*/*","user-agent":"curl/7.45.0","via":"1.1 localhost","x-authorization-claims":"eyJhdWRpZW5jZSI6Im1pY3JvZ2F0ZXdheSIsImp0aSI6IjI0NjE0OGE1LWQyNmMtNDNkNi05NGMwLTQzNDE2N2QzZWM3NiIsImlzcyI6Imh0dHBzOi8vZ2lyaXNoZ2FqcmlhLXByb2QuYXBpZ2VlLm5ldC9lZGdlbWljcm8tYXV0aC90b2tlbiIsImFjY2Vzc190b2tlbiI6IlNFQ0FtcW5QZmNMTm9zSk9KdlpHNDczRXIzMGkiLCJuYmYiOjE0OTc1OTIzMDYsInNjb3BlcyI6WyIiXX0=","x-forwarded-host":"localhost:8000","x-request-id":"58c4bbd0-5257-11e7-82ac-1d5d6b2f5a14.832d8e50-5258-11e7-82ac-1d5d6b2f5a14","x-forwarded-for":"::1, 121.242.128.86","x-forwarded-port":"80","x-forwarded-proto":"http","connection":"keep-alive"},"method":"GET","url":"/","body":""}
Any ideas on what is causing this delay? Is it due to my incorrect configuration? I can share my configuration files, if required. As can be surmised, I am working off the sample provided in the docs.
Also on a related note, few more queries:
Thanks and really excited that Apigee is getting into this space. Keep up the great work.
Thanks,
Girish
@Girish Gajria, thank you, we appreciate it.
Regarding the "invalid_token" error - this only happens when the JWT verification fails. It is clear the token has not expired. My suspicion is the "nbf" claim (Not Before) in the JWT. It is possible your machine's clock is a little behind. But this is a place I would start with.
Responses to "few more queries":
Item #1: In the hybrid model, we want a strategy of centralized authoring, distributed enforcement. By defining the proxies in Edge, you are authoring them in a central location. Each distributed gateway reads the proxy configuration from the central location. In some places, like Cloud Foundry, these proxies are automatically provisioned for you when you bind route services.
Item #2: I didn't quite understand this question. The choice of exposing or not exposing microservices to the internet is yours. There are no technical restrictions one way or another.
Item #3: API Product and Developer App are necessary only if you use the OAuth plugin. If you disable the plugin, there is no need to create those entities.
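Added example (not part of the original thread and not edgemicro's own code): a check of a JWT's `nbf`/`exp` window against the verifier's clock, showing how a clock that runs behind turns a fresh token into a rejection. The function names are hypothetical, the sample token is constructed with only the time claims copied from the token in the question, and the gateway clock is assumed to be the `Date` header of the 401 response.

```javascript
// Added illustration: evaluate a JWT's nbf/exp window against the verifier's
// clock. Signature verification is deliberately out of scope here.

// Decode the payload segment of a compact JWT without verifying it.
function decodePayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// skewSec is the clock drift the verifier tolerates in either direction.
function checkTimeClaims(claims, nowSec, skewSec = 0) {
  if (typeof claims.nbf === 'number' && nowSec + skewSec < claims.nbf) {
    return { ok: false, reason: 'not_yet_valid', offBySec: claims.nbf - nowSec };
  }
  if (typeof claims.exp === 'number' && nowSec - skewSec >= claims.exp) {
    return { ok: false, reason: 'expired', offBySec: nowSec - claims.exp };
  }
  return { ok: true, reason: 'valid', offBySec: 0 };
}

function diagnose(jwt, nowSec, skewSec) {
  return checkTimeClaims(decodePayload(jwt), nowSec, skewSec);
}

// Constructed sample: only the time claims are copied from the question's token;
// the signature segment is a dummy.
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const sampleJwt = [
  b64url({ alg: 'RS256' }),
  b64url({ nbf: 1497592306, iat: 1497592306, exp: 1497592606 }),
  'dummy-signature',
].join('.');

// Assumption: the Date header of the 401 response reflects the gateway's clock.
const gatewayNow = Date.parse('Fri, 16 Jun 2017 05:51:01 GMT') / 1000;

console.log(diagnose(sampleJwt, gatewayNow, 0));  // strict check
console.log(diagnose(sampleJwt, gatewayNow, 60)); // 60 s tolerance
```

Synchronizing the verifier's clock (for example with NTP) removes the rejection without widening the tolerance, which also lengthens how long an expired token is accepted.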
Thanks @Srinandan Sridhar, my apologies for the delay in response.
I was able to confirm that your suspicion is correct. For some reason, my system clock is off by a minute, hence the delay.
For Item #2, my query was: should my microservice be accessible to the Apigee Edge cloud (since we do configure it in the edgemicro_* api proxy)?
Given a scenario, I have a microservice {some-internal-system-host}/employee accessible within my intranet (not over internet), what should be the host on my edgemicro_employee proxy (it cannot be https://my-org.com/employee, since it is not accessible from the cloud).
Another follow up question:
As per docs, this should work with x-api-key header as well, but I get the below response:
$ curl -H "x-api-key: {my-api-key-goes-here}" -i http://localhost:8000/hello/echo
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    25  100    25    0     0      3      0  0:00:08  0:00:07  0:00:01     5
HTTP/1.1 401 Unauthorized
content-type: application/json
Date: Tue, 20 Jun 2017 05:53:45 GMT
Connection: keep-alive
Content-Length: 25
{"error":"invalid_token"}
Any thoughts/suggestions?
Thanks Again,
Girish
re: "Should the microservice be accessible to Apigee Edge cloud" - the answer is no. The endpoint on the proxy, like you have indicated, points to some internal hostname that won't be available to the cloud. That is perfectly fine.
re: "invalid_token" - again I suspect the time stamp. Try it again, after you get an error, give it another shot in 1-2 mins.