hi folks,
I have there apps named bronze, gold, and silver and I want to apply quota in these apps like saying as the bronze app can be able to hit API only 5 times after 5 times it will not able to get a response and same for the gold app are able to hit API only 10 times after 10 times it will not able to get response and so on.
i want to perform this thing using custom attribute in app-level like create a custom attribute variable for bronze which store value 5 and somehow it will refer to quota policy
counter = 5
thanks for any suggestion or guidance.
@Denis_KALITVI please have a look
Normally you would create API Products to store the quota, then authorize the different apps on the respective products. Like this:
Product name | Quota |
Gold | 100 requests per hour |
Silver | 10 requests per hour |
Bronze | 5 requests per hour |
And then you create apps (or allow your developers to request apps) for those products.
Developer | Developer App | ...authorized for Product |
Chris | devapp1 | Bronze |
Farhan | fh-app | Gold |
Angelique | ang-app1 | Silver |
Sonia | sonia1 | Silver |
Cybil | mydevapp | Bronze |
Lephron | le-app | Gold |
In the proxy, you need to call VerifyAPIKey or VerifyAccessToken. This will explicitly validate the credential for the client app, and implicitly load in the quota setting for the authorized API Product for the app.
You can then refer to the quota settings as:
Policy | Variables |
VerifyAPIKey | verifyapikey.POLICYNAME.apiproduct.developer.quota.limit verifyapikey.POLICYNAME.apiproduct.developer.quota.interval verifyapikey.POLICYNAME.apiproduct.developer.quota.timeunit |
VerifyAccessToken | apiproduct.developer.quota.limit apiproduct.developer.quota.interval apiproduct.developer.quota.timeunit |
The required quota policy might be like this:
<Quota name='Q-1'>
<!-- use the client_id that is set after OAuthV2/VerifyAccessToken -->
<Identifier ref='client_id' />
<Allow countRef='apiproduct.developer.quota.limit'/>
<Interval ref='apiproduct.developer.quota.interval'/>
<TimeUnit ref='apiproduct.developer.quota.timeunit'/>
<Distributed>true</Distributed>
<Synchronous>false</Synchronous>
<PreciseAtSecondsLevel>false</PreciseAtSecondsLevel>
</Quota>
You can also set quota limits on an app-by-app basis. But as the number of apps grows, this approach becomes harder to manage, as compared to using metadata set on the API Product. We presume there will be 10's or 100's of apps, and ~10 API Products (or in any case, significantly fewer products) . Therefore managing the metadata in the product will be easier.
But IF YOU WISH to set quota on an individual app basis, you can do that too. Set the custom attribute on the Apps, and then refer to different variables in the Quota policy.
@dchiesa1 thanks dino for quick and pretty clear reply but my use case is different I want to apply quota at app level using custom attribute value as a counter (In quota) then hit API till quota exceeded
like in custom attributes counter = 10
then it will go to API proxy and be able to hit proxy only 10 times
It's the same as Dino described. Once you will have your custom attr on app level, you can get it after either Verify API key or OAUTH2 token validation. Once this is done, you will have access to app (via app id) custom attributes, and then you can use this attribute as
<Allow countRef='policy_with_token_custom_attr'/>
@dchiesa1 How can we acheive this if we have a third party Authentication like Pingone ?
Apigee works really well with 3rd party Authn systems. There are two cases we can consider:
I did a little googleling on PingOne, and... honestly I cannot tell if it issues tokens based on OIDC or not.
But that is merely a detail. Regardless, the flow with a 3rd party Authn system plus Apigee would be something like this:
This is a really common pattern among companies who use Apigee. almost all of them have some sort of 3rd-party user Authn system. Active Directory, PingOne, Okta, Auth0, ... Google Signin, ... many options.
Thanks for the quick reply.Pingone do generates OIDc tokens, will try the approach.