Retrieving Application/Developer/Company Info from Client Credentials

When an OAuth token is part of the flow, one can retrieve information associated with the token. For example, the application name or the developer ID.

How can you retrieve the same values as part of a policy where client credentials have been provided (e.g. "Authorization: Base64-encoded{key:secret}")?

1 ACCEPTED SOLUTION

You can use the Access Entity policy to look up this and other types of information:

http://docs.apigee.com/api-services/reference/access-entity-policy

You could also just use a ValidateApiKey policy on the decoded client id. Would be worth trying both to see if there's a benefit to one over the other.


3 REPLIES


Thanks @Carlos Eberhardt. After reading through the docs for both approaches, I went with the `VerifyAPIKey` policy.

In case anyone does not realize it, the "API Key" is the "key" portion of your app's key/secret pair.

For those interested, this is what I did:

1. Upload base64.js as a script

2. New JS policy (with `<IncludeURL>jsc://base64.js</IncludeURL>`) that parses the `Authorization` header for the encoded credentials, calls `Base64.decode` on them, and gets the API key (the section before the colon)

3. Save API key as variable (`apikey`) using `context.setVariable`

4. Add "VerifyAPIKey" policy, named "ApiKey" with `<APIKey ref="apikey"/>`

Subsequent policies now have access to the values associated with the key using the syntax:

verifyapikey.ApiKey.{property}

For example:

verifyapikey.ApiKey.developer.email
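The parsing and variable-setting steps above (steps 2 and 3), as an added example that is not code from the thread: the small inline decoder stands in for base64.js so the script also runs under Node.js, and the `context` object is assumed to be Apigee's, present only inside the policy runtime.

```javascript
// Added example, not from the original thread. Runs inside an Apigee JavaScript
// policy (Rhino: no Buffer, no atob) and stand-alone under Node.js.
var B64 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';

// Decode base64 to a byte-per-char string. Returns null on characters outside
// the alphabet or an impossible length, so a malformed header is rejected
// rather than silently mis-parsed. Stands in for base64.js from the thread.
function base64Decode(input) {
  var s = String(input).replace(/=+$/, '');
  if (!/^[A-Za-z0-9+\/]*$/.test(s) || s.length % 4 === 1) { return null; }
  var out = '', bits = 0, acc = 0;
  for (var i = 0; i < s.length; i++) {
    acc = (acc << 6) | B64.indexOf(s.charAt(i));
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      out += String.fromCharCode((acc >> bits) & 0xff);
      acc &= (1 << bits) - 1;            // keep only the not-yet-emitted bits
    }
  }
  return out;
}

// Pull the client id (the part before the first colon) out of an Authorization
// header value. Accepts both "Basic <base64>" and the bare "<base64>" form the
// question describes. Returns null for anything that is not well-formed.
function extractApiKey(authHeader) {
  if (!authHeader) { return null; }
  var m = /^\s*(?:Basic\s+)?([A-Za-z0-9+\/=]+)\s*$/i.exec(String(authHeader));
  if (!m) { return null; }
  var decoded = base64Decode(m[1]);
  if (decoded === null) { return null; }
  var colon = decoded.indexOf(':');
  if (colon <= 0) { return null; }     // no colon, or an empty key: reject
  return decoded.substring(0, colon);
}

// Wiring for the Apigee policy. `context` only exists inside the proxy runtime;
// the key lands in the flow variable "apikey", which <APIKey ref="apikey"/> in
// the VerifyAPIKey policy then reads. An empty value makes VerifyAPIKey fail
// the request, which is the desired outcome for a malformed header.
if (typeof context !== 'undefined') {
  var key = extractApiKey(context.getVariable('request.header.Authorization'));
  context.setVariable('apikey', key === null ? '' : key);
}
```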

Glad you got it working as desired.

You could simplify (arguably) a bit further if you wanted by using the built-in Basic Authentication policy. Check out the "inbound decoding" example here: http://docs.apigee.com/api-services/reference/basic-authentication-policy