Is it possible to verify if an access token is associated with a product instance?

Not applicable

Hi All,

I have a doubt about the verify access token process.

Consider this scenario: I have a product Apartment and there are several product instances, such as Apartment A (my apartment), Apartment B (your apartment) and so on. I know that the access token is associated with a product and not with a product instance through the client, so if I generate an access token for the product Apartment, could I have access to Apartment B (your apartment) with my access token? If it is possible, is this not correct?

Thanks,

Fabio

5 REPLIES

I think there is some confusion about the terminology. Please refer here for more details on the data model.

Are you referring to API product?

An API product has a collection of API proxies [and resources]. It is just a definition; there are no instances of it. An API key is subscribed to one or more API products. An access token is obtained by an app, so it's always associated with an API key [Application] and hence with an API product.

Yep, I'm a little confused. I'm sorry, but I can explain.

"I know that the access token is associated to a product and not to a product instance through the client," ...

Not applicable

If you talk about the above example in terms of proxies instead of products, then yes: you use the same access token for different proxies if all are bound to the same App.

Not applicable

Hi Fabio Vassallo

I think you could use the OAuth 2.0 policy (GenerateAccessToken) to verify that the consumer key/secret belongs to a particular product.

For more information, please check here.

https://community.apigee.com/questions/20774/validating-both-client-id-and-secret.html

Not applicable

Hi Fabio, I am a little confused about the term "Product Instance". Maybe you are referring to the scope of a product?

If so, the scope of an access token is dependent on the scope of the product/s OR the scope of the developer app. Then, when the VerifyAccessToken policy is called, if a scope is specified in the policy, the access token scope must be defined in the policy to allow entry to the flow. This article here explains scopes and access tokens in great detail.

http://docs.apigee.com/api-services/content/working-scopes

Apologies if this is not what you are referring to when you mean "product instance" but it sounds similar to what you need. Let me know if you need more info on scopes.
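The scope check described in the last reply, as an added configuration example that is not part of any reply in this thread: two OAuthV2 policies using the VerifyAccessToken operation, the first without a scope requirement and the second with one. The policy names and the scope strings `apartment.read` and `apartment.write` are constructed for illustration.

```xml
<!-- Policy 1 (no Scope element): any valid, unexpired access token issued to an
     app that is subscribed to a product covering this proxy is accepted.
     The token's scopes are not examined. -->
<OAuthV2 name="Verify-Token-Any-Scope">
  <Operation>VerifyAccessToken</Operation>
</OAuthV2>

<!-- Policy 2 (Scope element present): in addition to the checks above, the
     token's scope has to be among the space-separated scopes listed here,
     otherwise the request is rejected before it enters the flow.
     Scope names are constructed examples, not values from the thread. -->
<OAuthV2 name="Verify-Token-Apartment-Scope">
  <Operation>VerifyAccessToken</Operation>
  <Scope>apartment.read apartment.write</Scope>
</OAuthV2>
```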