Clarification on some X-HTTP headers passed down-stream by EdgeMicro

Looking at the HTTP headers that are passed to my target service by EMG, I have a few x-headers (I modified them):

		'x-authorization-claims': 'eyJzY29wZXMiOlsidXJuOmhwOmFwaTplbXM6c2VuZF9lbWFpbCIsInVybjpocDphcGk6ZW1zOnNldF90ZW1wbGF0ZSJdfQ==',
		'x-request-id': 'caea4180-2639-11e6-bf35-97b6d40161f1.335a8db0-263a-11e6-bf35-97b6d40161f1',
		'x-forwarded-for': 'undefined::ffff:127.0.0.1',
		'x-forwarded-host': 'undefinedlocalhost:5000'

The first one 'x-authorization-claims' carries the scopes requested by my application, base-64-encoded:

		$ cat | base64 -D
		eyJzY29wZXMiOlsidXJuOmhwOmFwaTplbXM6c2VuZF9lbWFpbCIsInVybjpocDphcGk6ZW1zOnNldF90ZW1wbGF0ZSJdfQ==
		{"scopes":["urn:hp:api:ems:send_email","urn:hp:api:ems:set_template"]}

[Q#1] Is it safe for me to rely on this x-header to get the scopes granted to the app by APIgee Edge?

[Q#2] what are the 'x-forwarded-for' and 'x-forwarded-host' headers for? Is it safe to drop them before reaching the target service (eg. using a custom plugin)?

[Q#3] Is 'x-request-id' private to APIgee (eg. assigned by Edge during the exchange EMG<=>Edge to validate the OAuth token), or is it a convenience header assigned by EMG at each transaction for the target service to use?

1 REPLY 1

Hello @Francois-Xavier KOWALSKI,

[Q#1] Is it safe for me to rely on this x-header to get the scopes granted to the app by APIgee Edge?

No, it is just a base64-encoded value:

> it would be better to send the JWT received by EMG to target or

> EMG could pass additional signature to prove that the request originated from EMG.

> only whitelist EMG's at the target service

or any other mechanism to establish trust b/w EMG -> target

If you can guarantee that the request originated from EMG - then you can rely on this header.

[Q#2] what are the 'x-forwarded-for' and 'x-forwarded-host' headers for? Is it safe to drop them before reaching the target service (eg. using a custom plugin)?

> x-forwarded-for would contain the IP of the client which called EMG,

> x-forwarded-host will contain the hostname the client used to call EMG.

Some targets might use them for logging/audit, some targets might use them to rewrite URLs in the response to match EMG's URL. So the answer is: it depends on your use case; if you do not need them, it is safe to drop them.

[Q#3] Is 'x-request-id' private to APIgee (eg. assigned by Edge during the exchange EMG<=>Edge to validate the OAuth token), or is it a convenience header assigned by EMG at each transaction for the target service to use?

x-request-id - yes, the latter; it's private to Apigee and assigned by EMG for each API call.

Thanks,