Delegated OAuth using EdgeMicro

I currently see 3 cases for Edge-Cloud/Edge-Micro analytics with/without delegated OAuth:

  1. When OAuth is provided by Apigee, everything is clear: analytics are built using data provided to Edge-Cloud (or Edge-Micro) through the OAuth token, as explained by http://docs.apigee.com/analytics-services/content/analytics-services-overview
  2. When using Edge-Cloud and delegated OAuth, the API call comes with the foreign OAuth token to EdgeCloud, which is running an OAuth policy hooked to the delegated provider. The analytics are generated by Edge-Cloud
  3. When using Edge-Micro with delegated OAuth, EMG runs a custom filter to validate the foreign OAuth token. In that case, how are the analytics generated & sent to Apigee? How to hook app definitions (client-id/secret) and developer definitions to the foreign OAuth provider? Using API keys? Other?

Am I missing the right integration model for EMG+Delegated OAuth to be able to have analytics?



In your "EMG+Delegated OAuth" case, Microgateway would only send attributes such as latency, timestamps, error codes, etc. It won't be able to send attributes that are usually present in Apigee-generated OAuth tokens, such as app name and developer id. What you can do in that case, however, is call the Analytics module's finalizeRecord method to populate those attributes. As long as the attribute names match and the values are valid, they should show up on Edge.

Ok, thank you @prabhat143@gmail.com. Looking at the existing analytics code (thanks to your hint about finalizeRecord), I found that code snippet:

    // oauth
    var token = req.token;
    if (token) {
      record.developer_email = token.developer_email;
      record.developer_app   = token.application_name;
      record.access_token    = token.access_token;
      record.client_id       = token.client_id;

      var prodList = token.api_product_list;
      if (prodList && prodList.length) {
        if (typeof prodList === 'string') { prodList = prodList.slice(1, -1).split(','); }
        // hack: analytics server only accepts a single product
        record.api_product = prodList[0];
      }
    }

    self.finalizeRecord(req, resp, record, cb);

If I populate the fields of req.token with valid values known to Apigee, it seems like I should be able to use the unmodified "analytics" plugin downstream of my own OAuth validation filter. Is my guess correct?

The only value I cannot obtain here is "access_token", because it is coming from my own OAuth server rather than Apigee's. So do I need to obtain one anyway? Or can I skip this field?

Well, as you already knew, analytics is always the first plugin in the chain... and cannot be configured to be in another place. So I will test loading my own plugin, with the same code as analytics & calling into the same middleware... but named differently, so that I have a chance to set the necessary record fields with Apigee-valid data. Will keep you posted & thanks again for the tip.
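The idea discussed in the post above, as an added example that is not part of the original thread or of the Edge Microgateway code base: claims from an already-validated foreign token are mapped onto the `req.token` fields that the quoted snippet reads. `APP_REGISTRY`, `toEdgeToken`, `buildRecord`, `attachToken`, the `client_id` claim name and all sample values are hypothetical or constructed, and the example assumes `req.token` is set before the analytics record is built.

```javascript
// Constructed registry: foreign client id -> names as registered in Edge.
const APP_REGISTRY = {
  'foreign-client-123': {
    developer_email: 'dev@example.com',
    application_name: 'orders-app',
    client_id: 'edge-consumer-key-abc',
    api_product_list: '[orders-product,billing-product]',
  },
};

// Map claims from an already-validated foreign token onto the req.token
// fields the analytics snippet reads. Unknown clients yield null so that no
// guessed values are reported. access_token is left unset (assumption: the
// thread leaves open whether Edge requires it).
function toEdgeToken(claims, registry) {
  const id = claims && claims.client_id; // claim name is an assumption
  if (typeof id !== 'string') return null;
  // Own-property check: inherited keys such as "constructor" must not match.
  if (!Object.prototype.hasOwnProperty.call(registry, id)) return null;
  const app = registry[id];
  return { developer_email: app.developer_email, application_name: app.application_name,
           client_id: app.client_id, api_product_list: app.api_product_list };
}

// Same field mapping as the snippet quoted above, as a pure function.
function buildRecord(req) {
  const record = {};
  const token = req.token;
  if (token) {
    record.developer_email = token.developer_email;
    record.developer_app = token.application_name;
    record.access_token = token.access_token;
    record.client_id = token.client_id;
    let prodList = token.api_product_list;
    if (prodList && prodList.length) {
      if (typeof prodList === 'string') prodList = prodList.slice(1, -1).split(',');
      record.api_product = prodList[0];
    }
  }
  return record;
}

// What the custom filter would do after validating the foreign token.
function attachToken(req, claims, registry = APP_REGISTRY) {
  const token = toEdgeToken(claims, registry);
  if (token) req.token = token;
  return req;
}
```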


@Francois-Xavier KOWALSKI can you shed some light on how you implemented EMG+Delegated OAuth? One option I can think of is to modify the authUri in the *-config.yaml file to point to the delegated OAuth provider; however, that could be a greater engineering effort because the OAuth plugin on EMG needs modifications as well. How did you approach the problem of using EMG with a delegated OAuth provider?

Former Community Member

@Sundar Krishnadas, you might want to consider this article