Few Questions on Microgateway OAuth implementation

Not applicable

Hi Team,

I have few questions regarding OAuth implementation in Microgateway:

1) How does OAuth works internally in edgemicro? Does it make a call to apigee edge when generating token using CLI??

2) Is generation of token through CLI is different from that using API call??
3) For validation of OAuth token does it go to Apigee edge or it validates within the microgateway??

4) Can we set the expiry time for OAuth token in microgateway?

5) What is best practice to secure our internal APIs using microgateway?? Shall we use both API key validation and OAuth or either will do?? Because as per docs it says that for securing your APIs either use API key validation or OAuth.

Thanks.

0 8 719
8 REPLIES 8

Former Community Member
Not applicable
@Vipul Agarwal

1: Apigee Edge Microgateway uses JWT as an OAuth Bearer token. It does make a call to Edge to generate (and download) the public key.

2: The CLI also uses the same API call.

3: JWTs are self-validating. There is no need for MG to reach out to Edge for validation.

4: Yes, you can. I need to look up how.

5: MG support client credentials grant (and with some user extensions, password grant). Client credentials grant takes client id (aka API key) and secret. If you're using OAuth, API key is already there. There is no value is adding a separate API key check.

In my opinion, API key is not a security measure. It is a good counting measure (for analytics, quota etc.).

@Srinandan Sridhar: Can you please clarify on point 1 & 2 and where exactly the token generation happens?

Former Community Member
Not applicable

@Vipul Agarwal

When the "edgemicro configure" command is executed, a public/private key pair is generated. Also, in your org, there is a proxy called "edgemicro-auth" get deployed (if it doesn't already exist). This proxy exposes the public key. You can access it by calling: http://{org}-{env}.apigee.net/edgemicro-auth/publicKey

This is the same API that MG also calls to get the public key. The public key itself is stored in Apigee's vault (encrypted storage).

Hi Srinandan, thanks for your answers. Could you please elaborate #5 of how to support password grant? What user extensions are required to enable this? thanks,

Former Community Member
Not applicable

where is the secret key/ private key for jwt stored? If jwt validation happens at micro gateway or apigee edge level? If apigee edge connectivity is needed for each api call to MG to pass through successfully?

Former Community Member
Not applicable

1) The private key is stored in Apigee Edge.

2) Validation happens exclusively on the microgateway

3) Apigee Edge connectivity is NOT needed for API calls to passthrough MG

Not applicable

What would be the mechanisms to implement Security considering that the present setup of API Key/Oauth is to ensure counting measures are in place. Is it possible to write custom Oauth on top of the existing one (or extend for Password grant oauth type) and also what would be the dependency and connectivity requirements to Apigee Edge for this to function?