EMG- x-api-key in authorization header gives 403

anshul_
Participant IV

Apigee Edge Micro Gateway is not working for the API key. Upon passing the x-api-key header in the request I get 403. The configuration has been set as per the documentation. The developer app is approved as well. I had put a few debug statements in the edgemicro-auth API to find out that when the API makes the call to verify the API key it gets the following response in the result:

oauth result:{"error":"oauth.v2.InvalidApiKeyForGivenResource","error_description":"com.apigee.oauth.v2.OauthAdaptorVerificationException{ code = oauth.v2.InvalidApiKeyForGivenResource, message = Invalid ApiKey for given resource, associated contexts = []}"}
ACCEPTED SOLUTION

anshul_
Participant IV

1. As suggested by Srinandan, we can use the management APIs to overwrite the key/cert pair with ours.

2. (In case we don't want to use the vault) We can create an API proxy which can verify the API key, create a JWT signed with our private key and send it in the response. We can configure verify_api_key_url in the configuration file with that API's endpoint.

REPLIES

Are you attempting to use a free or paid org with edgemicro currently?

-Matt

Former Community Member
Not applicable

That error appears to be from an Edge policy and not EM. Please see my note about API products in the other section.

anshul_
Participant IV

Hi Matt,

I am using a paid org. I didn't add the edgemicro-auth API to the product, because of which the verify-API-key validation in the edgemicro-auth API was failing. But now the edgemicro-auth API is working as expected, but the edgemicro gateway is giving 401.

Does this response code also have a response body?

Yes, that is { "error": "invalid_token" }

anshul_
Participant IV

API key validation is not working in the Apigee edge micro-gateway even when all the configuration is in place.

After some investigation, we have figured out that EM doesn't support API key validation when someone uses their own certificate to sign and validate the JWT token instead of the one created by Apigee.


So, as per my understanding, this is how it is working:

1. A valid API key is passed in the x-api-key header.
2. EM requests the edgemicro-auth API to verify the API key and in response gets a JWT, which is signed with the private key stored in the secure vault 'microgateway'.
3. EM validates the JWT against the certificate downloaded from the URL configured as jwt_public_key in the configuration YAML. Once the JWT is validated, the request is forwarded to the backend.

So, our problem lies in the last step, as EM cannot validate the JWT because it is signed and verified using different certificates. When I change the value of jwt_public_key to the default value provided by Apigee it works fine.

@aagrawal

Unfortunately, I have the same issue when I use the default certificate created by Edge Microgateway. I also receive 403 access denied, and I was troubleshooting this issue as well with Edge on-premises 4.16.09.02. I don't think this is related to the certificates.

The error originates in Edge, not in Edgemicro. Once the error is returned from Edge to EM, EM changes the error message. I think the issue is in the apigee-access module. For some reason this module is not able to validate the provided API key, so it returns the error "access denied".

@swilliams @Srinandan Sridhar

I am currently using EM v2.5.12, and I am facing the same while accessing the proxies, in both cases (x-api-key and OAuth JWT). Any solution for this yet?

{
    "error": "access_denied"
}

Former Community Member
Not applicable

This is an old thread. Can you please open a new thread and explain what you did and what error you're seeing?
