AEM - API key validation doesn't work when custom certificates are configured

API key validation is not working in Apigee Edge Microgateway even when all the configuration is in place.


After some investigation, we have figured out that AEM doesn't support API key validation when someone uses their own certificate to sign and validate the JWT instead of the one created by Apigee.


So, as per my understanding, this is how it works:

1. A valid API key is passed in the x-api-key header.
2. EM calls the edgemicro-auth API to verify the API key and in response gets a JWT, which is signed with the private key stored in the secure vault 'microgateway'.
3. EM validates the JWT against the certificate downloaded from the URL configured as jwt_public_key in the configuration YAML. Once the JWT is validated, the request is forwarded to the backend.

So our problem lies in the last step, as EM cannot validate the JWT because it is signed and verified using different certificates. When I point jwt_public_key to the default certs provided by Apigee, it works fine.


@Srinandan Sridhar, starting this new thread as you suggested.

Former Community Member

Thank you @aagrawal

You are largely correct about how things work. EM does not call Edge (publicKey) for every API call. It is called at startup and reload.

You can see the public key by accessing the endpoint as https://{org}-{env}.apigee.net/edgemicro-auth/publicKey

The information (JWT) needed to validate an API key is provided by https://{org}-{env}.apigee.net/edgemicro-auth/verifyApiKey

The response of this API call is a JWT (signed). The code that produces the JWT uses a private key that is stored in the vault. The public key that EM has access to must match with the private key used to sign the JWT.

When the edgemicro configure command is run (for the first time against an org/env), the public/private key pair is generated and stored in the vault (vault name: microgateway).

You can use management APIs to overwrite the key/cert pair with your own; it should work. I have tried it before and it didn't cause any problems.

Thanks @Srinandan Sridhar. Then we have two workarounds:

1. As you suggested, we can use management APIs to overwrite the key/cert pair with ours.
2. (In case we don't want to use the vault) We can create an API proxy which verifies the API key, creates a JWT signed with our private key and sends it in the response. We can configure verify_api_key_url in the configuration file with that API's endpoint.

Former Community Member

Yes, that'll work, as long as the verify_api_key_url points to an endpoint that returns a public key (which can be used to verify the JWT).