Developer App Credentials, IP whitelisting?

We use the developer portal to allow authenticated users to create developer apps with a set of credentials for access to our APIs. I would like to add the ability to lock certain sets of credentials to be functional only for API calls that come from certain whitelisted IPs. Preferably, these IPs would be set in the developer portal also, by the user in question administering their own API credentials.


My initial thinking is that this should be possible, but I'm not sure if so and where I would go to implement it. Can custom attributes be added to products or developer apps that would add a form to the developer portal for this IP to be saved? I presume it would need to be saved in such a way that in our API proxy flows we can access it after the API key was validated.

Does this sound like something that should be straightforward & accomplishable? Can you point me towards the right documentation to implement it?

1 REPLY

> I would like to add the ability to lock certain sets of credentials to be functional only for API calls that come from certain whitelisted IPs

As you probably know, in Apigee Edge it is possible to attach meta-data to any entity under management. So you could attach a list of IP addresses or ranges to the developer entity. Then, any credential under that developer would be restricted to those IP ranges.

Or, you could attach the IP address ranges directly to the credential itself. Then if there are multiple credentials, each might get a different IP address range restriction.

Implementing the restriction at runtime will not be difficult. You need to verify the credentials via VerifyApiKey or similar. That will implicitly bring into the message context the custom attributes including the IP Addresses.

Then you can include a step protected by a condition: "If the address custom attribute exists, then apply an AccessControl policy". (Or you could do the same with a JavaScript step.)

The trickiest part is producing the user interface in the developer portal to allow the developer to inquire and set the IP Address ranges for the credential or for the developer. This isn't "hard" but will require some Drupal customization.
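The JavaScript-step variant mentioned in the reply above could look like the following. This is an added example, not code from the thread or from Apigee; the policy name `Verify-API-Key`, the custom attribute name `allowed_ips`, its comma-separated IPv4/CIDR format and the output variable `ipcheck.allowed` are all assumptions.

```javascript
// Added example (not from the thread). ES5: runs in Node and in an Apigee Edge JavaScript policy.

// Dotted-quad IPv4 -> unsigned 32-bit integer, or null if malformed.
function ipv4ToInt(ip) {
  var parts = String(ip).trim().split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i])) return null;
    var octet = parseInt(parts[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True if ip is inside entry ("a.b.c.d" or "a.b.c.d/nn"); malformed -> false.
function matchesEntry(ip, entry) {
  var pieces = entry.trim().split("/");
  var base = ipv4ToInt(pieces[0]);
  var addr = ipv4ToInt(ip);
  if (base === null || addr === null || pieces.length > 2) return false;
  var bits = 32;
  if (pieces.length === 2) {
    if (!/^\d{1,2}$/.test(pieces[1])) return false;
    bits = parseInt(pieces[1], 10);
    if (bits > 32) return false;
  }
  var size = Math.pow(2, 32 - bits); // number of addresses in the range
  return Math.floor(addr / size) === Math.floor(base / size);
}

// allowList is the comma-separated attribute value; absent or empty means
// the credential carries no IP restriction.
function isIpAllowed(clientIp, allowList) {
  if (allowList == null || String(allowList).trim() === "") return true;
  var entries = String(allowList).split(",");
  for (var i = 0; i < entries.length; i++) {
    if (matchesEntry(clientIp, entries[i])) return true;
  }
  return false;
}

// Proxy glue. Assumed names: policy "Verify-API-Key", attribute "allowed_ips".
if (typeof context === "object" && context !== null) {
  var list = context.getVariable("verifyapikey.Verify-API-Key.allowed_ips");
  var ip = context.getVariable("proxy.client.ip");
  context.setVariable("ipcheck.allowed", isIpAllowed(ip, list));
}
```

A later step conditioned on `ipcheck.allowed = false` would reject the call. Malformed list entries never match, so a typo in the attribute locks the credential out rather than opening it up.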