what is the use of consumer secret in an api request to an api proxy of security type 'api key'


When you secure your API proxy using either the API key type or OAuth and use their relevant API products in your app, you get a consumer key and a consumer secret. In the case of OAuth you exchange these two for an access token, which you then use in your API request headers. But in the case of the API key authentication type, you can just pass the consumer key (which is also referred to as the API key in the documentation: http://docs.apigee.com/tutorials/secure-calls-your-api-through-api-key-validation). If the app just needs an API key to proceed with sending requests, what is the point in issuing a secret as well? Is it used for any other purpose?

1 ACCEPTED SOLUTION

@msm ,

In API Key Verification, yes, the secret is not used. In general, Apigee generates both keys. It's up to you which security mechanism you would like to use. Depending on the security mechanism you choose, you will use the API Key and/or the Secret.

Hope it helps.


Just an addendum....

In API Key verification, the secret is not used, as Anil said.

BUT, it is possible to compose multiple levels of security into a single system.

For example, imagine an API that requires an HMAC of the payload to be sent in the header. (An HMAC is just a keyed MAC). In this case, the consumer key is the ... API key, and the consumer secret is the "shared secret" that is used by the client for computing the HMAC and used by the server (API Proxy in this case) for verifying the HMAC.

The request would look like:

POST /foo/bar
Host: my-api.example.com
APIKey: 238hckjshcf9834rudd
HMAC: 94380984059849209432uj3wrj93493
...

...and the way the client produces the HMAC is

hmac = HmacFunction(key, message)

...where key is the consumer secret and "message" is whatever is being MAC'd. Like the message payload, or ... some combination of the URL path, the headers, and the date, or... anything you like.

OAuth 1.0a used basically this method.

The way you would implement this in Apigee Edge is:

  • VerifyApiKey - to verify the inbound API Key. This step also implicitly loads the consumer secret into the message context, in the API Proxy.
  • JS or Java callout to compute the HMAC, using whatever payload is appropriate and the consumer secret that was loaded in the prior step.
  • Throw a fault if the computed HMAC does not match the transmitted HMAC. You can do this in the proxy flow, or in the JS or Java callout.

There is a Java callout published here that calculates and verifies HMACs, along with a working demonstration proxy.