Consumer key, secret expiration vs access token expiration


In configuring OAuth2 in Apigee, we can set a validity period for the app consumer key and secret pair via the UI, and for the access token by modifying the XML of the OAuth proxy (by modifying the value of the <ExpiresIn> element). In case the access token expires, we can use the current consumer key and secret pair to regenerate an access token. What if the consumer key and secret pair expires? Is there a way to regenerate them as well? I would also like to know the use of limiting the lifetime of the consumer key and secret pair, because an access token set to expire within a given time already assures limited access to the backend API. (IMO)

And in case the API key security type was used in creating the API proxy, then we only need the API key (which is the same as the consumer key in the Apigee context) to send an API request. In that case, if we opt to set a time limit for the consumer key and secret pair, that means the API key associated with the proxy also expires. If we need to invoke the API again, then we need to use the new consumer key as our API key. This is a bit confusing, because I thought API keys do not have a time limit, whereas access tokens used in OAuth have both a time limit and a scope.

In short, I am just trying to figure out how Apigee has implemented the concepts of OAuth and API keys to secure APIs.
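For reference, the policy element the question refers to, as an added example that is not taken from the thread: an Apigee OAuthV2 policy that issues a client_credentials access token valid for 30 minutes. The policy name is an assumed one.

```xml
<!-- Added example, not from the thread. ExpiresIn is given in milliseconds:
     1800000 ms = 30 minutes. The policy name "GenerateAccessToken" is assumed. -->
<OAuthV2 name="GenerateAccessToken">
  <Operation>GenerateAccessToken</Operation>
  <ExpiresIn>1800000</ExpiresIn>
  <SupportedGrantTypes>
    <GrantType>client_credentials</GrantType>
  </SupportedGrantTypes>
  <!-- where the grant_type value is read from on the token request -->
  <GrantType>request.formparam.grant_type</GrantType>
  <GenerateResponse enabled="true"/>
</OAuthV2>
```

The consumer key and secret are presented as HTTP Basic credentials on the token request itself, so an expired key/secret pair is rejected at that step, before the token lifetime set by ExpiresIn comes into play.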


Hi @msm

That is right. If the client key and secret are time bound, they would expire after that. These are generally use-case driven. There could be apps that are created just to validate and perform a trial on various products. For those scenarios, these time-based keys/secrets are useful. You don't have to worry about going back and revoking them; it's taken care of automatically.

These are just features that are supported by the product, and it's up to the developer (consumer) to set up his app accordingly.

As you mentioned, if the key and secret expire, then the calls to the API will fail and also the call to generate the token will fail. The developer will need to re-configure the app, regenerate the pair, and use that going forward.

Hope this helps.


Thanks, that was helpful.