Apigee-PCF route service with microgateway


We are doing a POC on using Apigee microgateway with a PCF on-premise environment but are encountering some issues.

Let’s say, we have already put an echo app on PCF with some URL “http://xxxxxx.spi-pcf.example.com/mgpoc/” which just has dummy echo logic.

Our local microgateway.

We already set up the Apigee microgateway on our own PC, and we are able to call the echo app through this local microgateway with an “x-api-key”.

GET http://<my PC’s microgateway>/mgpoc/

x-api-key: Ryx….

I can call the app through this local microgateway with an authorization bearer token as well, like this:

GET http://<my PC’s microgateway>/mgpoc/

Authorization: Bearer eyJhb…..

Microgateway on PCF

We also deployed the microgateway on PCF as an app instance and it is fine as well.

GET http://<PCF microgateway app>/mgpoc/

x-api-key: Ryx….

GET http://<PCF microgateway app>/mgpoc/

Authorization: Bearer eyJhb…..

Both calls are OK.

Failed when trying with PCF-apigee routing service broker

However, we tried following the Apigee docs to set up the PCF Apigee route service (microgateway) and bind the app to the route service:

https://github.com/apigee/pivotal-cf-apigee/tree/master/apigee-cf-service-broker#microgateway

And then when we call the echo app again, it fails.

HTTP/1.1 401 Unauthorized
Content-Length: 84
Content-Type: application/json
X-Vcap-Request-Id: ....

{
"error": "missing_authorization",
"error_description": "Missing Authorization header"
}

It said 401 Unauthorized and asked me to put the Authorization header.

We tried again to call by passing “x-api-key: …” or “Authorization: Bearer …” headers. But it is always returning 403 Forbidden like this:

HTTP/1.1 403 Forbidden
Content-Type: application/json
X-Response-Time: 1757
X-Vcap-Request-Id: ....
Content-Length: 25

{
"error": "access_denied"
}

Do you know any reason why, after we bound the app to the route service, the app service call with an API key/Authorization header would get the 403 access denied error?


Former Community Member
@Airic

There are a couple of issues here:

#1: How to access PCF apps protected by MG?

When using the Microgateway as a service broker, you should be accessing your PCF application as you always did. In your example that would be:

http://xxxxxx.spi-pcf.example.com/mgpoc/

If microgateway was configured correctly, then a call made to that URL is in fact sent to MG first. After MG has validated the request, the call is forwarded to your CF application. You shouldn't have to access the MG app endpoint directly.

Please see this link for a lab exercise on how this works.

#2: How to allow consumers access to PCF apps?

When the "cf bind-route-service" command is run, an Apigee API Proxy is deployed. It follows the convention edgemicro_{something}.

If you want to protect the PCF app with API Keys or OAuth, then you must create an API Product with at least the following info:

  • Add the edgemicro_{something} API Proxy
  • Add the edgemicro-auth API Proxy
  • Custom Resources for: / and /** (this is only if you want the entire API to be available; you can edit this to make portions of the API available)
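
A checker for the API Product checklist in the reply above, added here as an example; it is not part of the original thread and is not Apigee's code. It assumes API products exported as JSON with the `proxies` and `apiResources` fields of the Apigee Edge API product representation; the product names and the two `edgemicro_` proxy names are constructed.

```python
import json

AUTH_PROXY = "edgemicro-auth"
WHOLE_API = {"/", "/**"}  # custom resources the reply lists for exposing the entire API

# Constructed sample: products attached to the app whose key or token is sent.
# "edgemicro_local-poc" stands for a proxy used with a standalone microgateway,
# "edgemicro_route-bound" for the one deployed by "cf bind-route-service".
PRODUCTS = json.loads("""
[
  {"name": "mgpoc-product",
   "proxies": ["edgemicro_local-poc", "edgemicro-auth"],
   "apiResources": ["/", "/**"]},
  {"name": "partial-product",
   "proxies": ["edgemicro_route-bound"],
   "apiResources": ["/"]}
]
""")


def product_gaps(product, bound_proxy):
    """Compare one API product with the checklist for the given proxy."""
    if not bound_proxy.startswith("edgemicro_"):
        raise ValueError("expected a proxy named edgemicro_{something}")
    proxies = set(product.get("proxies") or [])
    resources = set(product.get("apiResources") or [])
    return {
        # Both proxies must be listed in the product.
        "missing_proxies": [p for p in (bound_proxy, AUTH_PROXY) if p not in proxies],
        # Informational: a narrower resource list is valid when only part of
        # the API is meant to be exposed.
        "missing_whole_api_resources": sorted(WHOLE_API - resources),
    }


def audit(products, bound_proxy):
    """Map product name -> gaps, for every product attached to the app."""
    return {p["name"]: product_gaps(p, bound_proxy) for p in products}


if __name__ == "__main__":
    for proxy in ("edgemicro_local-poc", "edgemicro_route-bound"):
        for name, gaps in audit(PRODUCTS, proxy).items():
            print(proxy, name, gaps)
```

In the constructed data, `mgpoc-product` is complete for the standalone proxy but lacks the proxy created by the route-service binding, which is the kind of gap the checklist is meant to close.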