ClientKey (APIKey) validation is successful if a developer app is not associated with the product (API invoked)


All,

Can you please help us with this?

Please find below the steps :

Step 1 - Remove the API Product (i.e. Authorisation – Internal) from the newly created Dev App, such as Stream5 - QA - V2 - Client - XXX - Tomcat – Authorisation. Then hit the V2 - Authorisation endpoint for one of the markets belonging to XXX.

Expected: The call to (V2 - Authorisation – Internal Proxy) should fail with a security error at the VerifyClientKey policy level, as a dev app is trying to access a proxy in an API Product it is not subscribed to.

Actual: The call went through successfully, returning the required set of data such as the API key for that market.

Please note 'Key Approval Type' is set to Manual and still the call doesn't fail, and we are able to access the proxy.

Regards

Girish


Yes, I think I understand.

You have a developer app, and it has a credential with no API Product associated to it. When you use that credential at runtime, the credential is approved for use with any API Proxy.

I think this is working as designed. As described in this article written by the intrepid Will Witman (@wwitman), the Developer App / Product / Proxy configuration is a means for restricting access to various resources. The scenario described in that article is different, but related.

The point is: you must include an API Product if you want to restrict the use of the API Key. And in the API Product, you must include at least one API Proxy.

Second - the Key Approval Type applies to an API Product.

[image: 5993-key-approval-type.png]

It affects whether keys requested for that API Product will be approved manually when requested by the developer signed into the devportal. The setting of Key Approval Type does not affect existing keys or credentials. Think of it this way: Key Approval Type affects the status of future keys (credentials) requested through the devportal. But existing apps and credentials (keys) have a status all their own.

If the app is Approved and the Credential is Approved, and if the product within the credential is approved, then the credential will be accepted, irrespective of the status of "Key Approval Type" on the API Product. You can see the three relevant things on the dev app details page:

[image: 5995-dev-app-details.png]

One could say that this model is perhaps "too flexible". Who wants to set the approval status of an individual product on an individual credential? But some people do. Anyway, this is the model we have. If all of those are "approved" then the credential is valid. If there is no API Product listed for the credential, then the credential is valid for all.

Note - if you have removed all API Products from your credential, then ... obviously the Key Approval Type setting on a particular API Product will have no effect on any credential in any developer app.

Does this help?

I guess the tl;dr is: "don't remove all the API Products from your credentials, and expect them to still restrict access."
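As an added example (not part of the original thread), the approval rule described in the reply above, expressed as a small Python audit script that also flags credentials with no API Product attached, since those are accepted by any proxy. The developer-app JSON shape is an assumption modelled on the Apigee Edge management API representation; the app data, product and proxy names are constructed.

```python
# Added example, not from the original post. Mirrors the rule in the reply:
# app approved + credential approved + (if products attached) an approved product
# that includes the proxy. No products attached => accepted by any proxy.
# JSON shape is an ASSUMED approximation of the Apigee Edge developer-app record;
# all values below are constructed sample data.
import json

SAMPLE_APP = json.loads("""
{
  "name": "Stream5 - QA - V2 - Client - XXX - Tomcat - Authorisation",
  "status": "approved",
  "credentials": [
    {"consumerKey": "key-with-product", "status": "approved",
     "apiProducts": [{"apiproduct": "Authorisation - Internal", "status": "approved"}]},
    {"consumerKey": "key-pending-product", "status": "approved",
     "apiProducts": [{"apiproduct": "Authorisation - Internal", "status": "pending"}]},
    {"consumerKey": "key-no-products", "status": "approved", "apiProducts": []}
  ]
}
""")

# Constructed product definitions: product name -> proxies it contains.
PRODUCT_PROXIES = {"Authorisation - Internal": {"V2-Authorisation-Internal"}}


def credential_accepted(app, cred, proxy):
    """Return True if VerifyAPIKey would accept this credential for `proxy`."""
    if app["status"] != "approved" or cred["status"] != "approved":
        return False
    if not cred["apiProducts"]:
        return True  # no product restriction at all: valid for every proxy
    return any(p["status"] == "approved"
               and proxy in PRODUCT_PROXIES.get(p["apiproduct"], set())
               for p in cred["apiProducts"])


def unrestricted_keys(app):
    """Audit check: approved credentials with no API Product, i.e. valid everywhere."""
    return [c["consumerKey"] for c in app["credentials"]
            if c["status"] == "approved" and not c["apiProducts"]]


if __name__ == "__main__":
    for c in SAMPLE_APP["credentials"]:
        print(c["consumerKey"],
              credential_accepted(SAMPLE_APP, c, "V2-Authorisation-Internal"),
              credential_accepted(SAMPLE_APP, c, "SomeOtherProxy"))
    print("unrestricted:", unrestricted_keys(SAMPLE_APP))
```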