Product resource setup not working


I am not able to restrict developer apps from accessing my APIs. Please help.

My product setup:

Resources
  Resource Path: /customers/*
API Proxy: DemoProxy
Developer Apps: MyApp

Now I am using the client_id and client_secret for MyApp (from the Developer App Details page) to access the following URLs:

  1. /v1/demoproxy/customers/
  2. /v1/demoproxy/customers/123
  3. /v1/demoproxy/customers/123/accounts

From my understanding, the current setup that I have should have allowed MyApp to access only #2 above. But in my case I am able to access all 3.

Note: I do have verify API key enabled on DemoProxy.

What am I missing here?


sydub7
Participant IV

I tried your scenario and it worked for me. I have access only to #2, and it gives the following error for #1 and #3:

{
    "fault": {
        "faultstring": "Invalid ApiKey for given resource",
        "detail": {
            "errorcode": "oauth.v2.InvalidApiKeyForGivenResource"
        }
    }
}

Attached are the screenshots for product configuration and all 3 results.


@Ritwik Chatterjee,

I created a sample proxy with the basepath '/v1/demoproxy' and set up the resource path as '/customers/*' in the API Product, similar to what you described.

I made the API calls as per your example and found that I got a successful response only for the following paths:

/v1/demoproxy/customers/123
/v1/demoproxy/customers/123/

I got a 401 Unauthorized error for the following paths:

/v1/demoproxy/customers
/v1/demoproxy/customers/
/v1/demoproxy/customers/123/accounts

This is the expected behaviour. Please refer to this doc for more information on the behaviour of APIs based on the resource path set to '/', '/*', or '/**'.

Considering that you are seeing a different behaviour, I suspect there must be some difference in the settings or the way the API calls are made. Can you please recheck the paths used at your end? If you still have any issues, please share the trace file or org and API proxy names. I can investigate the issue and get back to you.
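
The matching behaviour reported in the second reply, as an added example that is not part of the thread and is not Apigee's code: a small model of product resource-path matching that can be used to check which request paths a product is expected to allow before testing against the gateway. The function names are hypothetical, and the handling of '/' and '**' (any depth below the prefix) is an assumption; only the '/customers/*' results come from the thread.

```python
import re

def suffix(request_path, basepath):
    """Return the path after the proxy basepath, or None if it does not apply."""
    if request_path == basepath:
        return ""
    if request_path.startswith(basepath + "/"):
        return request_path[len(basepath):]
    return None

def compile_resource(resource):
    """Translate a product resource path into a regex (modelled semantics)."""
    if resource == "/":
        return re.compile(r"(/.*)?")  # assumption: basepath and everything below
    parts = []
    for seg in resource.strip("/").split("/"):
        if seg == "**":
            parts.append(r"[^/]+(?:/[^/]+)*")  # assumption: one or more segments
        elif seg == "*":
            parts.append(r"[^/]+")             # exactly one non-empty segment
        else:
            parts.append(re.escape(seg))
    # A single trailing slash is tolerated, as in the reply's /customers/123/ result.
    return re.compile("/" + "/".join(parts) + "/?")

def allowed(request_path, basepath, resources):
    """True if any resource path of the product covers the request path."""
    s = suffix(request_path, basepath)
    if s is None:
        return False
    return any(compile_resource(r).fullmatch(s) for r in resources)

def audit(basepath, resources, expectations):
    """Return the paths whose modelled result differs from the expected one."""
    return [p for p, want in expectations.items()
            if allowed(p, basepath, resources) != want]

# Expectations taken from the paths listed in the second reply.
EXPECTED = {
    "/v1/demoproxy/customers": False,
    "/v1/demoproxy/customers/": False,
    "/v1/demoproxy/customers/123": True,
    "/v1/demoproxy/customers/123/": True,
    "/v1/demoproxy/customers/123/accounts": False,
}

if __name__ == "__main__":
    print(audit("/v1/demoproxy", ["/customers/*"], EXPECTED))  # no mismatches
    print(audit("/v1/demoproxy", ["/"], EXPECTED))             # over-broad product
```

A non-empty result from `audit` means the product's resource paths grant or deny something other than what was intended, which is the situation the original question describes.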