Need help with accessing Management API using OAuth2


I want to set up an Apigee deployment task in a CD pipeline in VSTS.

Ref: https://apidocs.apigee.com/api-reference/content/using-oauth2-security-apigee-edge-management-api

There are two ways to access the Management API: 1. Basic Auth, 2. OAuth2.

The easy option is to use Basic Auth in the CD, i.e. create a new user specifically for automation work and put its username and password in the release definitions in VSTS, but from a security perspective it's not safe. So we decided to go with the OAuth2 approach.

Referring to the above doc, I see that the tokens generated by (https://login.apigee.com/oauth/token) have a fixed TTL, i.e. 30 mins, and the refresh token has a TTL of 24 hours. But for automation, I want to generate tokens with a long TTL, say 1 year, so that I do not have to go and update tokens every day in VSTS or any build server.


So is there any way to generate tokens with custom TTL for Management API?


No, there is no way to ask for a custom TTL, for example a 1-year lifetime. But: you can use the refresh-token endpoint to get a fresh token after your existing token expires.

The logic you use in your CI/CD pipeline should be smart enough to check for expiry on the token and auto-refresh it. Suppose your pipeline requires you to call 4 Administrative API calls in succession. Before each API call you probably want to check the expiry of the token, and if it will expire within 60 seconds, then you should refresh the token first, and then call the API call. For a larger margin of safety, you can turn that up to 180 seconds.

The access token is good for 30 minutes. But the refresh token, in my experience, is good for at least 7 days. Maybe more (sorry, I don't know for sure). This means if you have a 7-day old refresh token, you can get a new access token by just passing the refresh token to the /token endpoint.

For Apigee Edge Admin APIs, the logic to get a new token, or to refresh an existing token, looks like this (pseudo-code):

  var https = require('https'), querystring = require('querystring');
  var conn = { user: process.env.APIGEE_USER }; // the original assumed a `conn` holding the account name
  function merge(a, b) { return Object.assign({}, a, b); } // shallow merge; assumed by the original
  // POST the form to the Edge token endpoint and hand the parsed JSON to cb(err, token); filled in here because the original left it undefined.
  function invokeTokenEndpoint(formparams, cb) {
    var body = querystring.stringify(formparams);
    var headers = {
      'Content-Type': 'application/x-www-form-urlencoded;charset=utf-8',
      'Accept': 'application/json;charset=utf-8',
      'Authorization': 'Basic ZWRnZWNsaTplZGdlY2xpc2VjcmV0', // edgecli:edgeclisecret, the fixed client id/secret for this endpoint
      'Content-Length': Buffer.byteLength(body)
    };
    var req = https.request({ hostname: 'login.apigee.com', path: '/oauth/token', method: 'POST', headers: headers }, function(res) {
      var chunks = [];
      res.on('data', function(c) { chunks.push(c); });
      res.on('end', function() {
        var text = Buffer.concat(chunks).toString('utf8');
        if (res.statusCode !== 200) { return cb(new Error('token endpoint returned HTTP ' + res.statusCode + ': ' + text)); }
        try { cb(null, JSON.parse(text)); } catch (e) { cb(e); }
      });
    });
    req.on('error', cb);
    req.end(body);
  }
  // exchange the refresh token from an expired token object for a fresh access token
  function refreshToken(expiredToken, cb) {
    var formparams = {
          refresh_token: expiredToken.refresh_token,
          grant_type : 'refresh_token'
        };
    return invokeTokenEndpoint(formparams, cb);
  }
  // obtain a brand-new token; arg1 is either a password string or an object with passcode, or password (+ optional mfa_token)
  function getNewToken(arg1, cb) {
    var formparams = { grant_type : 'password' };
    if ( typeof arg1 === 'string' ) {
      formparams = merge(formparams, { username: conn.user, password: arg1 });
    }
    else if (arg1.passcode) {
      formparams = merge(formparams, { response_type: 'token', passcode: arg1.passcode });
    }
    else if (arg1.password) {
      formparams = merge(formparams, { username: conn.user, password: arg1.password });
      if (arg1.mfa_token) {
        formparams = merge(formparams, { mfa_token: arg1.mfa_token });
      }
    }
    return invokeTokenEndpoint(formparams, cb);
  }

This sort of logic is built into apigee-edge-js, a JavaScript library for invoking the Admin API of Apigee Edge, suitable for use from within Node.js scripts. It's also built into the PowerShell module for the Apigee Edge Admin API.

Both of them follow the same kind of logic.

  1. upon first use, look in a well-known location for an existing token for the Apigee Edge Admin API
  2. is a token available?
    1. yes: check the expiry of the token. Is the token expired (or will it expire soon, like within 60 seconds)?
      1. yes: call the refresh token endpoint. stash the new token in the well-known location.
      2. no: nothing to do
    2. no (no token is available): obtain a new one using one of the mechanisms (username/password, passcode, MFA). stash the token in the well-known location.
  3. use the token

If you have some other scripting tool, you'd need to implement something to parallel that. OR, you could just use one of THOSE things, to refresh and stash the token, then use the stashed token from something else. (bash script, or C#, or whatever)

Hi @Dino, so the TTL is not changeable, but is the token (from /oauth/token) revocable? Did not find it in the docs.

https://docs.apigee.com/api-platform/system-administration/management-api-tokens

Not as far as I know.