We have a set of APIs, but we do not have any security mechanism implemented so far.
Our APIs will be accessed by web/mobile clients, so we are thinking of implementing the client_credentials grant type.
As the APIs are already in place, we want to enforce security at the global level (through the flow hook precondition) by creating a shared flow that validates the auth token.
I followed the link - https://docs.apigee.com/api-platform/tutorials/secure-calls-your-api-through-oauth-20-client-credent...
I will be generating the token through the OAuth proxy that is bundled/provided by default.
But if I use the pre-flow and attach the shared flow there, then even when calling the OAuth endpoint /oauth/client_credential/accesstoken?grant_type=client_credentials to generate the token, I get the exception that should only occur when validating a token:
{ "fault": { "faultstring": "Invalid Access Token", "detail": { "errorcode": "keymanagement.service.invalid_access_token" } } }
How can I apply it to all proxies/endpoints except OAuth? Is there any other, better alternative way to handle this?
Hi,
Not sure of the exact solution for this problem, but I have one work-around. You can check conditions like the one below in your shared-flow bundle to not execute the proxy in specific cases:
<Step>
    <!-- "**" matches all remaining path segments; a single "*" matches only one segment -->
    <Condition>(!request.path MatchesPath "/oauth/**")</Condition>
    <Name>APIkeyVerify</Name>
</Step>
Yes - use a condition in the logic of the SharedFlow to avoid validating the token if the request is to obtain a new token.
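Both answers describe the same shape: a shared flow attached to the environment's PreProxyFlowHook, whose token-verification step is skipped only for the token endpoint. The bundle below is an added example, not code from the question or either answer; the shared flow name `default`, the policy name `OAuthV2-VerifyAccessToken`, and the `/oauth/**` path prefix of the bundled OAuth proxy are assumptions. Every other proxy in the environment still has its Bearer token verified before its own PreFlow runs.

```xml
<!-- sharedflows/default.xml : the shared flow attached to PreProxyFlowHook (assumed name "default") -->
<SharedFlow name="default">
  <Step>
    <!-- Skip verification only for the token endpoint served by the bundled OAuth proxy.
         request.path is the full resource path without the query string, so the
         basepath is included; "**" covers every path segment under /oauth/. -->
    <Condition>!(request.path MatchesPath "/oauth/**")</Condition>
    <Name>OAuthV2-VerifyAccessToken</Name>
  </Step>
</SharedFlow>

<!-- policies/OAuthV2-VerifyAccessToken.xml : rejects any request without a valid Bearer token
     (assumed policy name; "Invalid Access Token" is the fault this policy raises on failure) -->
<OAuthV2 name="OAuthV2-VerifyAccessToken">
  <DisplayName>OAuthV2-VerifyAccessToken</DisplayName>
  <Operation>VerifyAccessToken</Operation>
  <!-- Default prefix; the token is read from "Authorization: Bearer <token>" -->
  <AccessTokenPrefix>Bearer</AccessTokenPrefix>
</OAuthV2>
```

Deploy the shared flow, then point the environment's PreProxyFlowHook at it; the condition is what prevents the flow hook from rejecting the very call that mints the token. Exempting the path only decides when the verification step runs: the token endpoint itself still authenticates the caller through the GenerateAccessToken policy inside the bundled OAuth proxy, so no proxy becomes reachable without credentials.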