authentication based on app name

Dear Team,

I have one endpoint, /customers/retail.

I would like to specify authentication based on app name.

The requirement is this:

App1 should use "apikey" and

App2 should use an OAuth2 token for the same endpoint.


Is this solution possible?


One method I found was passing the apikey in both App1 and App2.

However, this seems crude to me.

Are there any better solutions, please? 🙂 Any help is really appreciated.


Best Regards

Sujith Mathew

2 ACCEPTED SOLUTIONS

Yes, possible. But you will need to do some extra processing in your Proxy to handle the case.

You will need to have a flow like this:

<!-- Neither credential present -->
<Step>
  <Condition>(request.header.Authorization = null) and (request.header.apikey = null)</Condition>
  <Name>RaiseFault-MissingCredentials</Name>
</Step>

<!-- Both credentials present -->
<Step>
  <Condition>NOT (request.header.Authorization = null) and NOT (request.header.apikey = null)</Condition>
  <Name>RaiseFault-WrongCredentials</Name>
</Step>

<!-- Only an apikey present: verifying it populates developer.app.name -->
<Step>
  <Condition>NOT (request.header.apikey = null)</Condition>
  <Name>VerifyApiKey</Name>
</Step>

<!-- Only a token present: verifying it populates access_token and developer.app.name -->
<Step>
  <Condition>NOT (request.header.Authorization = null)</Condition>
  <Name>OAuthV2-VerifyAccessToken</Name>
</Step>

<!-- App1 is the apikey app, so a verified token from it is the wrong credential -->
<Step>
  <Condition>(NOT (access_token = null)) and (developer.app.name = "App1")</Condition>
  <Name>RaiseFault-IncorrectCredentials</Name>
</Step>

<!-- App2 is the token app, so no access_token here means it used an apikey -->
<Step>
  <Condition>(access_token = null) and (developer.app.name = "App2")</Condition>
  <Name>RaiseFault-IncorrectCredentials</Name>
</Step>

I don't like the idea, because this implies hard-coding app names into the API Proxy. A better approach would be to examine a custom attribute on the API Product or on the App that indicates the kind of credential that is required.

The flow for that would be similar. The key thing is you need to verify the credentials (apikey or token) first, in order to figure out the name of the developer app.


Just thinking out loud: you can set a flag in the app's custom attributes, if control is not an issue for you, to check whether OAuth token validation is required or not.

[Image: custom-attribute.png]

Disadvantage: the VerifyAPIKey policy is going to be executed in both cases.

Advantage: you will not hard-code the app name in your condition and can create multiple apps of both categories without modifying the proxy in any way.

<!-- Always verify the key; this populates verifyapikey.VerifyAPIKey.* including the app's custom attributes -->
<Step>
  <Name>VerifyAPIKey</Name>
</Step>
<!-- Only apps whose custom attribute isOAuthValidationRequired is true also get token validation -->
<Step>
  <Name>SharedFlow-VerifyAccessToken</Name>
  <Condition>(verifyapikey.VerifyAPIKey.isOAuthValidationRequired = true)</Condition>
</Step>

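The two accepted answers together describe one design: verify the key for every app (second answer) and decide what else is required from a custom attribute rather than from a hard-coded app name (first answer). Below is that design written out as a complete ProxyEndpoint PreFlow plus the policies the steps reference. This is an added example, not code posted in this thread; the policy names, the app custom attribute name "credentialType" and its values "apikey" / "oauth2" are assumptions, and the flow variables used are the ones Apigee documents for the VerifyAPIKey and OAuthV2 policies. It goes slightly beyond the answers in two ways: an app with no recognised credentialType is rejected (fail closed, instead of silently becoming a key-only app as a "= true" check would do), and a key-only app that also sends a bearer token is rejected, matching the original requirement that App1 use the key and nothing else.

```xml
<!-- proxies/default.xml: PreFlow of the ProxyEndpoint that fronts /customers/retail.
     Added example; policy names and the app attribute "credentialType" are assumptions. -->
<PreFlow name="PreFlow">
  <Request>
    <!-- Every app presents its consumer key; without it there is nothing to look up.
         VerifyAPIKey would fault on its own, this step just gives a clearer 401. -->
    <Step>
      <Condition>request.header.apikey = null</Condition>
      <Name>RaiseFault-MissingCredentials</Name>
    </Step>
    <!-- Populates verifyapikey.VerifyAPIKey.* including the app's custom attributes,
         exposed as verifyapikey.{policy_name}.{attribute_name}. -->
    <Step>
      <Name>VerifyAPIKey</Name>
    </Step>
    <!-- Fail closed: an app whose credentialType is missing or misspelled is rejected
         rather than treated as key-only. -->
    <Step>
      <Condition>(NOT (verifyapikey.VerifyAPIKey.credentialType = "apikey")) and (NOT (verifyapikey.VerifyAPIKey.credentialType = "oauth2"))</Condition>
      <Name>RaiseFault-IncorrectCredentials</Name>
    </Step>
    <!-- Key-only apps (App1 in the question) must not send a bearer token at all. -->
    <Step>
      <Condition>(verifyapikey.VerifyAPIKey.credentialType = "apikey") and (NOT (request.header.Authorization = null))</Condition>
      <Name>RaiseFault-IncorrectCredentials</Name>
    </Step>
    <!-- Token apps (App2 in the question) must also present a valid access token;
         the policy itself raises a fault when the token is missing, expired or revoked. -->
    <Step>
      <Condition>verifyapikey.VerifyAPIKey.credentialType = "oauth2"</Condition>
      <Name>OAuthV2-VerifyAccessToken</Name>
    </Step>
  </Request>
  <Response/>
</PreFlow>

<!-- policies/VerifyAPIKey.xml: the key is read from the "apikey" request header -->
<VerifyAPIKey name="VerifyAPIKey">
  <APIKey ref="request.header.apikey"/>
</VerifyAPIKey>

<!-- policies/OAuthV2-VerifyAccessToken.xml: reads "Authorization: Bearer <token>" by default -->
<OAuthV2 name="OAuthV2-VerifyAccessToken">
  <Operation>VerifyAccessToken</Operation>
</OAuthV2>

<!-- policies/RaiseFault-MissingCredentials.xml
     (RaiseFault-IncorrectCredentials is the same apart from the message) -->
<RaiseFault name="RaiseFault-MissingCredentials">
  <FaultResponse>
    <Set>
      <StatusCode>401</StatusCode>
      <ReasonPhrase>Unauthorized</ReasonPhrase>
      <Payload contentType="application/json">{"error": "missing credentials"}</Payload>
    </Set>
  </FaultResponse>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</RaiseFault>
```

With this in place App1 is registered with credentialType=apikey and calls with only the apikey header, while App2 is registered with credentialType=oauth2 and calls with both its apikey header and an Authorization: Bearer token; adding a third app of either kind is an app registration change, not a proxy change. One check this fragment does not make is that the token was issued to the same app as the key (VerifyAccessToken sets client_id, VerifyAPIKey sets verifyapikey.VerifyAPIKey.client_id); because a Condition compares a variable against a literal, that cross-check is best done in a JavaScript step immediately after OAuthV2-VerifyAccessToken.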

3 REPLIES


I have modified it to suit my use case better, in fact. Thank you for the excellent support.

<!-- Every app other than app_x is verified by API key -->
<Step>
    <Condition>NOT (developer.app.name = "app_x")</Condition>
    <Name>VerifKeySetKey</Name>
</Step>
<!-- app_x is verified by OAuth2 access token -->
<Step>
    <Condition>(developer.app.name = "app_x")</Condition>
    <Name>OAuth-v20-1</Name>
</Step>
