Dear Team,
I have one endpoint, /customers/retail. I would like to specify authentication based on app name.
The requirement is this:
App1 should use "apikey" and
App2 should use an OAuth2 token for the same endpoint.
Is this solution possible?
One method I found was passing the apikey in both App1 and App2.
However, this seems crude to me.
Is there any better solution please? 🙂 Any help is really appreciated.
Best Regards
Sujith Mathew
Yes, possible. But you will need to do some extra processing in your Proxy to handle the case.
You will need to have a flow like this:
<Step>
  <Condition>(request.header.Authorization = null) and (request.header.apikey = null)</Condition>
  <Name>RaiseFault-MissingCredentials</Name>
</Step>
<Step>
  <Condition>NOT (request.header.Authorization = null) and NOT (request.header.apikey = null)</Condition>
  <Name>RaiseFault-WrongCredentials</Name>
</Step>
<Step>
  <Condition>NOT (request.header.apikey = null)</Condition>
  <Name>VerifyApiKey</Name>
</Step>
<Step>
  <Condition>NOT (request.header.Authorization = null)</Condition>
  <Name>OAuthV2-VerifyAccessToken</Name>
</Step>
<Step>
  <Condition>(NOT (access_token = null)) and (developer.app.name = "App1")</Condition>
  <Name>RaiseFault-IncorrectCredentials</Name>
</Step>
<Step>
  <Condition>(access_token = null) and (developer.app.name = "App2")</Condition>
  <Name>RaiseFault-IncorrectCredentials</Name>
</Step>
I don't like the idea, because this implies hard-coding app names into the API Proxy. A better approach would be to examine a custom attribute on the API Product or on the App that indicates the kind of credential that is required.
The flow for that would be similar. The key thing is you need to verify the credentials (apikey or token) first, in order to figure out the name of the developer app.
Just thinking out loud: if control is not an issue for you, you can set a flag in the app's custom attributes to check whether OAuth token validation is required or not.
Disadvantage - the VerifyAPIKey policy is going to be executed in both cases.
Advantage - you will not hard-code the app name in your condition and can create multiple apps of both categories without modifying the proxy in any way.
<Step>
  <Name>VerifyAPIKey</Name>
</Step>
<Step>
  <Name>SharedFlow-VerifyAccessToken</Name>
  <Condition>(verifyapikey.VerifyAPIKey.isOAuthValidationRequired = true)</Condition>
</Step>
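The custom-attribute approach sketched above, written out as a complete ProxyEndpoint PreFlow together with the three policies it references. This is an added example, not code from any post in this thread or from Apigee's own samples. The policy names, the attribute name isOAuthValidationRequired, the header name apikey and the base path /customers are assumptions; in practice they come from the proxy you are building.

```xml
<!-- Added example, not from the thread. Assumed names: policies VerifyAPIKey,
     OAuthV2-VerifyAccessToken and RaiseFault-MissingCredentials; the consumer key
     arrives in the "apikey" header; the app custom attribute is
     isOAuthValidationRequired; the base path is /customers. -->

<!-- apiproxy/proxies/default.xml -->
<ProxyEndpoint name="default">
  <PreFlow name="PreFlow">
    <Request>
      <!-- Every app must present its consumer key, because VerifyAPIKey is the
           policy that loads the app's custom attributes into flow variables. -->
      <Step>
        <Name>RaiseFault-MissingCredentials</Name>
        <Condition>request.header.apikey = null</Condition>
      </Step>
      <Step>
        <Name>VerifyAPIKey</Name>
      </Step>
      <!-- Only apps whose attribute is set to "true" must also carry a bearer
           token. Custom attribute values are strings, so the literal is quoted.
           OAuthV2 raises its own fault if the token is missing, expired or revoked. -->
      <Step>
        <Name>OAuthV2-VerifyAccessToken</Name>
        <Condition>verifyapikey.VerifyAPIKey.isOAuthValidationRequired = "true"</Condition>
      </Step>
    </Request>
    <Response/>
  </PreFlow>
  <HTTPProxyConnection>
    <BasePath>/customers</BasePath>
  </HTTPProxyConnection>
  <RouteRule name="default">
    <TargetEndpoint>default</TargetEndpoint>
  </RouteRule>
</ProxyEndpoint>

<!-- apiproxy/policies/VerifyAPIKey.xml -->
<VerifyAPIKey name="VerifyAPIKey">
  <APIKey ref="request.header.apikey"/>
</VerifyAPIKey>

<!-- apiproxy/policies/OAuthV2-VerifyAccessToken.xml -->
<!-- Reads the bearer token from the Authorization header by default. -->
<OAuthV2 name="OAuthV2-VerifyAccessToken">
  <Operation>VerifyAccessToken</Operation>
</OAuthV2>

<!-- apiproxy/policies/RaiseFault-MissingCredentials.xml -->
<RaiseFault name="RaiseFault-MissingCredentials">
  <FaultResponse>
    <Set>
      <StatusCode>401</StatusCode>
      <ReasonPhrase>Unauthorized</ReasonPhrase>
      <Payload contentType="application/json">{"error":"missing_credentials"}</Payload>
    </Set>
  </FaultResponse>
</RaiseFault>
```

Two consequences of this layout are worth keeping in mind. An app flagged for OAuth has to send both headers on every call, since VerifyAPIKey runs unconditionally (the disadvantage noted above). And an app whose attribute is absent or set to anything other than "true" falls through with key-only authentication, so the weaker mode is the default: set the attribute deliberately on every app that is meant to carry a token, rather than relying on it being present.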
I have modified it to suit my use case better, in fact. Thank you for the excellent support.
<Step>
  <Condition>NOT (developer.app.name = "app_x")</Condition>
  <Name>VerifKeySetKey</Name>
</Step>
<Step>
  <Condition>(developer.app.name = "app_x")</Condition>
  <Name>OAuth-v20-1</Name>
</Step>