How to use service callout policy to fetch an access_token in the header.


This is a followup question to my previous question: https://community.apigee.com/questions/60323/apigee-cant-verify-my-external-access-token.html

@Siddharth Barahalikar's answer suggests using a service callout in both solutions. But why is a service callout used? Why do I need to make a call to an endpoint of my STS? Shouldn't I add a policy in Apigee that just fetches the token from the header?

1 ACCEPTED SOLUTION

Hi Ben, a Service Callout (SC) policy is used to call another service (external or internal) from your API proxy flow.

In Scenario 1 - Apigee doesn't know how to validate the token because it did not mint it, and it doesn't know the client_id and client_secret etc., so we can validate the token in the header by calling the STS from Apigee, for which we can use the SC policy.

<ServiceCallout async="false" continueOnError="false" enabled="true" name="SC-Calling-STS">
    <DisplayName>SC-Calling-STS</DisplayName>
    <Request>
        <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
        <Set>
            <Headers>
                <!-- Braces make this a flow-variable reference; without them the literal text would be sent -->
                <Header name="Authorization">{request.header.Authorization}</Header>
            </Headers>
            <Verb>POST</Verb> <!-- any HTTP verb -->
        </Set>
    </Request>
    <Response>calloutResponse</Response>
    <Timeout>60000</Timeout>
    <HTTPTargetConnection>
        <URL>http://sts.com/validate/x/y/z</URL>
    </HTTPTargetConnection>
</ServiceCallout>

Now the SC will make a call to the STS with the token. The STS will validate the token and give some response like a 401 or 200 status code and a respective response body. So after the SC policy we use an Extract Variables policy to extract the response and use the extracted values as Conditions (for a Raise Fault policy) to either raise an error or proceed with calling the backend service.

If basic auth is needed for the validate endpoint, do I've to add an assign message policy?

For Basic Auth, we can use a Basic Authentication policy to encode the username and password as a base64 string. Please answer a few questions for recommendations,

  1. How do you pass credentials to validate endpoint?
  2. Do you send username & password as urlencoded-values?
  3. Do you send base64encoded string? Is it sent as header?

I will be using this: http://docs.identityserver.io/en/release/endpoints/introspection.html

As per the doc, you will be sending an Authorization header, so you can use the same SC policy as above.

After SC you can use an Extract Variable policy to get the status of active elements from the response.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ExtractVariables async="false" continueOnError="false" enabled="true" name="Extract-Variables-1">
    <DisplayName>Extract Variables-1</DisplayName>
    <Properties/>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
    <JSONPayload>
        <Variable name="activeStatus">
            <JSONPath>$.active</JSONPath>
        </Variable>
    </JSONPayload>
    <Source clearPayload="false">calloutResponse.content</Source>
    <VariablePrefix>apigee</VariablePrefix>
</ExtractVariables>

Use a Condition (for the Raise Fault policy) to raise a fault if active = false

<Condition>apigee.activeStatus = 'false'</Condition>
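As an added illustration (not part of the answer above), here is how the three policies can be wired into the proxy PreFlow, together with a Raise Fault policy; the policy names and the fail-closed condition are assumptions, and the SC policy is assumed to reach the STS validate endpoint over HTTPS.

```xml
<!-- Constructed example: ProxyEndpoint PreFlow wiring -->
<PreFlow name="PreFlow">
    <Request>
        <Step>
            <Name>SC-Calling-STS</Name>
        </Step>
        <Step>
            <Name>Extract-Variables-1</Name>
        </Step>
        <Step>
            <Name>RF-Token-Inactive</Name>
            <!-- Fail closed: reject unless the STS answered 200 AND reported active=true.
                 Extract-Variables-1 sets IgnoreUnresolvedVariables=true, so an error or
                 non-JSON response from the STS leaves apigee.activeStatus unset; a check
                 that only tests for 'false' would let such a request through to the backend. -->
            <Condition>(calloutResponse.status.code != 200) or (apigee.activeStatus != "true")</Condition>
        </Step>
    </Request>
    <Response/>
</PreFlow>

<!-- Constructed example: the Raise Fault policy referenced above -->
<RaiseFault async="false" continueOnError="false" enabled="true" name="RF-Token-Inactive">
    <DisplayName>RF-Token-Inactive</DisplayName>
    <FaultResponse>
        <Set>
            <Headers>
                <Header name="WWW-Authenticate">Bearer error="invalid_token"</Header>
            </Headers>
            <Payload contentType="application/json">{"error":"invalid_token"}</Payload>
            <StatusCode>401</StatusCode>
            <ReasonPhrase>Unauthorized</ReasonPhrase>
        </Set>
    </FaultResponse>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</RaiseFault>
```

Because the SC policy has continueOnError="false", a callout that fails outright (timeout, connection refused) already aborts the flow with a fault; the condition above covers the case where the STS does answer but not with a 200 and active=true.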

Thanks for the answer, but you didn't answer my original question. What policy do I need to send Basic auth with the SC?

I hope I answered this in previous comment.

If you are sending Basic Auth in the header then you can follow the above SC policy Set header format.