Restrict access to APIs based on API keys

sudhap

Hello All,

I am a new learner of Apigee and I am facing an issue with authorization using API keys.

So, basically, I launched my developer portal with APIs from a Swagger spec, signed in as a developer and registered an app to a product, and my URL (for the dev portal) is like

http://{orgname}-test. .. apigee.io

So my APIs page looks like this:

7512-screenshot-from-2018-10-08-14-48-35.png

When sending a request from Trace, i.e. from Edge, when my URL is:

http://{orgname}-test. .. apigee.net

the Verify API Key policy functionality is visible, but when hitting from the developer portal the functionality is not working.

That is, though I included the Verify API Key policy in Apigee and also authorizations in the Swagger spec, the authorization is not being performed correctly.

So, I wanted to know:

1) How does a request from the developer portal to hit an API reach Edge (based on URL criteria)?

2) What is the correct mechanism or flow to set the authorization via API key in Apigee for restricting developers registered from the developer portal?

Thanks

1 ACCEPTED SOLUTION

In dev-portal/OAS your baseURL is still pointing to your original backend (Base URL: ci-cd-dpm-25190561.us-east-1.elb.amazonaws.com/).

Update your Swagger/OAS in Edge, add your Apigee proxy URL as the baseURL, and update the portal.

7520-portal-aopigee.jpg
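
A check for the misconfiguration described in the accepted solution, as an added example that is not part of the original thread: it reads a Swagger 2.0 or OpenAPI 3 document and reports base URLs that do not point at an Apigee proxy host, plus API key schemes that differ from the apikey query parameter default mentioned in the replies. The sample specs, their host names, the .apigee.net suffix rule and all function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample specs; host names are placeholders, not the poster's.
BEFORE = {"swagger": "2.0", "host": "backend-elb.example.com", "basePath": "/",
          "schemes": ["http"],
          "securityDefinitions": {"api_key": {"type": "apiKey", "in": "query", "name": "apikey"}}}
AFTER = dict(BEFORE, host="myorg-test.apigee.net", basePath="/models", schemes=["https"])


def base_urls(spec):
    """Base URLs that a portal's 'try it' requests would be sent to."""
    if "servers" in spec:                                   # OpenAPI 3.x
        return [s["url"] for s in spec["servers"]]
    if "host" in spec:                                      # Swagger 2.0
        schemes = spec.get("schemes") or ["https"]
        return [f"{s}://{spec['host']}{spec.get('basePath', '')}" for s in schemes]
    return []


def api_key_schemes(spec):
    """Every security scheme of type apiKey, from either spec version."""
    declared = (spec.get("securityDefinitions")
                or spec.get("components", {}).get("securitySchemes", {}))
    return {n: s for n, s in declared.items() if s.get("type") == "apiKey"}


def audit_spec(spec, gateway_suffixes=(".apigee.net",), key_in="query", key_name="apikey"):
    """Return findings; an empty list means calls go through the proxy with a key."""
    findings = []
    urls = base_urls(spec)
    if not urls:
        findings.append("no base URL declared")
    for url in urls:
        host = (urlsplit(url).hostname or "").lower()
        # Assumption: proxy hosts end in one of gateway_suffixes.
        if not host.endswith(tuple(gateway_suffixes)):
            findings.append(f"{url}: host is not a gateway host, key check is bypassed")
    keys = api_key_schemes(spec)
    if not keys:
        findings.append("no apiKey security scheme declared")
    for name, s in keys.items():
        if (s.get("in"), s.get("name")) != (key_in, key_name):
            findings.append(f"{name}: key sent as {s.get('in')} '{s.get('name')}', "
                            f"proxy expects {key_in} '{key_name}'")
    return findings


if __name__ == "__main__":
    for label, spec in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_spec(spec) or "OK")
```

Running it against the spec published to the portal shows whether requests from the portal will reach the proxy, where the Verify API Key policy runs, or go straight to the backend.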


5 REPLIES

but when hitting from developer portal the functionality is not working.

Are you seeing any error in DevPortal OAS Response?

What is the correct mechanism or flow to set the authorization via api key in apigee for restricting developers registered from developer portal.

Create a proxy and add the API Key policy on the proxy endpoint PreFlow. Any call to this proxy would require a valid API key in an apikey queryParam (default).

https://docs.apigee.com/api-platform/tutorials/secure-calls-your-api-through-api-key-validation

There is no error, but irrespective of me providing the API key, the response is generated, which is not the requirement.

My idea is to hit an API when a key is provided and validated; if no key is provided at all, it must throw an error, but that is not happening.

Please follow this doc to secure your API using an API key:

https://docs.apigee.com/api-platform/tutorials/secure-calls-your-api-through-api-key-validation

First try it on Apigee Edge, use Trace session.

It is working fine when done in a Trace session using Edge.

There is an error thrown when the API key is not provided:

7515-res1.png

It worked as expected when the API key is provided.

7516-res2.png

But when hitting the same API from the developer portal, though the API key is not provided, the result is being generated.

The URL looks like:

https://sudhap-eval-dpmrestservices.apigee.io/#/models/modelsEvent

where I did not specify the API key,

the authorization popup is empty

7517-res4.png

but yet the response is generated, which is not as expected

7518-res3.png

I need to fix this, any reference? Sorry for the trouble.
