Question by Joseph Bradley · Oct 15, 2018 at 12:50 PM · 525 Views · api product, access control

Restrict API Product by path

I seem to be unable to restrict my API Products to portions of my proxy, using paths + proxy. My use case is very similar to this article, with the slight difference that I have a defined base path, rather than using a wildcard. I've generalized details somewhat, but below is the basic form of my proxy.

  • /resource1
  • /resource2
  • /resource3

Each endpoint is defined separately, in the same proxy (rather than in a single default ProxyEndpoint XML file). The first 2 endpoints support creation of objects with a POST on their basepath and payload in the request body, retrieval of objects with a GET /{id} operation, and some operations on a given object, with the form POST /{id}/operation. The third resource has several sub-resources, each of which supports CRUD operations.

My proxy uses a Shared Flow to validate the OAuth2 token, among other things. This verification occurs in the first step of each endpoint's Preflow.

I have defined an API product that includes this proxy by name, and also specifically defined /resource1 as the resource path. After creating a developer, a developer app, and then assigning the API product to this developer app (and double-checking that it is approved), any POST /resource1 responds with the error "Invalid API call as no apiproduct match found."

I tried several variations on this, including separately defining each subpath for /resource1

  • /resource1
  • /resource1/*
  • /resource1/*/*

I also tried only defining the product using paths, and no proxy. Because my proxy's basepath is /v1/, I tried both

  • /v1/resource1
  • /v1/resource2
  • /v1/resource3

and

  • /resource1
  • /resource2
  • /resource3

However, all of these configurations result in the same error for me. In fact, the only way I am able to allow access to /resource1 for an API Product is by allowing access to all resources for the proxy, using path /.

Does anyone have any advice that they could offer, to help resolve this issue? Am I missing something very basic? Should I move my OAuth token verification out of the shared flow, and why would that matter, if I should?

Thanks!


1 Answer

1
Best Answer

Answer by Dino-at-Google   · Oct 15, 2018 at 05:01 PM

Hi, I'm sorry you're having troubles.

I think the resource paths for the API Product... are evaluated based on proxy path suffix.

Let's assume an API proxy, with a single endpoint that listens on /endpoint1 basepath.

Now assume the API proxy has conditional flows that match on the path+verb pair, like this:

GET /r1

GET /r2

Here's what to expect:

| API Product resources | GET /r1 result | GET /r2 result |
|---|---|---|
| -none- | token is valid | token is valid |
| / | invalid access token; no apiproduct match found | invalid access token |
| /** | token is valid | token is valid |
| /r1 | token is valid | invalid access token |
| /r2 | invalid access token | token is valid |
| /r1 and /r2 | token is valid | token is valid |

I think maybe you are including the ProxyEndpoint basepath into the resource path for the API Product.

This isn't correct. You need to exclude that.

Let me know if this helps.

Comment by Joseph Bradley · Oct 15, 2018 at 09:17 PM

Thanks for the reply, Dino. That was very helpful. In my case I've defined 3 proxy endpoints for the same proxy, and it doesn't seem like it's possible to restrict access to only the first 2, based on what you have explained above: I'll need to move the last proxy endpoint to another proxy.

Thanks!

Comment by Dino-at-Google ♦♦ (in reply to Joseph Bradley) · Oct 15, 2018 at 09:28 PM

I guess you could restrict access to the first two proxy endpoints, if they have unique resource paths - the part that falls AFTER the basepath. But separating out the proxyendpoints would also work.
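
A simplified model of the matching described in the answer above, as an added example that is not part of the original thread and is not Apigee's implementation. It assumes product resource paths are compared with the request path minus the ProxyEndpoint basepath; the `slashMatchesAll` switch and the endpoint basepaths in the sample cases are hypothetical.

```javascript
// Simplified model of API product resource-path matching (illustrative only).
// Assumption: patterns are tested against the path suffix, i.e. the request
// path with the ProxyEndpoint basepath stripped, as the answer describes.
function pathSuffix(basePath, requestPath) {
  const base = basePath.replace(/\/+$/, "");        // "/v1/" -> "/v1"
  if (requestPath !== base && !requestPath.startsWith(base + "/")) {
    return null;                                     // not served by this endpoint
  }
  return requestPath.slice(base.length) || "/";      // empty suffix counts as "/"
}

// "*" matches exactly one path segment, "**" matches any remaining depth.
function patternToRegExp(pattern) {
  const body = pattern.split("/").map((seg) => {
    if (seg === "**") return ".*";
    if (seg === "*") return "[^/]+";
    return seg.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"); // literal segment
  }).join("/");
  return new RegExp("^" + body + "$");
}

// resources: the product's resource paths; an empty list means no path
// restriction (the "-none-" row of the table). slashMatchesAll is a
// hypothetical switch: the table shows "/" matching only the bare basepath,
// while the question reports "/" granting access to everything.
function productAllows(resources, basePath, requestPath, slashMatchesAll = false) {
  const suffix = pathSuffix(basePath, requestPath);
  if (suffix === null) return false;
  if (resources.length === 0) return true;
  return resources.some((p) =>
    (p === "/" && slashMatchesAll) || patternToRegExp(p).test(suffix));
}

// Constructed cases: [product resources, endpoint basepath, request path].
const demo = [
  [["/r1"], "/endpoint1", "/endpoint1/r1"],        // suffix /r1 matches
  [["/r1"], "/endpoint1", "/endpoint1/r2"],        // suffix /r2 does not
  [["/v1/resource1"], "/v1/", "/v1/resource1"],    // basepath repeated: no match
  [["/resource1"], "/v1/", "/v1/resource1"],       // suffix only: match
  // One ProxyEndpoint per resource: "/resource1" is no longer in the suffix.
  [["/resource1", "/resource1/*"], "/v1/resource1", "/v1/resource1/42"],
];
for (const [res, base, req] of demo) {
  console.log(JSON.stringify(res), base, req, "->", productAllows(res, base, req));
}
```

The last case shows why per-resource endpoints cannot be separated by product resource paths unless their suffixes differ: once the resource name is part of the basepath, it is no longer available to the match.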
