Restrict API Product by path
I seem to be unable to restrict my API Products to portions of my proxy, using paths + proxy. My use case is very similar to this article, with the slight difference that I have a defined base path, rather than using a wildcard. I've generalized details somewhat, but below is the basic form of my proxy.
- /resource1
- /resource2
- /resource3
Each endpoint is defined separately, in the same proxy (rather than in a single default ProxyEndpoint XML file). The first 2 endpoints support creation of objects with a POST on their basepath and payload in the request body, retrieval of objects with a GET /{id} operation, and some operations on a given object, with the form POST /{id}/operation. The third resource has several sub-resources, each of which support CRUD operations.
My proxy uses a Shared Flow to validate the OAauth2 token, among other things. This verification occurs in the first step of each endpoint's Preflow.
I have defined an API product that includes this proxy by name, and also specifically defined /resource1 as the resource path. After creating a developer, a developer app, and then assigning the API product to this developer app (and double-checking that it is approved), any POST /resource1 responds with the error "Invalid API call as no apiproduct match found."
I tried several variations on this, including separately defining each subpath for /resource1
- /resource1
- /resource1/*
- /resource1/*/*
I also tried only defining the product using paths, and no proxy. Because my proxy's basepath is /v1/, I tried both
- /v1/resource1
- /v1/resource2
- /v1/resource3
and
- /resource1
- /resource2
- /resource3
However all of these configurations result in the same error for me. In fact, the only way I am able to allow access to /resource1 for an API Product is by allowing access to all resources for the proxy, using path /.
Does anyone have any advice that they could offer, to help resolve this issue? Am I missing something very basic? Should I move my OAuth token verification out of the shared flow, and why would that matter, if I should?
Thanks!
Best Answer
Answer by Dino-at-Google
·
Oct 15, 2018 at 05:01 PM
Hi, I'm sorry you're having troubles.
I think the resource paths for the API Product... are evaluated based on proxy path suffix.
Let's assume an API proxy, with a single endpoint that listens on /endpoint1 basepath.
Now assume the API proxy has conditional flows that match on the path+verb pair, like this:
GET /r1
GET /r2
Here's what to expect:
| API Product resources | GET /r1 result | GET /r2 result |
| -none- | token is valid | token is valid |
| / | invalid access token; no apiproduct match found |
invalid access token |
| /** | token is valid | token is valid |
| /r1 | token is valid | invalid access token |
| /r2 | invalid access token |
token is valid |
| /r1 /r2 |
token is valid | token is valid |
I think maybe you are including the ProxyEndpoint basepath into the resource path for the API Product.
This isn't correct. You need to exclude that.
Let me know if this helps.
Thanks for the reply, Dino. That was very helpful. In my case I've defined 3 proxy endpoints for the same proxy, and it doesn't seem like it's possible to restrict access to only the first 2, based on what you have explained above: I'll need to move the last proxy endpoint to another proxy.
Thanks!
I guess you could restrict access to the first two proxy endpoints, if they have unique resource paths - the part that falls AFTER the basepath. but separating out the proxyendpoints would also work.
