Restrict API Product by path

I seem to be unable to restrict my API Products to portions of my proxy, using paths + proxy. My use case is very similar to this article, with the slight difference that I have a defined base path, rather than using a wildcard. I've generalized details somewhat, but below is the basic form of my proxy.

  • /resource1
  • /resource2
  • /resource3

Each endpoint is defined separately, in the same proxy (rather than in a single default ProxyEndpoint XML file). The first 2 endpoints support creation of objects with a POST on their basepath and payload in the request body, retrieval of objects with a GET /{id} operation, and some operations on a given object, with the form POST /{id}/operation. The third resource has several sub-resources, each of which support CRUD operations.

My proxy uses a Shared Flow to validate the OAuth2 token, among other things. This verification occurs in the first step of each endpoint's PreFlow.

I have defined an API product that includes this proxy by name, and also specifically defined /resource1 as the resource path. After creating a developer, a developer app, and then assigning the API product to this developer app (and double-checking that it is approved), any POST /resource1 responds with the error "Invalid API call as no apiproduct match found."

I tried several variations on this, including separately defining each subpath for /resource1

  • /resource1
  • /resource1/*
  • /resource1/*/*

I also tried only defining the product using paths, and no proxy. Because my proxy's basepath is /v1/, I tried both

  • /v1/resource1
  • /v1/resource2
  • /v1/resource3

and

  • /resource1
  • /resource2
  • /resource3

However, all of these configurations result in the same error for me. In fact, the only way I am able to allow access to /resource1 for an API Product is by allowing access to all resources for the proxy, using path /.

Does anyone have any advice that they could offer, to help resolve this issue? Am I missing something very basic? Should I move my OAuth token verification out of the shared flow, and why would that matter, if I should?

Thanks!

1 ACCEPTED SOLUTION

Hi, I'm sorry you're having troubles.

I think the resource paths for the API Product... are evaluated based on proxy path suffix.

Let's assume an API proxy, with a single endpoint that listens on /endpoint1 basepath.

Now assume the API proxy has conditional flows that match on the path+verb pair, like this:

GET /r1

GET /r2

Here's what to expect:

API Product resources   GET /r1 result                                   GET /r2 result
-none-                  token is valid                                   token is valid
/                       invalid access token; no apiproduct match found  invalid access token
/**                     token is valid                                   token is valid
/r1                     token is valid                                   invalid access token
/r2                     invalid access token                             token is valid
/r1 and /r2             token is valid                                   token is valid

I think maybe you are including the ProxyEndpoint basepath into the resource path for the API Product.

This isn't correct. You need to exclude that.

Let me know if this helps.
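Added example (not code from the original post, and not Apigee's own implementation): a small Python model of how the resource paths on an API Product are matched against the proxy path suffix, i.e. the part of the request path after the ProxyEndpoint basepath. It reproduces the outcome table above and shows why a resource path that still contains the basepath (/v1/resource1) never matches. The handling of a bare "/" depends on an org-level Apigee setting; this model follows the table above, where "/" matches only the basepath itself. Function and variable names are this example's own.

```python
"""Simplified model of Apigee API Product resource-path matching.

Assumption (this example's, not Apigee's documented behaviour): patterns are
matched segment by segment, "*" matches exactly one path segment, "**"
matches zero or more segments, and a bare "/" matches only the basepath.
"""
from __future__ import annotations

from typing import Iterable, Optional


def _segments(path: str) -> list[str]:
    """Split a path into its non-empty segments: "/a//b/" -> ["a", "b"]."""
    return [s for s in path.strip("/").split("/") if s]


def _match(pattern: list[str], path: list[str]) -> bool:
    """Recursive glob match over path segments."""
    if not pattern:
        return not path
    head, rest = pattern[0], pattern[1:]
    if head == "**":
        # "**" may swallow zero or more segments.
        return any(_match(rest, path[i:]) for i in range(len(path) + 1))
    if not path:
        return False
    if head == "*" or head == path[0]:
        return _match(rest, path[1:])
    return False


def proxy_path_suffix(basepath: str, request_path: str) -> Optional[str]:
    """Return the request path with the ProxyEndpoint basepath removed,
    or None if the request does not fall under that basepath."""
    base = _segments(basepath)
    req = _segments(request_path)
    if req[: len(base)] != base:
        return None
    return "/" + "/".join(req[len(base):])


def product_allows(resource_paths: Iterable[str], basepath: str,
                   request_path: str) -> bool:
    """True if an API Product with the given resource paths admits the request.

    An empty resource list means "whole proxy allowed" (the "-none-" row above).
    """
    suffix = proxy_path_suffix(basepath, request_path)
    if suffix is None:
        return False
    patterns = list(resource_paths)
    if not patterns:
        return True
    return any(_match(_segments(p), _segments(suffix)) for p in patterns)


def outcome_table(basepath: str = "/endpoint1") -> dict[str, tuple[bool, bool]]:
    """Evaluate the product configurations from the table above against
    GET /r1 and GET /r2 (True = token accepted, False = no product match)."""
    configs = {
        "-none-": [],
        "/": ["/"],
        "/**": ["/**"],
        "/r1": ["/r1"],
        "/r2": ["/r2"],
        "/r1 and /r2": ["/r1", "/r2"],
    }
    return {
        label: (product_allows(paths, basepath, basepath + "/r1"),
                product_allows(paths, basepath, basepath + "/r2"))
        for label, paths in configs.items()
    }


if __name__ == "__main__":
    for label, (r1, r2) in outcome_table().items():
        print(f"{label:12} GET /r1 -> {r1!s:5} GET /r2 -> {r2}")
    # The original poster's case: basepath /v1, resource /resource1.
    print(product_allows(["/v1/resource1"], "/v1", "/v1/resource1"))  # basepath included: no match
    print(product_allows(["/resource1"], "/v1", "/v1/resource1"))     # basepath excluded: match
```

Running it prints the same pass/fail pattern as the table, and the last two lines show the fix for the original question: once the basepath is left out of the resource path, /resource1 matches POST /v1/resource1, and /resource1/*/* matches the POST /{id}/operation calls.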



Thanks for the reply, Dino. That was very helpful. In my case I've defined 3 proxy endpoints for the same proxy, and it doesn't seem like it's possible to restrict access to only the first 2, based on what you have explained above: I'll need to move the last proxy endpoint to another proxy.

Thanks!

I guess you could restrict access to the first two proxy endpoints, if they have unique resource paths - the part that falls AFTER the basepath. But separating out the ProxyEndpoints would also work.