Connect access token from third-party identity provider to App or Product

We got a JWT access token for a user from a 3rd-party identity provider, and now I would like to select an App or Product based on information within the payload of the JWT token. Now we are using the VerifyApiKey policy to "switch" to a certain app.

Is there a policy that allows us to "switch" to a specific App or Product? (By name for example)

ACCEPTED SOLUTION

OK, you have a 3rd-party identity provider.

What is contained in the JWT? What identity is there, what claims?

Normally IdPs issue JWTs that contain USER identity. That is useful within a certain scope of problem, but it doesn't fit the need for APPLICATION identity, which is required for applying the API Product concept in Apigee Edge.


API Products in Apigee Edge are mapped to apps, and specifically CREDENTIALS on those apps.

It's not helpful if the Apigee Edge proxy receives a JWT asserting the user identity. Apigee Edge cannot map that to a product.

But if the JWT you receive from the third party also has an APP IDENTIFIER, then you could treat that as an API Key (consumer key) and just call VerifyApiKey on it, and that would get you the Product mapping you describe.

Does this make sense?

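The approach in the accepted solution, sketched as two Apigee policies. This is an added example, not configuration posted in the thread. It assumes the IdP signs with RS256 and puts the app identifier in a claim named client_id, and that an app credential with that same value as its consumer key exists in Apigee; the policy names, JWKS URL and issuer are placeholders. The JWT is verified first so that the claim is only used as a key after its signature and issuer have been checked.

```xml
<!-- Policy file 1 (hypothetical name): verify the third-party JWT before
     trusting any claim in it. With no Source element, the token is read
     from the Authorization header (Bearer scheme). -->
<VerifyJWT name="VerifyJWT-ThirdParty">
  <Algorithm>RS256</Algorithm>
  <PublicKey>
    <!-- Placeholder: the IdP's published signing keys -->
    <JWKS uri="https://idp.example.com/.well-known/jwks.json"/>
  </PublicKey>
  <!-- Placeholder: reject tokens from any other issuer -->
  <Issuer>https://idp.example.com/</Issuer>
</VerifyJWT>

<!-- Policy file 2 (hypothetical name): treat the verified app-identifier
     claim as the consumer key. client_id is an assumed claim name; use
     whichever claim the IdP populates with the app identifier. -->
<VerifyAPIKey name="VerifyAPIKey-FromJwtClaim">
  <APIKey ref="jwt.VerifyJWT-ThirdParty.decoded.claim.client_id"/>
</VerifyAPIKey>
```

Attach the two policies in this order in the request flow. If VerifyJWT fails, the proxy raises a fault and VerifyAPIKey never runs on an unverified claim.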

REPLIES

Thanks for the suggestion. I already thought about adding the VerifyApiKey policy in this proxy, but I was hoping for an alternative solution.

What's the downside of using VerifyApiKey? Why would you want to avoid that?

It seems more resource intensive, since the Product is already known by the proxy.