App-wise authentication and quota restriction, validation from external application in Apigee app

akshay
Participant I

I have one proxy API, one product, one developer and multiple apps. Apps are like - Customer1, Customer2, and so on.

I am allocating the customer's consumer key to them, so their API call can be authenticated [via verifyAPI key].


1) I want to send a serial number as a parameter with the API call, and this serial number shall also be authenticated by Apigee.
[serial number is software serial number from where API call is being made]


So Customer1/App1 has Serial number1
and Customer2/App2 has serial number2


These shall be mentioned in App in apigee and shall be verified.
Please share a solution for this.

2) Secondly, is there a possibility to restrict the API call quota per app? So customers using the same proxy API and product shall be restricted by quotas.

1 ACCEPTED SOLUTION

Hi Akshay.

Let's see if I can be of assistance.

Item 1.

First, what is the distinction between the API Key and the serial number? Suppose I run a private tea shop. I sell memberships, and a member needs to present their member id, to ask for tea. Why would I also ask the member for.... another number, a serial number? This seems to me, to be what you are proposing. What is the point of the other number, the serial number? It seems to be treated exactly the same as an API Key. There is a 1:1 mapping between API key and serial number. Effectively the serial number adds nothing. So... why have it? What problem are you trying to solve by "verifying" that serial number?

If I understand the purpose of this serial #, maybe I can propose a useful solution.

Item 2.

Yes, you can rate limit based on the app. For this, you can use the API key as the Quota Identifier.

<Quota name="QuotaPolicy" type="flexi">
  <Identifier ref="request.header.apikey"/>
  <Interval>1</Interval>
  <TimeUnit>hour</TimeUnit>
  <Allow count="1000"/>
</Quota>
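
As an added illustration (not code from this thread or from Apigee), the following models what the Quota policy above enforces once the API key is the identifier and the type is "flexi": each distinct identifier value gets its own counter, and a counter's window starts with that identifier's first request and restarts once the interval has elapsed. The class and function names and the sample traffic are assumptions made for the demonstration.

```javascript
// Added example, not code from the thread or from Apigee: a model of what the
// Quota policy above enforces once <Identifier ref="request.header.apikey"/>
// is set with type="flexi". Every distinct identifier value gets its own
// counter; a counter's window starts with that identifier's first request and
// restarts once the interval has elapsed. FlexiQuota, demoQuota and the sample
// traffic are assumptions made for the demonstration.

const HOUR_MS = 60 * 60 * 1000;

class FlexiQuota {
  // allow: requests permitted per window (<Allow count>),
  // intervalMs: window length (<Interval> x <TimeUnit>) in milliseconds.
  constructor(allow, intervalMs) {
    this.allow = allow;
    this.intervalMs = intervalMs;
    this.counters = new Map(); // identifier -> { windowStart, used }
  }

  // Consumes one request for `identifier` at time `nowMs` (injected so the
  // demo is deterministic) and returns a verdict shaped like the policy's
  // own flow variables: allowed, used, available, exceeded.
  check(identifier, nowMs) {
    if (!identifier) {
      // An empty identifier would make every caller share one bucket, so
      // it is rejected rather than counted.
      return { allowed: false, used: 0, available: 0, exceeded: true, reason: 'missing identifier' };
    }
    let c = this.counters.get(identifier);
    if (!c || nowMs - c.windowStart >= this.intervalMs) {
      // flexi semantics: the window begins at the first request and
      // restarts after the interval, not at a fixed calendar boundary.
      c = { windowStart: nowMs, used: 0 };
      this.counters.set(identifier, c);
    }
    if (c.used >= this.allow) {
      return { allowed: false, used: c.used, available: 0, exceeded: true, reason: 'quota exceeded' };
    }
    c.used += 1;
    return { allowed: true, used: c.used, available: this.allow - c.used, exceeded: false, reason: 'ok' };
  }
}

// Replays constructed traffic from two apps that share one API product and
// returns the allow/deny verdicts in order: exhausting Customer1's key does
// not touch Customer2's counter, and Customer1's window restarts an hour
// after its first request.
function demoQuota() {
  const quota = new FlexiQuota(3, HOUR_MS); // small <Allow count> for the demo
  const t0 = Date.UTC(2020, 0, 1, 9, 0, 0);
  const verdicts = [];
  for (let i = 0; i < 4; i++) {
    verdicts.push(quota.check('key-customer1', t0 + i * 1000).allowed); // 4th is denied
  }
  verdicts.push(quota.check('key-customer2', t0 + 5000).allowed);       // own counter
  verdicts.push(quota.check('key-customer1', t0 + HOUR_MS).allowed);    // window restarted
  return verdicts; // [true, true, true, false, true, true]
}
```

Two points matter when this is deployed for real: put the Quota step after VerifyAPIKey, so only keys that passed verification consume a counter (otherwise any value a caller puts in the header creates its own bucket), and note that in Edge the counter is kept per message processor unless `<Distributed>true</Distributed>` and `<Synchronous>true</Synchronous>` are set in the policy, so the org-wide count can run a little past `<Allow count>`.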

Hello Dino,

I really liked your videos on youtube!

Thanks for Item2, I will try doing it.

For Item 1 -

We want to allow a specific user from serial number XYZ to access a particular API key. So we want to link both.
If we share the API key with one user of serial XYZ, he can share it with another user [having serial number xyz1]. Now when the application of the other user makes an API call, we will not be able to restrict this.
So we want to send this serial number from the software application as a parameter, validate it in Apigee with its allocated API key and then let it go through (or some other way).

Note: The software application is an installable .exe application from which we trigger the APIs. The only unique parameter in this application is its serial/license number. We will have to share the Apigee API key with the user, who will input it in his application.

Ahh, I see. The serial number is generated.... in some other way. Not by Apigee Edge, but externally.

There is a way to "import" externally-generated values into Apigee Edge as API Keys.

POST :mgmtserver/v1/o/:org/developers/:developer/apps/:appname/keys/create 
Authorization: :edge-auth
Content-type: application/json
{
  "consumerKey" : "Unique-Serial-Number-Goes-Here",
  "consumerSecret" : "secretGoesHere-ItCanBeQuiteLong-NeedNotBeUnique"
}

That way, you could have the .exe just send its serial number to the APIs. Then the VerifyApiKey will verify the serial number, as an API key. This may not be ideal, because if the API key has to be revoked for some reason, the customer will need to get a new copy of the app.

Another way to accomplish what you want is... to keep the API key and the serial number distinct, as they are today. Then, attach the serial number as a custom attribute to the app.

[Screenshot: storing the serial number as a custom attribute on the app in the Edge UI]

The VerifyApiKey verifies the API key, and implicitly loads into memory all of the values of the custom attribute on the app. Then you can include a second check in your flow, like this:

 <Step>
  <Name>VerifyApiKey-1</Name>
 </Step>
 <Step>
  <Name>RaiseFault-InvalidSerialNumber</Name>
  <!-- VerifyAPIKey exposes each custom app attribute as verifyapikey.{policy-name}.{attribute-name} -->
  <Condition>verifyapikey.VerifyApiKey-1.SerialNumber != request.header.serial</Condition>
 </Step>

The Condition would have to compare the value of the custom attribute, and the inbound serial number (the header used to pass it).

Then if the customer gets a new App in Apigee Edge, you would have to re-register that serial number in the new app. If the customer installs a new .exe (gets a new serial #), then you would have to update the serial number in the App.

I showed the UI for adding / modifying Custom attributes on apps, but you can do this with the Admin API too, so this could all be automated. See here.
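
The custom-attribute check described in this reply, written as the body of an Apigee JavaScript policy, as an added example that is not code from the thread or from Apigee. `context.getVariable` and `context.setVariable` are the real policy API; the policy name VerifyApiKey-1, the attribute name SerialNumber and the header name serial are taken from the reply; `makeContext` and `demoSerial` are stand-ins assumed here so the logic runs outside Apigee.

```javascript
// Added example, not code from the thread or from Apigee: the custom-attribute
// check described above, written as the body of an Apigee JavaScript policy.
// context.getVariable / context.setVariable are the real policy API; the policy
// name VerifyApiKey-1, the attribute name SerialNumber and the header "serial"
// come from the reply. makeContext and demoSerial are stand-ins (assumptions)
// so the logic runs outside Apigee. ES5 syntax is used on purpose: Edge's
// JavaScript policies run on Rhino, which does not accept newer syntax.

// Compare two strings without stopping at the first mismatch, so the response
// time does not hint at how many leading characters were right.
function equalConstantTime(a, b) {
  if (a.length !== b.length) return false;
  var diff = 0;
  for (var i = 0; i < a.length; i++) {
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  }
  return diff === 0;
}

// Decides whether the serial presented by the caller matches the one
// registered on the app that owns the verified API key. Sets serial.valid and
// serial.reason as flow variables so a following RaiseFault step can use
// <Condition>serial.valid != true</Condition>. Every branch fails closed.
function checkSerial(context) {
  var registered = context.getVariable('verifyapikey.VerifyApiKey-1.SerialNumber');
  var presented = context.getVariable('request.header.serial');
  var reason = 'ok';
  if (registered === null || registered === undefined || registered === '') {
    reason = 'no serial registered for app';
  } else if (presented === null || presented === undefined || presented === '') {
    reason = 'serial header missing';
  } else if (!equalConstantTime(String(registered).trim(), String(presented).trim())) {
    reason = 'serial mismatch';
  }
  context.setVariable('serial.valid', reason === 'ok');
  context.setVariable('serial.reason', reason);
  return reason === 'ok';
}

// Stand-in for Apigee's context object (assumption): holds the flow variables
// that VerifyAPIKey and the inbound request would have populated. Unset
// variables read as null, as they do in the policy runtime.
function makeContext(vars) {
  var store = {};
  for (var k in vars) { if (vars.hasOwnProperty(k)) store[k] = vars[k]; }
  return {
    getVariable: function (name) { return store.hasOwnProperty(name) ? store[name] : null; },
    setVariable: function (name, value) { store[name] = value; },
    variables: function () { return store; }
  };
}

// The scenarios from the thread, with constructed values: a matching install,
// the key reused from another install (serial xyz1), a request with no serial
// header, and a key whose app never had a serial registered.
function demoSerial() {
  var cases = [
    { 'verifyapikey.VerifyApiKey-1.SerialNumber': 'XYZ', 'request.header.serial': 'XYZ' },
    { 'verifyapikey.VerifyApiKey-1.SerialNumber': 'XYZ', 'request.header.serial': 'xyz1' },
    { 'verifyapikey.VerifyApiKey-1.SerialNumber': 'XYZ' },
    { 'request.header.serial': 'XYZ' }
  ];
  return cases.map(function (vars) {
    var ctx = makeContext(vars);
    var ok = checkSerial(ctx);
    return { ok: ok, reason: ctx.variables()['serial.reason'] };
  });
}
```

In a proxy this would sit in a JavaScript policy step placed directly after VerifyApiKey-1, with the RaiseFault step conditioned on `serial.valid != true`. Keep in mind what the check does and does not give you: the serial is readable inside the installed application, so it is not a secret and this binds a key to an install rather than adding a second authentication factor, and because it travels in a request header the proxy should only be reachable over TLS.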

Thank you so much for solving my problem in 2 ways :)

I am a very basic and new user, so I have a very small question -

Where do I put the above code in my account?

a)

<Quota name="QuotaPolicy" type="flexi">
  <Identifier ref="request.header.apikey"/>
  <Interval>1</Interval>
  <TimeUnit>hour</TimeUnit>
  <Allow count="1000"/>
</Quota>

b)

POST :mgmtserver/v1/o/:org/developers/:developer/apps/:appname/keys/create
Authorization: :edge-auth
Content-type: application/json
{
  "consumerKey" : "Unique-Serial-Number-Goes-Here",
  "consumerSecret" : "secretGoesHere-ItCanBeQuiteLong-NeedNotBeUnique"
}

c)

 <Step>
  <Name>VerifyApiKey-1</Name>
 </Step>
 <Step>
  <Name>RaiseFault-InvalidSerialNumber</Name>
  <Condition>verifyapikey.VerifyApiKey-1.SerialNumber != request.header.serial</Condition>
 </Step>