Header Enrichment or Injection


Hi all, I need support in understanding how to design an API Proxy bundle flow that implements header enrichment on the request that will be sent to the back-end API.

Basically, after an LDAP user-credentials check, I need to manipulate the request flow in order to add a header that contains a value retrieved from the LDAP response.

ACCEPTED SOLUTION

@Cosimo You can use the AssignMessage policy to enrich your request before sending it to your backend.

For example, the policy below will add a custom header to the outgoing request to the backend.

<AssignMessage name="assignMessage-4">
  <AssignTo createNew="false" type="request"></AssignTo>
  <Add>
    <Headers>
      <Header name="custom-header">{custom-header-value}</Header>
    </Headers>
  </Add>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
</AssignMessage>

With this policy you can modify both request and response messages (adding/editing/removing headers, query params, or even payload elements).

You could also implement similar functionality in JS if you like coding. Hope it helps!


REPLIES

Hi @sudheendra1, thank you for your feedback. Please let me show you my use case:

- the APIProxy is invoked using an access token

- the APIProxy retrieves the user credentials by using the access token

- the APIProxy invokes LDAP by using the credentials retrieved at the previous step

- the LDAP returns back to the APIProxy the JWT token that contains a list of variables

- Apigee should be configurable in order to select a subset of the variables retrieved at the previous step and select which of these variables should be sent to the back-end API

Any suggestion?

Thanks

Cosimo

Ok, I assume all the steps up to obtaining a JWT token are implemented. Once you receive the JWT token, you need to decode it. You could build a node.js proxy (there are node modules available) or use an external provider to decode the token. Once the token is decoded, you will get access to the payload. Based on the format of your payload, use the ExtractVariables policy to retrieve the desired parameters out of the payload. Then, with the AssignMessage policy, set the custom headers and call your backend.

You can decode the JWT using JS or Java callouts - no direct need for JWT. Here is a Java callout that does it.

Hi all, @dino, @sudheendra1, thank you for your answer. Do you have any idea how to implement these two steps? I mean:

- the APIProxy retrieves the user credentials by using the access token

- the APIProxy invokes LDAP by using the credentials retrieved at the previous step

- the LDAP returns back to the APIProxy the JWT token that contains a list of variables

Thank you

Cosimo

Yes:

- original request passes in the bearer token in the Authorization header

- the proxy uses the OAuthV2 policy (VerifyAccessToken operation) to verify the access token. This implicitly retrieves custom attributes that have been set on the access token, including possibly user credentials.

- if you have an On-premises Apigee Edge, there is an LDAP policy that you can use to verify credentials against your LDAP. If you do not have on-premises Edge, then you need to expose your LDAP in some way as a callable web service, and then use ServiceCallout from within the Edge proxy to invoke the LDAP authentication endpoint.

- The JWT gets returned by your LDAP. You can then use the Java callout I cited earlier to decode or verify the JWT.

----

Having said all this, I don't think it's a great idea to store user credentials as a custom attribute in the access token. A better idea might be:

- have the app directly authenticate against your LDAP. I suppose this might be Azure Active Directory. If so, Azure AD has a lovely REST interface for authentication that the app can use directly. The app then has a JWT signed by Azure. So far no Apigee involvement.

- the app sends the signed JWT to a custom-designed API Proxy in Edge. Edge verifies the JWT and the signature using Azure's certificate. The Edge proxy then generates a new OAuth token and inserts claims from the JWT into the token. The Edge proxy returns the small opaque OAuth token to the app. The bearer token has the same lifetime/expiry as the original JWT.

- on subsequent calls to Edge, the app passes the opaque OAuth token to the Edge proxy. When Edge verifies it, Edge obtains all the JWT claims, and can make authorization decisions based on those claims.

- When the opaque token expires, Apigee returns an appropriate message to the app. The app then knows to contact Azure AD to get a new JWT. The app could be using OpenID Connect to do this, which means it has a refresh token and can ask for the refreshed token from Azure in that way.

----

This seems like a cleaner approach than storing user credentials in the token inside Apigee Edge.

Best of luck!

Hi @sudheendra1,

Do you have any idea how to retrieve the user credentials by using the token received as input to the API Proxy?

Thanks

Cosimo

It really depends on your preference. I would pick a simple node.js proxy to do this. There are a bunch of node.js modules available which you could use. For example - https://www.npmjs.com/package/jwt-simple

Create a node.js proxy in Edge using this library and call it from your other proxy. The response from the node.js decoder proxy would be the payload with credentials. Once you have the JSON payload, extract the credentials and construct your final request message. Hope this helps!

How can we use a custom header value as below?

Custom Header Value:

<Cred ><Username>abc@test.com </Username><Password>test</Password><Key>testkey </Key></Cred>