Want to do both OAuth security in Apigee and normal API validation using the proxy API provided by Apigee

Hi all,

Want to do both OAuth security validation and API validation (which I have done in my code using a JWT token).

  • I am able to do OAuth security validation for the public access service.
  • Now I am trying to do both OAuth validation and API validation (done using JWT). In this case I want to send two tokens (access token and JWT token) while hitting Apigee. Need help to implement this.

Can I set the access token in a different key/in the body so that I can set my JWT token in the Authorization header key, and it won't affect my normal JWT validation?


dubeyrahul
Participant I

Hi,

By default, the OAuth V2 policy expects the access token to be present in the Authorization HTTP request header.

You can change this behavior by setting the location of your access token in the <AccessToken> element of the OAuth policy configuration XML. Something like below.

<OAuthV2 async="false"
         continueOnError="false" enabled="true" name="VerifyAccessToken">
  <DisplayName>VerifyAccessToken</DisplayName>
  <AccessToken>request.queryparam.access_token</AccessToken>
  <Operation>VerifyAccessToken</Operation>
  <Tokens/> 
</OAuthV2>

Yes.

And a similar thing is possible with the VerifyJWT policy. There is the Source element, which allows you to specify an alternate place to look for the inbound JWT.

<VerifyJWT name='verify-01'>
  <Algorithm>RS256</Algorithm>
  <Source>request.header.MyToken</Source>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <PublicKey>
    <Value ref='public_key'/>
  </PublicKey>
</VerifyJWT>

If you pass the JWT in the Authorization header, the Bearer prefix is optional - the VerifyJWT will work with or without the prefix. If you pass the JWT in any other header, there must be no prefix at all; the value of the header should be just the JWT itself.
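Putting the two answers together, here is an added example (not from either poster) of a proxy that verifies both tokens on every request: the OAuthV2 policy reads the access token from a custom X-Access-Token header, and VerifyJWT reads the JWT from the Authorization header, so the existing JWT validation is unchanged. The header name, policy names, base path and the public_key variable are assumptions.

```xml
<!-- policies/VerifyAccessToken.xml: OAuth access token taken from a custom header
     (assumed name X-Access-Token) instead of the default Authorization header.
     Assumed to be sent as the bare token, without a Bearer prefix. -->
<OAuthV2 async="false" continueOnError="false" enabled="true" name="VerifyAccessToken">
  <DisplayName>VerifyAccessToken</DisplayName>
  <Operation>VerifyAccessToken</Operation>
  <AccessToken>request.header.X-Access-Token</AccessToken>
</OAuthV2>

<!-- policies/VerifyJWT-Authorization.xml: the JWT stays in Authorization,
     so existing clients keep sending it exactly as before (Bearer prefix optional). -->
<VerifyJWT name="VerifyJWT-Authorization">
  <Algorithm>RS256</Algorithm>
  <Source>request.header.Authorization</Source>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <PublicKey>
    <!-- assumed: flow variable holding the PEM public key, e.g. populated from a KVM -->
    <Value ref="public_key"/>
  </PublicKey>
</VerifyJWT>

<!-- proxies/default.xml: both checks run in the request PreFlow; the first
     failing policy raises a fault and the target is never called. -->
<ProxyEndpoint name="default">
  <PreFlow name="PreFlow">
    <Request>
      <Step><Name>VerifyAccessToken</Name></Step>
      <Step><Name>VerifyJWT-Authorization</Name></Step>
    </Request>
    <Response/>
  </PreFlow>
  <HTTPProxyConnection>
    <BasePath>/v1/orders</BasePath>  <!-- assumed base path -->
  </HTTPProxyConnection>
  <RouteRule name="default">
    <TargetEndpoint>default</TargetEndpoint>
  </RouteRule>
</ProxyEndpoint>
```

A client then sends both `X-Access-Token: <access token>` and `Authorization: Bearer <jwt>` on the same request; a request missing either header is rejected before it reaches the target.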