How to restrict calls to Backend based on Access Token

Hi,

We came across a scenario where we need to restrict API calls based on the access token.

Example: if 100 API calls are allowed on a unique access token, the 101st API call with the same access token should terminate.

Can we achieve this using the Spike Arrest policy? If yes, can you help us with how we can achieve it?

Regards,

Ramakrishna


vsphanindra
Participant II

@ramakrishna.mangi

You can use the Quota policy to restrict the number of requests to a proxy by using the "Identifier" tag in the Quota policy, the identifier being the access token.

<Identifier ref="identifierKey"/>

You must use these policies, in this order:

  • VerifyAccessToken
  • Quota

The Quota will look like this:

<Quota name="Quota-1" type='flexi'>
  <Identifier ref='access_token' />
  <Distributed>true</Distributed>
  <Synchronous>false</Synchronous>
  <Interval>1</Interval>
  <TimeUnit>hour</TimeUnit>
  <Allow count='100' countRef='variable_containing_count'/>
</Quota>

Some comments:

  • Be thoughtful about enforcing a quota on an access token. If you don't enforce a limit on the number of access tokens you issue, then the client has an easy way around the quota: upon receiving the 429 code that says "quota exceeded", the client can just refresh the token and effectively reset its quota. Some ways of enforcing a limit on token dispensing include: enforcing proof of work, or applying a client-id-based Quota on the /token endpoint.
  • The config shown here specifies a hard limit of 100 requests per 1 hour. There is a way to specify the limit, interval, and timeunit in configuration. Do this in the API Product screen. If you choose to use this, you must modify the configuration to reference the configured limits, like this:

    <Quota name='Quota-1'>
        <Identifier ref='access_token' />
        <Allow countRef='apiproduct.developer.quota.limit' count='100'/>
        <Interval ref='apiproduct.developer.quota.interval'>1</Interval>
        <TimeUnit ref='apiproduct.developer.quota.timeunit'>hour</TimeUnit>
        <Distributed>true</Distributed>
        <Synchronous>false</Synchronous>
    </Quota>
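The client-id-based Quota on the /token endpoint that the first comment recommends, shown as an added example rather than code from the reply above: the PreFlow and policies of a separate token-issuing proxy. It assumes a client_credentials grant with the app credentials in the HTTP Basic Authorization header; the policy names, the 5-tokens-per-hour limit and the decoded.client_id variable are made up for the example.

```xml
<!-- Token proxy PreFlow: decode the credentials, count token requests per client_id,
     and only then mint a token. Limiting issuance this way means refreshing the token
     no longer resets the per-access-token Quota on the API proxy. -->
<PreFlow name="PreFlow">
  <Request>
    <Step><Name>BasicAuth-DecodeClientCredentials</Name></Step>
    <Step><Name>Quota-TokenIssuancePerClientId</Name></Step>
    <Step><Name>OAuthV2-GenerateAccessToken</Name></Step>
  </Request>
</PreFlow>

<!-- Pull client_id out of the Basic Authorization header so the Quota can key on it.
     A /token call without credentials faults here before any counter is touched. -->
<BasicAuthentication name="BasicAuth-DecodeClientCredentials">
  <Operation>Decode</Operation>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <User ref="decoded.client_id"/>
  <Password ref="decoded.client_secret"/>
  <Source>request.header.Authorization</Source>
</BasicAuthentication>

<!-- Example limit: 5 tokens per client_id per hour (constructed value). Synchronous counting
     is used because the allowed count is small and an asynchronous counter may briefly
     let a burst exceed it. -->
<Quota name="Quota-TokenIssuancePerClientId" type="flexi">
  <Identifier ref="decoded.client_id"/>
  <Allow count="5"/>
  <Interval>1</Interval>
  <TimeUnit>hour</TimeUnit>
  <Distributed>true</Distributed>
  <Synchronous>true</Synchronous>
</Quota>

<!-- Runs only if the issuance quota was not exceeded; credentials are read from the
     same Basic Authorization header. -->
<OAuthV2 name="OAuthV2-GenerateAccessToken">
  <Operation>GenerateAccessToken</Operation>
  <SupportedGrantTypes>
    <GrantType>client_credentials</GrantType>
  </SupportedGrantTypes>
  <GrantType>request.formparam.grant_type</GrantType>
  <ExpiresIn>3600000</ExpiresIn>
  <GenerateResponse enabled="true"/>
</OAuthV2>
```

The API proxy itself keeps the VerifyAccessToken then Quota order shown above; the two quotas together bound both how many tokens a client can obtain and how many calls each token can make.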