How can I have multiple callback URLs in an App?

> So I know that Apigee doesn't support multiple callback URLs.

> And that if I do want to do it, I have to set a JavaScript Policy.

As said here: https://docs.apigee.com/api-platform/security/oauth/advanced-oauth-20-topics

But doing it in a JavaScript policy means that if I ever want my APIs to be used by others, like banks, and they have their own redirect URIs, I have to manually edit my JavaScript policy to cater for these new callback URLs for every App. Right, or is it not? Cuz I was thinking it would happen like that.

So to avert changing the JavaScript policy for every App, is it possible to have the allowed callback URLs in a custom attribute on the App on/after registration and just loop through it to validate whether the redirect_uri passed by the client is a valid redirect_uri for that client?

It's just that, yes, I could have multiple redirect_uris when asking for a token, but Apigee won't automatically validate whether it's a valid redirect_uri for that client anymore. But I still want the validation in Apigee that determines whether the callback URL for that App/Client is valid or not. So is it possible to do it through the App's custom attributes instead?

ACCEPTED SOLUTION

Found it.

What I did to achieve this was that I deleted the value in the Callback URL field in the App and then created custom attributes in my App, namely callback1 and callback2, with the proper redirect_uris I want to use.

Then I created an Access Entity Policy that would retrieve these custom attributes I created, stored in the App.

I then created two Extract Variable Policies that would retrieve the value of any of my callback1 or callback2 URIs.

Then I created two other Assign Message Policies that would use the two extracted variables to the proper proxy endpoint I'm using.

After which they will be automatically appended to the request I created that doesn't have a redirect_uri.

Required:

For this to work much like having it in the App's Callback URL field, you will have to create a condition in your Proxy that would check whether the redirect_uris passed in the request of the client are the same as the redirect_uris/callback URLs stored in the custom attributes of your application.

Pros of doing this: (theoretically for now, as I haven't fully done the dynamically changing URIs per App, but this works on a single App)
Every App can have its unique callback URLs. So if you have multiple developers or organizations wanting to use your API with their own redirect URLs, this will automatically be checked on that single endpoint, so long as they declared the proper custom attributes on their app.

Also, can someone please check if I did this right? Because for now it's doing what I want it to do, which is great. Or I might have caused something with these steps I did to have multiple callback/redirect_uri in our App and this shouldn't be done?

Here is my feedback on your approach -

Overall you did it correctly. A few more things you can consider from an optimisation perspective.


  1. Use only one extract variable policy to get the callback URLs value from the access entity policy.
  2. Put a condition in the assign message policy so only one URL gets prepared; if you put 2 URLs the first one will take place and will take you out of control, e.g. 302 redirect.
  3. Create a sharedflow (Access entity + Extract variable + Assign Message) for preparing callback URLs in the request.

No, you should not manage the callback URLs using JavaScript. Instead you can have multiple callback URL fields in the app creation page so the developers can add multiple. On Edge, save them as custom attributes.
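
The check the accepted solution lists as required, comparing the client's redirect_uri with the callback URLs stored in the app's custom attributes, is sketched below as an added example; it is not code from any post in this thread or from Apigee. It is plain JavaScript with hypothetical function names (`registeredCallbacks`, `resolveRedirectUri`) and constructed sample attributes, and it assumes the attribute list has already been read from the app, so nothing per-app is hard-coded in the script.

```javascript
'use strict';

// Constructed sample: custom attributes as read from one app.
// The names callback1/callback2 follow the thread; the URLs are made up.
const sampleAttributes = [
  { name: 'callback1', value: 'https://bank-a.example/oauth/cb' },
  { name: 'callback2', value: 'https://bank-a.example/mobile/cb' },
  { name: 'DisplayName', value: 'Bank A app' },
];

// Hypothetical helper: collect every attribute named callback<N>
// into the app's allow-list, ignoring unrelated or empty attributes.
function registeredCallbacks(attributes) {
  return attributes
    .filter((a) => /^callback\d+$/.test(a.name) && typeof a.value === 'string')
    .map((a) => a.value.trim())
    .filter((v) => v.length > 0);
}

// Hypothetical helper: decide which redirect_uri, if any, the flow may use.
function resolveRedirectUri(requested, attributes) {
  const allowed = registeredCallbacks(attributes);
  if (allowed.length === 0) {
    return { ok: false, reason: 'no_callback_registered' };
  }
  if (requested === undefined || requested === null || requested === '') {
    // A default is only unambiguous when exactly one callback is registered.
    return allowed.length === 1
      ? { ok: true, redirectUri: allowed[0] }
      : { ok: false, reason: 'redirect_uri_required' };
  }
  // Exact string comparison only: no prefix, substring or host-only matching,
  // so a URL that merely starts with a registered value is rejected.
  return allowed.includes(requested)
    ? { ok: true, redirectUri: requested }
    : { ok: false, reason: 'redirect_uri_mismatch' };
}

// Stand-alone demonstration on the constructed sample.
for (const uri of ['https://bank-a.example/mobile/cb',
                   'https://bank-a.example/oauth/cb?next=1', '']) {
  console.log(JSON.stringify(uri), resolveRedirectUri(uri, sampleAttributes));
}
```

A rejected result should stop the flow with an error response to the caller instead of redirecting, since the requested redirect target has not been validated.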