Need to create an API product containing a subset of resources implemented in different proxies with different basepath

mgarg
Participant I

Hi @Dino, @Dino-at-Google, @davissean

As per our use case, we want to create an API product containing a subset of resources implemented in different proxies with different basepaths.

For example, let's say we have the following proxies:

a) Identity Proxy (3 operations/resources)

b) Payment Proxy (6 operations/resources)

c) Account Proxy (10 operations/resources)

We want to restrict the resources of the Account proxy and expose only 4 resources of the proxy in the product.

When we tried to add all the proxies and limited paths for the Account proxy in the API product create screen, the Account proxy paths got appended to the base path of all the proxies.

Please find the attached screenshot.


Your observation is correct.

It sounds like what you want is to use a single API Product to expose a subset of multiple proxies.

There's no pointy-clicky way to do that. The paths you provide apply to ANY proxy attached to the product.

You could of course build the enforcement you describe. It wouldn't take too much effort, but it would need an additional policy.

For example you could attach a custom attribute, maybe named "allowedpaths", to the API Product which was a hash of proxy and paths, like this:

{
  "proxy1" : [ "/accounts/*", "/accounts/*/transfers" ],
  "proxy2" : [ "/devices/*", "/devices/*/ids" ],
  ...
}

As you know, any custom attribute that is attached to an API Product is loaded into context automatically by successful execution of VerifyAccessToken or VerifyApiKey. After verifying credentials, you would want the proxy flow to execute a 2nd policy, probably in JS, which looks up the proxy name in that hash, and compares the current pathsuffix to the set of patterns listed for that pathsuffix. And only allow the call if the path matches.

// Proxy name, product-level allowlist and request path for the current call
var p = context.getVariable('apiproxy.name');
var allowedpaths = JSON.parse(context.getVariable('apiproduct.allowedpaths'));
var path = context.getVariable('proxy.pathsuffix');
if (!allowedpaths[p]) {
  // sanity check
  throw new Error("invalid product configuration");
}
// isMatch(path) returns a predicate that tests one pattern against the path
var allowed = allowedpaths[p].find(isMatch(path));

if (!allowed) {
  throw new Error("path is not authorized");
}

(You'd need to supply the isMatch function, comparing the pathsuffix to the patterns, using some glob logic)
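
One possible shape for the isMatch function that the answer above leaves to the reader, as an added example that is not part of the original reply and not Apigee's own code. The glob semantics (`*` is one path segment, `**` is the rest of the path), the fail-closed handling, and the helper names `globToRegExp` and `isPathAllowed` are assumptions.

```javascript
// Added example. Assumed glob semantics: "*" matches exactly one path
// segment, "**" matches the rest of the path. Helper names are hypothetical.
function globToRegExp(pattern) {
  var source = pattern.split('/').map(function (segment) {
    if (segment === '**') return '.*';
    if (segment === '*') return '[^/]+';
    // Escape regex metacharacters so "." or "+" in a pattern stay literal.
    return segment.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  }).join('/');
  return new RegExp('^' + source + '$'); // anchored: no partial matches
}

// Returns a predicate over patterns, so it can be passed to find() or some().
function isMatch(path) {
  return function (pattern) {
    return typeof pattern === 'string' && globToRegExp(pattern).test(path);
  };
}

// Fail closed: any missing, malformed or unexpected input denies the call.
function isPathAllowed(proxyName, pathSuffix, allowedPathsJson) {
  var allowedPaths;
  try {
    allowedPaths = JSON.parse(allowedPathsJson);
  } catch (e) {
    return false;
  }
  if (!allowedPaths || typeof pathSuffix !== 'string') return false;
  // Own-property check so names like "constructor" never resolve to builtins.
  if (!Object.prototype.hasOwnProperty.call(allowedPaths, proxyName)) return false;
  var patterns = allowedPaths[proxyName];
  if (!Array.isArray(patterns)) return false;
  // Refuse "." / ".." and empty segments instead of guessing how the
  // backend will normalise them.
  if (/(^|\/)\.{1,2}(\/|$)/.test(pathSuffix) || pathSuffix.indexOf('//') !== -1) return false;
  return patterns.some(isMatch(pathSuffix));
}

// Constructed sample attribute value, modelled on the JSON in the answer.
var SAMPLE_ALLOWEDPATHS = JSON.stringify({
  proxy1: ['/accounts/*', '/accounts/*/transfers'],
  proxy2: ['/devices/*', '/devices/*/ids']
});
```

In the policy, the three arguments would come from `apiproxy.name`, `proxy.pathsuffix` and `apiproduct.allowedpaths`, as in the snippet above. Whether the path has already been percent-decoded by the time this check runs is something to confirm in your own environment.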

Hi Dino

It was possible with the old classic UI. I could use the same product to 1) add proxy a and b) add resource GET of proxy b, and it was working.

I understand what you're saying. In fact, while the old UI visually suggested that the paths you were adding were related to a particular proxy, that's not what was actually happening.

The behavior and semantics I described above have been consistent for a long time. The backend (Admin API) is still the same. The model is still the same.

In my opinion the old UI was incorrect in the way it was laid out, and it encouraged people to have the wrong idea. We've now changed the UI to render an experience that more closely reflects what's actually happening. We fixed the glitch!