Apigee Architecture Design Issue

maulikhdave
Participant II

Hello All,

I'm really confused by the condition below.

I have my own back end system with its own authentication mechanisms.

     
User Authentication MyBackEnd
     

So if anyone wants to use any of my services, they must be authenticated by my backend.

Now I have created some product and I want to explore it.

But I don't want to allow my product's consumers to be registered with my back end.

Then what would be the best approach?

Also, my Apigee product consumer has many clients who will access my product through my consumer.

Looking for the best approach.


robert
Participant V

@maulik dave -- what type of authentication is used on your backend?

We are using token authentication.

OK. So you want Edge to be a client of your backend, but the clients should not be clients of your backend? Also, what kind of token? Is that backend using OAuth client credentials?

Yes, some kind of auth.
So your understanding is correct: I have my own back end system which works on a normal token.

Now I want to explore some API by Apigee product,

and that Apigee product will have many consumers,

and each consumer has lots of clients.

So I can't take the cost of creating a new client in my back end.

Hope it makes sense.

Yes, it makes sense. OK, here are some steps for you:

Edge>Backend

  1. Create a proxy on Edge and configure it so that it points to your backend.
  2. Secure your proxy with an OAuth policy.
  3. Create a product on Edge and add the proxy created earlier to it.
  4. Inside your proxy you need to send the token to your backend. I recommend creating the JWT from Edge and sending it to your backend. Your backend can validate it. If your backend requires an OAuth opaque token, you can use a service callout to call a backend OAuth endpoint to obtain a token. Cache the backend token on Edge so you can reuse it until it expires.
  5. You will also need to create a separate OAuth proxy to create the tokens for your Edge clients. Your org currently has one created but you will need to deploy it so you can use it for testing. Recommend making it more robust after testing.

Client>Edge

  1. For each client, create an app and get the credentials. Note: it's not recommended to share credentials between different client apps.
  2. Call your OAuth proxy to get a token. Then call your business proxy and pass the OAuth token.

These are high level steps but hopefully it all makes sense?