Ability to restrict access in an API Product based on HTTP verb

Let's say that I have a nicely designed RESTful API Proxy with two flows in it, using the same path:

  • Get Product GET /products/*
  • Update Product PUT /products/*

Then say that I want to allow one App (Admin App) to be able to call both of these flows, so I create an API product for that App allowing that.

Then I want to allow another app (Read Only App) to be able to call just the "Get Product" flow. So I create another API Product for that second App, but I don't seem to be able to restrict the access in the way that I want. The Paths configuration in the API Product does not take the HTTP verb into account. Nor does it take the Flow Name into account.

Is it possible to accomplish the above with the API Keys policy and API products and still have a nice RESTful design for my API?


If you are using OAuth, you would do this with scopes, as per https://docs.apigee.com/api-platform/security/oauth/working-scopes.html

If you are using API Keys only, then you could follow the same pattern by using a custom attribute on the API product (e.g. scope). Then in your proxy you would verify the "scope" variable for each endpoint, analogous to how it's done with OAuth.
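The pattern described in the reply above, worked through as an added example. This is not code from the original post or from Apigee: the scope names `product.read` and `product.write`, the route table, the policy name `VerifyKey` in the flow-variable comment, and the sample product attributes are all assumptions chosen to mirror the two flows in the question. The check is written as plain JavaScript so it runs stand-alone under Node; in Apigee the same logic would sit in a JavaScript policy placed after VerifyAPIKey.

```javascript
// Added example (not from the original post): verb-aware authorization driven
// by a "scope" custom attribute on the API product, checked the same way OAuth
// scopes are. In an Apigee JavaScript policy the granted scopes would be read
// from the VerifyAPIKey flow variable, e.g.
//   context.getVariable("verifyapikey.VerifyKey.apiproduct.scope")
// (policy name "VerifyKey" is an assumption; confirm the variable name against
// your own policy), and verb/path from request.verb and proxy.pathsuffix.
// Here they are passed in as arguments so the logic runs offline.

// Route table: the scope each (verb, path pattern) requires. The two flows from
// the question are modelled; the scope names are assumptions.
const ROUTES = [
  { verb: "GET", pattern: "/products/*", scope: "product.read" },
  { verb: "PUT", pattern: "/products/*", scope: "product.write" },
];

// Match a request path against an Apigee-style pattern: "*" matches exactly one
// path segment, "**" matches one or more trailing segments. Query strings are
// ignored, and a trailing "*" does not match a path with no segment there.
function pathMatches(pattern, path) {
  const p = pattern.split("/").filter(Boolean);
  const s = path.split("?")[0].split("/").filter(Boolean);
  for (let i = 0; i < p.length; i++) {
    if (p[i] === "**") return s.length > i;
    if (i >= s.length) return false;
    if (p[i] !== "*" && p[i] !== s[i]) return false;
  }
  return p.length === s.length;
}

// The product's scope attribute is a space-separated list, as OAuth scopes are.
// A missing or empty attribute yields no scopes, so every route is denied.
function parseScopes(attr) {
  return new Set((attr || "").split(/\s+/).filter(Boolean));
}

// Deny by default: a request is allowed only if some route matches both verb
// and path AND the product grants that route's scope. Unknown verbs or paths
// (e.g. DELETE /products/42) are refused even for the admin product.
function isAuthorized(scopeAttr, verb, path) {
  const granted = parseScopes(scopeAttr);
  const route = ROUTES.find(
    (r) => r.verb === String(verb).toUpperCase() && pathMatches(r.pattern, path)
  );
  if (!route) return { allowed: false, reason: "no matching flow" };
  if (!granted.has(route.scope)) {
    return { allowed: false, reason: "missing scope " + route.scope };
  }
  return { allowed: true, reason: "scope " + route.scope + " granted" };
}

// Constructed sample products: the Admin App's product carries both scopes,
// the Read Only App's product carries only the read scope.
const ADMIN_PRODUCT_SCOPE = "product.read product.write";
const READONLY_PRODUCT_SCOPE = "product.read";

// Stand-alone demo of the decisions for a few constructed requests.
const demoRequests = [
  ["Admin", ADMIN_PRODUCT_SCOPE, "PUT", "/products/42"],
  ["ReadOnly", READONLY_PRODUCT_SCOPE, "GET", "/products/42"],
  ["ReadOnly", READONLY_PRODUCT_SCOPE, "PUT", "/products/42"],
  ["ReadOnly", READONLY_PRODUCT_SCOPE, "GET", "/products/42/reviews"],
  ["NoScopeAttr", undefined, "GET", "/products/42"],
];
for (const [app, scope, verb, path] of demoRequests) {
  const d = isAuthorized(scope, verb, path);
  console.log(app, verb, path, "->", d.allowed ? "ALLOW" : "DENY", "(" + d.reason + ")");
}
```

In the proxy, a denied decision would be turned into a 403 with a RaiseFault policy (or `context.setVariable` plus a conditional RaiseFault step) rather than falling through to the target. Because the decision is made on the verb as well as the path, the Read Only App's product can keep the same `/products/*` path as the Admin App's product and still be limited to the GET flow.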