Expose Products under Developer App in Authorization Service

I have an Authorization Service that uses OAuthV2 to validate the Basic Auth credentials sent by the client and return an access_token.

I'm suppressing the Apigee-generated response and using my own response for both the successful and the bad case. The main reason for doing this is to make error responses consistent with the backend, hence I'm taking on the responsibility of generating the good response and the bad response from the flow variables.

One flow variable that I couldn't find is the list of API Products that the Developer App has access to. I would like to access this so I can add it as a JSON element in the Auth response.

How can I do that?


Assuming you're verifying an API key in your flow at some point, the apiproducts element of verifyapikey.{policy_name}.app is probably what you want. You can find details here: https://docs.apigee.com/api-platform/reference/policies/verify-api-key-policy#flowvariables-appflowv...

It's an Auth service, so it comes with Basic Auth credentials; there is no "API Key" here. Does the Verify API Key policy still work in that case?

My understanding is that your external Authorization service manages the user credentials, but that external service does not manage the app-to-product mapping. Apigee manages that mapping, but the mapping information is not shared with the external auth service.

One thing you could do is interpose Apigee between the client and the ext auth service during the token grant flow. Like this:

1. The client invokes Apigee with user credentials (probably a password grant).
2. Apigee passes the Basic Auth credentials through to the external auth service.
3. Upon a successful response with an OAuth2 token, Apigee mints its own token with OAuthV2/GenerateAccessToken, which then generates the response that contains the API Product list.
4. Apigee sends that payload to the requesting client. Apigee can simply discard the original OAuth token from the external auth service.

OK, that takes care of token issuance. For subsequent calls, the client presents the token in the request to Apigee, and the Apigee proxy just invokes OAuthV2/VerifyAccessToken to check that the token is valid for the proxy.
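The response-building step of the flow described in the reply above, as an added example that is not code from the original thread or from Apigee: a script for an Apigee JavaScript policy that runs after OAuthV2/GenerateAccessToken (with `<GenerateResponse enabled="false"/>`, as the question describes) and assembles the custom token payload, including the API Product list, from the policy's flow variables. It assumes the OAuthV2 policy is named `GenerateToken`; the `oauthv2accesstoken.{policy_name}.*` variable names follow the Apigee OAuthV2 policy reference and should be confirmed against your Edge/X version. The `makeContext` shim and the `SAMPLE_VARS` values are constructed so the script also runs stand-alone in Node; inside Apigee the real `context` object is used instead.

```javascript
// Added example, not from the original thread. Written in ES5 so it runs both
// in Node and in Apigee's JavaScript policy (Rhino).

var POLICY = "GenerateToken";                       // assumed OAuthV2 policy name
var PREFIX = "oauthv2accesstoken." + POLICY + ".";   // variable prefix per Apigee docs

// Apigee publishes the app's products as a bracketed, comma-separated string,
// e.g. "[orders-api, catalog-api]"; turn it into a real JSON array.
function parseProductList(raw) {
  if (raw === null || raw === undefined) return [];
  var s = String(raw).trim();
  if (s.charAt(0) === "[" && s.charAt(s.length - 1) === "]") s = s.slice(1, -1);
  return s.split(",")
    .map(function (p) { return p.trim(); })
    .filter(function (p) { return p.length > 0; });
}

// Build {status, body} for the proxy response. A missing access_token means
// GenerateAccessToken did not mint a token; the policy raises a fault in that
// case, so this script would run from a FaultRule and maps fault.name onto the
// error shape the backend uses (field names here are assumed).
function buildTokenResponse(ctx) {
  var token = ctx.getVariable(PREFIX + "access_token");
  if (!token) {
    return {
      status: 401,
      body: {
        error: "invalid_client",
        error_description: ctx.getVariable("fault.name") || "token generation failed"
      }
    };
  }
  return {
    status: 200,
    body: {
      access_token: token,
      token_type: ctx.getVariable(PREFIX + "token_type") || "BearerToken",
      expires_in: Number(ctx.getVariable(PREFIX + "expires_in")),
      api_products: parseProductList(ctx.getVariable(PREFIX + "api_product_list"))
    }
  };
}

// Write the result into the proxy's response variables so Apigee returns it
// to the client instead of the suppressed policy-generated response.
function applyResponse(ctx, resp) {
  ctx.setVariable("response.status.code", resp.status);
  ctx.setVariable("response.header.Content-Type", "application/json");
  ctx.setVariable("response.content", JSON.stringify(resp.body));
  return resp;
}

// Minimal stand-in for Apigee's context object (constructed, for offline runs).
function makeContext(vars) {
  return {
    vars: vars,
    getVariable: function (name) {
      return Object.prototype.hasOwnProperty.call(vars, name) ? vars[name] : null;
    },
    setVariable: function (name, value) { vars[name] = value; }
  };
}

// Constructed sample of what GenerateAccessToken sets after a successful
// password grant that Apigee proxied to the external auth service.
var SAMPLE_VARS = {
  "oauthv2accesstoken.GenerateToken.access_token": "xyz123",
  "oauthv2accesstoken.GenerateToken.token_type": "BearerToken",
  "oauthv2accesstoken.GenerateToken.expires_in": "3599",
  "oauthv2accesstoken.GenerateToken.api_product_list": "[orders-api, catalog-api]"
};

// Inside Apigee `context` is provided by the runtime; in Node fall back to the shim.
var ctx = (typeof context !== "undefined") ? context : makeContext(SAMPLE_VARS);
applyResponse(ctx, buildTokenResponse(ctx));
```

Because the client's Basic Auth credentials are validated by the external service and Apigee only mints its own token afterwards, the product list in this payload is Apigee's view of the app's entitlements, which is exactly the mapping the external auth service never sees.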