How to call an API without an access token

I want something like this: we generate an access token using client_credentials and pass this access token in the API's authorization, but I don't want to pass the access token again and again?

ACCEPTED SOLUTION

If you are securing one api, then you need to send the access token to get validated before the request reaches the resource server.

One thing I would specify is client credentials grant type is used for very trusted applications. So, in that case you can store the access token in the app until it expires and the same will be produced by the app for subsequent requests.
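A sketch of the client-side caching described in the answer above, as an added example that is not part of the original thread: the app fetches a client_credentials token once, reuses it for every request until shortly before `expires_in` elapses, and refetches once if the gateway answers 401. `TokenCache`, `call_api` and `FakeGateway` are hypothetical names, and the fake gateway is a constructed stand-in for the real token endpoint and API proxy so the code runs offline.

```python
import threading
import time


class TokenCache:
    """Caches a client_credentials access token until shortly before it expires."""

    def __init__(self, fetch_token, clock=time.monotonic, skew=30):
        self._fetch = fetch_token   # callable returning an OAuth token response dict
        self._clock = clock
        self._skew = skew           # refresh this many seconds before expiry
        self._lock = threading.Lock()
        self._token = None
        self._expires_at = 0.0

    def get(self):
        with self._lock:
            if self._token is None or self._clock() >= self._expires_at:
                resp = self._fetch()
                self._token = resp["access_token"]
                self._expires_at = self._clock() + int(resp["expires_in"]) - self._skew
            return self._token

    def invalidate(self):
        with self._lock:
            self._token = None


def call_api(send, cache, path):
    """Send with the cached token; on 401 fetch a fresh token and retry once."""
    for _ in range(2):
        status, body = send(path, {"Authorization": "Bearer " + cache.get()})
        if status != 401:
            break
        cache.invalidate()          # token was revoked or expired early at the gateway
    return status, body


class FakeGateway:
    """Constructed stand-in for the token endpoint and a token-verifying proxy."""

    def __init__(self):
        self.issued = 0
        self.valid = set()

    def token_endpoint(self):
        self.issued += 1
        tok = "tok-%d" % self.issued
        self.valid.add(tok)
        return {"access_token": tok, "token_type": "Bearer", "expires_in": 3600}

    def send(self, path, headers):
        tok = headers.get("Authorization", "")[len("Bearer "):]
        return (200, "ok " + path) if tok in self.valid else (401, "invalid token")
```

The token is still sent on every request; only the call to the token endpoint is avoided while the cached token remains valid.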


OAuth specifies that an access token must be passed with each request. "Again and again".

That's the way OAuth tokens work.

Please have a look.

@Priyadarshi Ajitav Jena @Dino-at-Google I agree with both answers, but my requirement is a little bit different. Once we generate an access token using the client credentials grant type (with the POST verb), something like this:

10790-screenshot-124.png

After this, when the client hits my API like this:

10791-screenshot-125.png

So in the header I am passing authorization = Bearer {Access Token}, but I don't want this. I want my client to get a response without authorization. I asked somebody and they said you can do this using the Extract variable and Assign message policy. Please help me, I am very new to Apigee. Thanks,

Will contact you sometime by mail.

Thanks a lot, sir.

Sir, I haven't received any mail.

i don't want this. I want my client got response without authorization

Yes, well, if you don't want to require authorization, then don't configure your apiproxy to require it. Do not include a policy like VerifyAccessToken in your proxy. That's pretty simple, isn't it?

I feel the need to comment further. Generating a token and sending it back to the client, only to later ... not use the token.... seems nonsensical to me. What is the point of dispensing a token to the client if the client won't subsequently use it? How will you then distinguish between authorized calls and anonymous calls if the client doesn't send a token?

i asked somebody they said you can do this using Extract variable and Assign message policy.

Hmm. I don't see how those policies have anything to do with your stated goal. If you want to allow the client to send in a request that has no authorization, then ... do that. Simply omit the VerifyAccessToken step. You don't need ExtractVariables or AssignMessage.

Be aware that exposing an API proxy that does not have a VerifyAccessToken policy (or VerifyAPIKey, etc) means that any client can call it. It's wide open. That should be obvious, but I'm telling you because you seem to be a little off-track with your ideas about ExtractVariables and so on.