Why access token is getting generated in "prod", even though app has no products for "prod" environment?


I am currently using my free subscription and trying to get the access token via the client credential flow.

For this I am using the pre-packaged oauth API that comes along with the free subscription.

Here is my setup:

  • The oauth API is deployed in both test and prod environment
  • I have created one more API "helloNode" and deployed only to "test" environment
  • For this API I have created a product called "helloNode Product" which is enabled only for the "test" environment.
  • I have created an App to use this "helloNode Product"
  • Now, I am using the app client id and secret to make an access token call to oauth API with "prod" environment URL

As per my understanding it should fail to generate the access token, but it provides an access token. What am I missing here?

ACCEPTED SOLUTION

Hi @chinmayarath,

> When you create an API product, specifying access to 'helloNode' in 'test' environment - you are restricting access to ONLY 'helloNode'.

> In your configuration, you have not specified any access restrictions for the oauth API

So, the behavior you are seeing is valid.

What really happens in your case is:

> The oauth provider [which is your oauth API] distributes access tokens to valid consumers [client_id].

> The access token inherits all the access rules configured in the API Product - so what this means is

you could use the access token to call the 'helloNode' API in 'test',

but you CANNOT use the access token to call the 'helloNode' API in 'prod'.

Makes sense?

If you want to achieve what you described in your question, what you can do is

> add 'oauth api' also to your product, along with 'helloNode'

> In your 'oauth api' add a VerifyAPIKey policy, before Generating Access Token

Now the difference is that you are protecting/restricting access to the oauth API as well [earlier it was not enforced, but now it will be enforced].

The concept of an API product is very powerful; you can read about it here: http://apigee.com/docs/developer-services/content/what-api-product

It provides a way for you to provision your APIs to your consumers and also govern who has access to what and who gets access to what.

Hope this helps!

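The fix the answer describes, as an added configuration example (not the poster's bundle or Apigee's own files): a VerifyAPIKey step is placed in front of the GenerateAccessToken step of the oauth proxy, so the token call is subject to the same product restrictions as 'helloNode'. Policy names are assumed, as is the client sending client_id:client_secret in an HTTP Basic Authorization header.

```xml
<!-- Added example. Policy names are assumed; the client is assumed to send
     client_id:client_secret in a Basic Authorization header. -->

<!-- policies/Decode-Basic-Auth.xml: expose client_id as a flow variable so
     VerifyAPIKey has something to check -->
<BasicAuthentication name="Decode-Basic-Auth">
  <Operation>Decode</Operation>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <User ref="client_id"/>
  <Password ref="client_secret"/>
  <Source>request.header.Authorization</Source>
</BasicAuthentication>

<!-- policies/Verify-API-Key.xml: raises a fault unless client_id belongs to an
     app whose product includes THIS proxy in THIS environment. With
     "helloNode Product" enabled only for test, the same call against the prod
     URL is rejected here instead of being issued a token. -->
<VerifyAPIKey name="Verify-API-Key">
  <APIKey ref="client_id"/>
</VerifyAPIKey>

<!-- policies/GenerateAccessTokenClient.xml: client_credentials token issuance -->
<OAuthV2 name="GenerateAccessTokenClient">
  <Operation>GenerateAccessToken</Operation>
  <ExpiresIn>3600000</ExpiresIn>
  <SupportedGrantTypes>
    <GrantType>client_credentials</GrantType>
  </SupportedGrantTypes>
  <GrantType>request.queryparam.grant_type</GrantType>
  <GenerateResponse enabled="true"/>
</OAuthV2>

<!-- proxies/default.xml (excerpt): step order matters; the key check runs
     before the token is minted -->
<ProxyEndpoint name="default">
  <Flows>
    <Flow name="AccessTokenClientCredential">
      <Condition>(proxy.pathsuffix MatchesPath "/accesstoken") and (request.verb = "POST")</Condition>
      <Request>
        <Step><Name>Decode-Basic-Auth</Name></Step>
        <Step><Name>Verify-API-Key</Name></Step>
        <Step><Name>GenerateAccessTokenClient</Name></Step>
      </Request>
    </Flow>
  </Flows>
</ProxyEndpoint>
```

Adding the oauth proxy to "helloNode Product" is done in the product configuration, not in these files; once it is included and the product stays enabled only for test, the prod token request now fails at Verify-API-Key.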
