I am currently using my free subscription and trying to get the access token via the client credential flow.
For this I am using the pre-packaged oauth API that comes along with the free subscription.
Here is my setup:
As per my understanding it should fail to generate the access token, but it provides an access token. What am I missing here?
Hi @chinmayarath,
> When you create an API product, specifying access to 'helloNode' in 'test' environment - you are restricting access to ONLY 'helloNode'.
> In your configuration, you have not specified any access restrictions for the oauth API
So, the behavior you are seeing is valid.
What really happens in your case is:
> oauth provider [which is your oauth API] distributes access tokens to valid consumers [client_id]
> the access token inherits all the access rules configured in the API Product - so what this means is
you could use the access token to call 'helloNode' api in 'test'
but you CANNOT use the access token to call 'helloNode' api in 'prod'
Makes sense?
If you want to achieve what you described in your question, what you can do is:
> add 'oauth api' also to your product, along with 'helloNode'
> In your 'oauth api' add a VerifyAPIKey policy, before Generating Access Token
Now the difference is that you are protecting/restricting access to the oauth api as well [earlier it was not enforced, but now it will be enforced].
The concept of API product is very powerful, you can read about it here, http://apigee.com/docs/developer-services/content/what-api-product
It provides a way for you to provision your APIs to your consumers and also govern who has access to what and who gets access to what.
Hope this helps!
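The second suggestion in the reply above, written out as Apigee Edge policy configuration. This is an added example, not part of the original reply and not the pre-packaged proxy's own files; the policy names, flow name, flow condition, expiry value and the location of `client_id` in a form parameter are assumptions.

```xml
<!-- Added example. Names and values are placeholders, not taken from the thread. -->

<!-- policies/Verify-Client-Product.xml
     Rejects the request unless client_id belongs to an approved app whose
     API product includes THIS proxy (the oauth API) in the current environment.
     Assumption: client_id is sent as a form parameter. If it is sent in a
     Basic Authorization header, decode it into a variable first and
     reference that variable here instead. -->
<VerifyAPIKey name="Verify-Client-Product">
  <APIKey ref="request.formparam.client_id"/>
</VerifyAPIKey>

<!-- policies/Generate-Access-Token.xml
     Issues the token; only reached when the product check above passes. -->
<OAuthV2 name="Generate-Access-Token">
  <Operation>GenerateAccessToken</Operation>
  <ExpiresIn>3600000</ExpiresIn> <!-- constructed value: 1 hour in milliseconds -->
  <SupportedGrantTypes>
    <GrantType>client_credentials</GrantType>
  </SupportedGrantTypes>
  <GrantType>request.queryparam.grant_type</GrantType>
  <GenerateResponse enabled="true"/>
</OAuthV2>

<!-- Conditional flow in the oauth proxy's ProxyEndpoint:
     the product check runs before token generation. -->
<Flow name="AccessTokenClientCredential">
  <Condition>(proxy.pathsuffix MatchesPath "/accesstoken") and (request.verb = "POST")</Condition>
  <Request>
    <Step><Name>Verify-Client-Product</Name></Step>
    <Step><Name>Generate-Access-Token</Name></Step>
  </Request>
</Flow>
```

With this in place, a client_id whose product lists only 'helloNode' is rejected at the token endpoint until the oauth API is added to the same product.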