apigee - Differences in validating APIKeys with GetOAuthV1Info and VerifyAPIKey
We are in the process of totally rewriting our main API proxy config, and discovered an issue with our new configuration (or maybe our existing one) relating to how API keys are being validated. Our current API uses the policy GetOAuthV1Info:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<GetOAuthV1Info enabled="true" continueOnError="false" async="false" name="apikey-validate">
    <DisplayName>apikey-validate</DisplayName>
    <FaultRules/>
    <Properties/>
    <AppKey ref="request.queryparam.apikey"></AppKey>
</GetOAuthV1Info>

Our new configuration uses the policy VerifyAPIKey:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<VerifyAPIKey async="false" continueOnError="false" enabled="true" name="verify-api-key">
    <DisplayName>verify api key</DisplayName>
    <APIKey ref="request.queryparam.apikey"/>
</VerifyAPIKey>

On the surface both of these policies appear to work fine. However, after deploying the new config to our test environment, API keys are failing with a 401 Unauthorized error. Digging into the keys, we discovered the assigned product doesn't have access to the test environment. It appears the GetOAuthV1Info step is not validating the environment..? The documentation for GetOAuthV1Info doesn't help, as it doesn't talk about API keys at all (http://apigee.com/docs/api-services/content/authorize-requests-using-oauth-10a).
Fixing this particular issue is pretty straightforward, in that we need to allow the other products access to the test environment. However, it makes me wonder what other differences there are between these 2 policies? I'm nervous about deploying changes to these API proxies because I don't know what else will break, or what other unforeseen issues will appear.
Is this a known limitation of the GetOAuthV1Info policy? Why does it work at all? What other differences between these 2 policies might bite me later?
The difference I'm aware of is that variable names are assigned differently in the VerifyAPIKey policy (it appends the policy type and name to the variables, verifyapikey.verify_apikey-1.apiproduct.developer.quota.limit for example).
Both VerifyAPIKey and OAuth 1 support restrictions on environment -- when I tested GetOAuthV1 with an API key in an invalid environment, I got this error:
OAuth Failure : Invalid API call as no apiproduct match found

Keep in mind that the convention for projects seems to be either OAuth2 flows or VerifyAPIKey, so there is less info on the OAuth1 policies.
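A pre-deployment check for the failure described in the question, as an added example (not code from the question or the answer): it lists the keys that an environment-enforcing policy would reject because none of their approved products covers the target environment. The field names (`environments`, `credentials`, `consumerKey`, `apiProducts`, `apiproduct`, `status`) are assumed to match the JSON the Apigee management API returns for API products and developer apps, the treatment of an empty environment list is an assumption, and the sample records are constructed.

```python
def keys_blocked_in_env(products, apps, env):
    """Return (app name, consumer key, approved product names) for every key
    with no approved product that covers `env`."""
    env_by_product = {p["name"]: p.get("environments", []) for p in products}
    blocked = []
    for app in apps:
        for cred in app.get("credentials", []):
            # Only products in "approved" state count towards key validation.
            approved = [r["apiproduct"] for r in cred.get("apiProducts", [])
                        if r.get("status") == "approved"]
            # Assumption: a product with an empty environment list is unrestricted.
            usable = [name for name in approved
                      if name in env_by_product
                      and (not env_by_product[name] or env in env_by_product[name])]
            if not usable:
                blocked.append((app["name"], cred["consumerKey"], approved))
    return blocked


# Constructed sample data (not taken from the page).
PRODUCTS = [
    {"name": "prod-only", "environments": ["prod"]},
    {"name": "all-envs", "environments": ["test", "prod"]},
]
APPS = [
    {"name": "billing-app", "credentials": [
        {"consumerKey": "KEY-AAA",
         "apiProducts": [{"apiproduct": "prod-only", "status": "approved"}]}]},
    {"name": "mobile-app", "credentials": [
        {"consumerKey": "KEY-BBB",
         "apiProducts": [{"apiproduct": "prod-only", "status": "approved"},
                         {"apiproduct": "all-envs", "status": "approved"}]}]},
    {"name": "pending-app", "credentials": [
        {"consumerKey": "KEY-CCC",
         "apiProducts": [{"apiproduct": "all-envs", "status": "pending"}]}]},
]

if __name__ == "__main__":
    for app, key, approved in keys_blocked_in_env(PRODUCTS, APPS, "test"):
        print(f"{app}\t{key}\tapproved products: {approved or 'none'}")
```

Running the same check against each environment before switching policies shows which product definitions need updating first.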
apigee