Can I use external OAuth and still access developer & app aware analytics for monetization?


We have a bunch of APIs protected by Keycloak (an OAuth2/OpenID Connect server) that we'd ultimately like to expose to developers and eventually monetize. Our Keycloak installation is fairly heavily customized, so we'd like to continue using it for developer and end-user authentication/management.

Is it possible for developers to register their apps as clients in our Keycloak installation (rather than in the Apigee OAuth infrastructure) and then use Apigee proxies so that we can collect analytics and potentially use the monetization features, including developer- and app-aware metrics/enforcement?

The docs show a couple of ways of integrating third-party OAuth, but with so many ways of using OAuth it's not clear whether our scenario would be supported. Additionally, the Apigee setup is clearly very flexible, but as a consequence it's difficult to be sure that any proof of concept has been set up correctly, or to debug where things are misconfigured!

Any help to confirm/deny this is possible and maybe help me get a POC going would be much appreciated. I believe @Floyd Jones had some thoughts...


Hi @Rob Oxspring, this doc provides the info on integrating external OAuth.

In short,

  1. You need to make a service callout to the external OAuth server.
  2. Verify that you got back a valid token.
  3. Generate a token (or auth code) in the Edge system that uses the third-party token value in place of the one that Edge would have generated.
  4. This way, you can make authenticated API proxy calls to Edge using the third-party token as if it were a token generated by the Edge OAuth2 authentication service itself.

I came across a sample PoC sometime back, but not sure if it is still working.

If you want to leverage developer- and app-aware metrics/enforcement etc., you need to use the Apigee client_id when making calls to the API proxy.

I hope this helps.

Thanks for posting here, @Rob Oxspring. Following is my original answer with a couple of clarifications:

  • This is one I suspect you're not interested in, because it wouldn't let you use monetization.
    You could of course use Apigee as a passthrough layer. Clients would call Edge proxies at first, but the message--and token--would pass right through and get auth'd by Keycloak. That would give you basic traffic and throughput/latency analytics in Apigee. You could also take advantage of policies such as generic traffic throttling, caching, XML/JSON/regex threat protection, IP whitelisting/blacklisting, message transformation, reusable groupings of policies (Shared Flows), message logging, scripting, etc.

    The drawback is that you'd lose out on developer- and app-specific metrics and targeted traffic control (like quota enforcement), because Apigee needs to know about the developers and apps (by being registered in Edge). Edge doesn't currently support pointing to an external LDAP for registered developers.

  • Edge also lets you validate externally generated tokens (described in this topic). However, this requires developers and apps be registered in Edge for the OAuth token validation to work.
    The basic flow is:
    1. Call comes in with Keycloak token.
    2. Edge makes a callout to Keycloak with the token.
    3. Keycloak checks the token and responds with, "Cool! I know this guy."
    4. Edge wraps the Keycloak token in its own token and does its own OAuth validation.

  • But if you eventually want monetization, you'll need your developers also registered in Edge. That's where things could get tricky, though not impossible. The flow might go something like this:
    1. Existing users would need to register with Edge. However, I don't think this would be too much of a hassle for them, since the portal they register with would contain your API docs, and if you're rolling out monetization, they'd expect some kind of sign-up process anyway. In this situation, you could wrap Keycloak tokens and have developers also pass in an Edge API key which would fully identify them to monetization.

      or
    1. New developer registers in your Edge portal.
    2. Your API team gets a notification, and you have a script that adds the developer to Keycloak as well.
    3. When a developer updates her profile on either end, figure out a way to trigger jobs to make the updates in the other user store with the management API.

But I'm hoping somebody can double-check me on the feasibility of #3.
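The validate-then-wrap flow that both replies sketch (callout to Keycloak, check the result, mint an Edge-side token carrying the Keycloak token value, and require the Apigee client_id so the call is attributable to a registered app) can be written out as plain decision logic. The block below is an added example, not code from the original post or from Apigee; it stands in for the proxy's policies with Python functions, and every name in it (the realm URL, the audience `partner-apis`, the consumer key `edge-key-mobile`, the `x-api-key` header, the introspection responses) is a constructed assumption. The part worth noticing is `validate_introspection`: an introspection response saying `active: true` is not by itself enough to wrap, because the wrapped Edge token inherits whatever trust that check establishes, so issuer, audience and expiry are pinned too, and the minted token never outlives the Keycloak one.

```python
"""Added example: proxy-side logic that validates a Keycloak (external) token via
introspection and wraps it in a proxy-issued token bound to a registered app.
All endpoints, keys and claims below are constructed for illustration."""

NOW = 1_700_000_000                                    # fixed clock for determinism
ISSUER = "https://keycloak.example.com/realms/apis"   # assumed Keycloak realm
AUDIENCE = "partner-apis"                             # assumed expected audience
MAX_TTL = 3600                                        # cap on wrapped-token lifetime

# Constructed stand-ins for RFC 7662 introspection responses from Keycloak
# (in the real proxy this is the body of the ServiceCallout response).
INTROSPECTION_RESPONSES = {
    "kc-good":     {"active": True, "exp": NOW + 900, "iss": ISSUER,
                    "aud": ["partner-apis", "account"], "azp": "mobile-app"},
    "kc-expired":  {"active": True, "exp": NOW - 60, "iss": ISSUER,
                    "aud": AUDIENCE, "azp": "mobile-app"},
    "kc-wrongaud": {"active": True, "exp": NOW + 900, "iss": ISSUER,
                    "aud": "some-other-api", "azp": "mobile-app"},
    "kc-revoked":  {"active": False},
}

# Hypothetical developer apps registered in Edge: consumer key -> app/developer.
APP_REGISTRY = {
    "edge-key-mobile": {"app": "mobile-app", "developer": "alice@example.com"},
}


def introspect(token):
    """Stand-in for the callout to Keycloak's token introspection endpoint."""
    return INTROSPECTION_RESPONSES.get(token, {"active": False})


def validate_introspection(claims, now=NOW, issuer=ISSUER, audience=AUDIENCE):
    """Return the claims if the external token is acceptable, else None.

    'active' alone is not sufficient: issuer, audience and expiry are checked
    as well, because the wrapped token inherits whatever this check trusts."""
    if not claims.get("active"):
        return None
    if claims.get("iss") != issuer:
        return None
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)  # RFC 7662: string or array
    if audience not in aud:
        return None
    exp = claims.get("exp")
    if exp is None or exp <= now:
        return None
    return claims


def wrap_token(external_token, api_key, now=NOW):
    """Mint the proxy-side token record.

    Its value is the external token itself (as the thread describes), its
    lifetime never exceeds Keycloak's, and it is bound to the registered Edge
    app so that per-developer/per-app analytics and quotas can key on it."""
    app = APP_REGISTRY.get(api_key)
    if app is None:
        raise PermissionError("unknown Edge consumer key")
    claims = validate_introspection(introspect(external_token), now=now)
    if claims is None:
        raise PermissionError("external token rejected")
    return {
        "access_token": external_token,
        "token_type": "Bearer",
        "expires_in": min(MAX_TTL, claims["exp"] - now),
        "client_id": api_key,
        "app": app["app"],
        "developer": app["developer"],
        "keycloak_client": claims.get("azp"),
    }


def handle_request(headers, now=NOW):
    """Proxy entry point over constructed headers: returns (http_status, body)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "invalid_request"}
    try:
        body = wrap_token(auth[len("Bearer "):], headers.get("x-api-key", ""), now=now)
        return 200, body
    except PermissionError as e:
        return 401, {"error": "invalid_token", "error_description": str(e)}


if __name__ == "__main__":
    print(handle_request({"Authorization": "Bearer kc-good", "x-api-key": "edge-key-mobile"}))
    print(handle_request({"Authorization": "Bearer kc-expired", "x-api-key": "edge-key-mobile"}))
```

The registry lookup happens before the callout on purpose: a request that cannot be attributed to a registered Edge app is rejected without spending a round trip on Keycloak, which is also the behaviour you want for the monetization case in the third bullet, where the Edge API key is what identifies the developer.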