
How to call Apigee management API | Hybrid

Hi,

Could anyone please share any good documentation with authentication steps to call the Apigee Hybrid management API?

I have a service account key. Looking for the following.

Create JWT - with example 

Create OAuth token using JWT - with example

Pass OAuth token to edge API 

 

Best Regards,

Patty

1 ACCEPTED SOLUTION

1 - Can we pass the JWT itself as bearer token or we have to call oauth2 token endpoint to get access token?

No, the self-signed JWT is not a bearer token. Maybe this is a helpful way to think about it: the JWT is an alternative to "client credentials" in an OAuth grant. You send the JWT to the oauth token dispensing endpoint (this is described in RFC 7523), instead of "normal" (RFC 6749) client credentials, which is just a Basic Auth header encoding the consumer ID and Secret. What you get back from Google's oauth endpoint is an opaque access token. You need to use the opaque access token as a bearer token when sending in requests to the API endpoint apigee.googleapis.com.

For more information on using self-signed JWT to get access tokens, please see this older discussion.

2 - What should be the scope while generating JWT? We need admin role for operation activity.

The scope should be https://www.googleapis.com/auth/cloud-platform. Then rely on the ROLES attached to the service account to restrict access. A role might be Apigee Organization Admin (roles/apigee.admin), or some more restricted role, like Apigee API Admin (roles/apigee.apiAdminV2) or Apigee API Reader (roles/apigee.apiReaderV2). Or some custom role that you define. Find the list of "built in" Apigee roles and their associated permissions here: https://cloud.google.com/iam/docs/understanding-roles#apigee-roles

BTW, to find that "cloud-platform" scope value, I just looked in the discovery document for the Apigee API.  There really is just one scope for Apigee.  For some APIs, there are different scopes supported, for restricting the token to be usable for narrower operations than the roles on the account allow. But Apigee doesn't use scopes for that purpose.  

Any reference API (Library) to generate JWT and get access token?

The documentation for the Apigee APIs says

To call this service, we recommend that you use the Google-provided client libraries.

If that's not suitable, then, you can google around for other options.  (Example1 for bash)  What language are you using? Here's an example for Java.

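The three steps asked about, following the flow the accepted answer describes, as an added example that is not part of the original thread or Google's own code. It assumes `openssl` and curl 7.55 or later; `SA_EMAIL` (the key file's `client_email`), `SA_KEY_PEM` (a file holding the key file's `private_key`) and `APIGEE_ORG` are hypothetical variable names.

```shell
#!/bin/sh
# Added example: service-account JWT -> OAuth access token -> Apigee API call.
# SA_EMAIL, SA_KEY_PEM and APIGEE_ORG are assumed variable names, not Google's.
set -eu

TOKEN_URI="https://oauth2.googleapis.com/token"
SCOPE="https://www.googleapis.com/auth/cloud-platform"

b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }

# make_jwt <client_email> <private_key.pem> [now]: RS256-signed assertion.
# Subshell body keeps variables local; exp is 5 minutes out to limit replay.
make_jwt() (
  now=${3:-$(date +%s)}
  header=$(printf '{"alg":"RS256","typ":"JWT"}' | b64url)
  claims=$(printf '{"iss":"%s","scope":"%s","aud":"%s","iat":%d,"exp":%d}' \
    "$1" "$SCOPE" "$TOKEN_URI" "$now" "$((now + 300))" | b64url)
  sig=$(printf '%s.%s' "$header" "$claims" |
    openssl dgst -sha256 -sign "$2" -binary | b64url)
  [ -n "$sig" ] || exit 1   # signing failed (unreadable or invalid key)
  printf '%s.%s.%s' "$header" "$claims" "$sig"
)

# get_access_token <jwt>: RFC 7523 exchange; prints the token endpoint's JSON.
# The body goes in on stdin so the assertion never appears in the process list.
get_access_token() {
  printf 'grant_type=urn%%3Aietf%%3Aparams%%3Aoauth%%3Agrant-type%%3Ajwt-bearer&assertion=%s' "$1" |
    curl -sS --data @- "$TOKEN_URI"
}

# call_apigee <access_token> <org>: the opaque token is the bearer credential.
call_apigee() {
  printf 'Authorization: Bearer %s\n' "$1" |
    curl -sS -H @- "https://apigee.googleapis.com/v1/organizations/$2"
}

# Network calls run only when the caller supplies real inputs.
if [ -n "${SA_EMAIL:-}" ] && [ -n "${SA_KEY_PEM:-}" ] && [ -n "${APIGEE_ORG:-}" ]; then
  jwt=$(make_jwt "$SA_EMAIL" "$SA_KEY_PEM")
  token=$(get_access_token "$jwt" |
    sed -n 's/.*"access_token" *: *"\([^"]*\)".*/\1/p')
  [ -n "$token" ] || { echo "token exchange failed" >&2; exit 1; }
  call_apigee "$token" "$APIGEE_ORG"
fi
```

Keep the PEM file readable only by its owner, and grant the service account the narrowest Apigee role that covers the calls you make, since the scope itself does not narrow access.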
