Hi,
We have a use case wherein we have a backend that would be exposed to external clients through Apigee. For application-level authentication for a given app we intend to use an API key; there are multiple users inside each app. Each user gets an exclusive session ID from the backend when he logs in. The session management is done by the backend. We intend to use this session ID to implement quotas for a given user. The approach we are looking into for implementing this is as follows:
1. When a user tries to use the login endpoint, we would do the following:
a. Do an API key authentication for application-level access; if authenticated, pass the request on to the backend
b. The backend responds with a session ID, which we want to extract at Apigee and associate with the app using the key value map (KVM), wherein an app is represented by a key and the values are all the session IDs active at a given time
2. When a user tries to use the logout endpoint, we would do the following:
a. Do an API key authentication for application-level access; if authenticated, pass the request on to the backend
b. The backend invalidates the session and hence the session ID becomes invalid. Apigee removes the session ID value from its KVM
3. When a user tries to use any other endpoint (apart from login and logout) which points to the same backend:
a. Do an API key authentication for application-level access
b. If authenticated, implement quotas against the session ID present in the incoming request, which already has an entry in the KVM from step 1 (this would help us prevent abuse)
c. If the quota limit has not been reached, pass the request on to the backend
The above steps would involve dynamic updates on the KVM. How do we dynamically update/delete the set of values associated with a given key in the proxy flow? Is this doable? Is there a better solution?
Thanks,
Vednath
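The three-flow procedure described in the post (login stores the session, logout removes it, everything else checks it and applies a per-session quota), written out as Apigee policy configuration. This is an added example, not code from the poster or from Apigee's documentation. It assumes, for illustration only: the backend returns the session in a JSON field `sessionId`, clients send it back in an `X-Session-Id` header, the API key arrives in an `x-api-key` header, and an environment-scoped KVM named `sessions` already exists. Instead of keeping a list of session IDs under one app key, the map is keyed by session ID with the app's `client_id` (the variable VerifyAPIKey populates) as the value, so each login and logout touches exactly one key:

```xml
<!-- Assumed conventions (not from the original post):
     the backend returns {"sessionId": "..."} on login, clients send the
     session on later calls in an X-Session-Id header, and an environment
     scoped KVM named "sessions" already exists. Key = session ID, value =
     the app's client_id, so Put and Delete each touch a single key. -->

<!-- 1a / 2a / 3a: app-level authentication; populates the client_id variable -->
<VerifyAPIKey name="VAK-App">
  <APIKey ref="request.header.x-api-key"/>
</VerifyAPIKey>

<!-- 1b, response path of /login: pull the session ID out of the backend reply -->
<ExtractVariables name="EV-SessionId">
  <Source>response</Source>
  <JSONPayload>
    <Variable name="session_id">
      <JSONPath>$.sessionId</JSONPath>
    </Variable>
  </JSONPayload>
  <VariablePrefix>login</VariablePrefix>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
</ExtractVariables>

<!-- 1b: record session -> app in the KVM -->
<KeyValueMapOperations name="KVM-PutSession" mapIdentifier="sessions">
  <Scope>environment</Scope>
  <ExpiryTimeInSecs>60</ExpiryTimeInSecs>
  <Put override="true">
    <Key><Parameter ref="login.session_id"/></Key>
    <Value ref="client_id"/>
  </Put>
</KeyValueMapOperations>

<!-- 2b, /logout: drop the entry once the backend has invalidated the session -->
<KeyValueMapOperations name="KVM-DeleteSession" mapIdentifier="sessions">
  <Scope>environment</Scope>
  <Delete>
    <Key><Parameter ref="request.header.X-Session-Id"/></Key>
  </Delete>
</KeyValueMapOperations>

<!-- 3b: look the presented session up; session.app_id is left unset when absent (assumed) -->
<KeyValueMapOperations name="KVM-GetSession" mapIdentifier="sessions">
  <Scope>environment</Scope>
  <ExpiryTimeInSecs>60</ExpiryTimeInSecs>
  <Get assignTo="session.app_id">
    <Key><Parameter ref="request.header.X-Session-Id"/></Key>
  </Get>
</KeyValueMapOperations>

<!-- 3b: reject sessions the KVM does not know, or that belong to another app -->
<RaiseFault name="RF-BadSession">
  <FaultResponse>
    <Set>
      <StatusCode>401</StatusCode>
      <ReasonPhrase>Unauthorized</ReasonPhrase>
      <Payload contentType="application/json">{"error":"unknown or expired session"}</Payload>
    </Set>
  </FaultResponse>
</RaiseFault>

<!-- 3b / 3c: one quota bucket per session ID -->
<Quota name="Q-PerSession" type="calendar">
  <Identifier ref="request.header.X-Session-Id"/>
  <Allow count="100"/>
  <Interval>1</Interval>
  <TimeUnit>hour</TimeUnit>
  <StartTime>2015-01-01 00:00:00</StartTime>
  <Distributed>true</Distributed>
  <Synchronous>true</Synchronous>
</Quota>

<!-- ProxyEndpoint flows wiring the policies to the three endpoint classes -->
<Flows>
  <Flow name="login">
    <Condition>(proxy.pathsuffix MatchesPath "/login") and (request.verb = "POST")</Condition>
    <Request><Step><Name>VAK-App</Name></Step></Request>
    <Response>
      <Step><Name>EV-SessionId</Name><Condition>response.status.code = 200</Condition></Step>
      <Step><Name>KVM-PutSession</Name><Condition>response.status.code = 200</Condition></Step>
    </Response>
  </Flow>
  <Flow name="logout">
    <Condition>(proxy.pathsuffix MatchesPath "/logout") and (request.verb = "POST")</Condition>
    <Request><Step><Name>VAK-App</Name></Step></Request>
    <Response><Step><Name>KVM-DeleteSession</Name></Step></Response>
  </Flow>
  <Flow name="everything-else">
    <Request>
      <Step><Name>VAK-App</Name></Step>
      <Step><Name>KVM-GetSession</Name></Step>
      <Step>
        <Name>RF-BadSession</Name>
        <Condition>(session.app_id = null) or (session.app_id != client_id)</Condition>
      </Step>
      <Step><Name>Q-PerSession</Name></Step>
    </Request>
  </Flow>
</Flows>
```

Two points worth checking before relying on this. First, a KVM entry holds a fixed set of values for one key; KeyValueMapOperations offers Put, Get and Delete on whole keys, not an atomic append or remove of one element inside a key's value list, so an "app -> list of sessions" layout would need a read-modify-write in the proxy and would race between concurrent logins. Keying by session ID avoids that, and the `client_id` check on the Get still ties each session to the app that created it. Second, KVM reads are cached on each message processor for `ExpiryTimeInSecs`, so a session deleted at logout can still pass the Get on another processor until its cache entry expires; keep that window as short as the read load allows. The Get-then-fault step is also what gives the quota its meaning: without it, any string presented as a session ID would simply get its own fresh quota bucket.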