
Revoke access token for a user id: impact analysis of management server's performance

My requirement is to expose an API that will invalidate all the access tokens associated with a user id. This requires a management API call. As the management API runs on management servers, I am wondering if I need to set up any quota on this. I am also hesitant to expose such an API, as if I allow the API consumer to call this API too many times, there will be some impact on the management servers. Can you please share your thoughts on this?

1 ACCEPTED SOLUTION

The API Runtime for Apigee Edge is designed to auto-scale and it will support thousands or tens of thousands of requests per second, or more. This means you can build your own custom API proxies and the Apigee Edge runtime will enforce the rules you specify.

The Apigee Edge Management API is not designed to support thousands or tens of thousands of requests per second. It is designed to be highly available, but not at that scale of concurrent requests.

It is generally a bad idea to create an API Proxy in the Apigee Edge runtime that depends on an Apigee Edge Management API. However, in some exceptional cases, it may be warranted. Yours may be one of them.

  • Understand that an API Proxy that calls an Apigee Edge Management API involves an additional security impact.
  • Understand that you must obtain and manage credentials for the Management API in the API Proxy.
  • Understand that you will need to take special care about rate limiting and abusive behavior. For example, you may wish to rate-limit it to 2/month for each user.

You didn't say how often you expect this API to be called, but if it is expected that your apps will call it relatively rarely, then perhaps it's ok to have this dependency.
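
One way to express the per-user limit suggested in the answer, as an added example that is not part of the original thread or Apigee's own sample code: a Quota policy keyed on the user id, an overall SpikeArrest ceiling, and a flow that runs both before the callout to the Management API. The policy names, the `/revoke` path, the `revoke.user_id` variable and the `10pm` rate are assumptions for illustration.

```xml
<!-- Added example. File 1: per-user quota, 2 revocation calls per month. -->
<Quota name="Quota-RevokeTokensPerUser">
  <!-- One counter per user. "revoke.user_id" is a hypothetical flow variable;
       populate it from the verified token or session, never from a raw
       caller-supplied parameter, or callers can dodge the quota by
       rotating the identifier. -->
  <Identifier ref="revoke.user_id"/>
  <Allow count="2"/>
  <Interval>1</Interval>
  <TimeUnit>month</TimeUnit>
  <!-- Share the counter across message processors so the limit holds
       no matter which runtime node serves the request. -->
  <Distributed>true</Distributed>
  <Synchronous>true</Synchronous>
</Quota>

<!-- File 2: overall ceiling across all users, so that many distinct users
     together still cannot flood the Management API. The rate is a
     placeholder (10 per minute); size it to what your management
     servers can absorb. -->
<SpikeArrest name="SA-RevokeTokensGlobal">
  <Rate>10pm</Rate>
</SpikeArrest>

<!-- File 3 (fragment of the ProxyEndpoint): order matters. Authenticate
     first, then enforce limits, and only then reach the step that
     carries the Management API credentials. -->
<Flow name="RevokeUserTokens">
  <Condition>(proxy.pathsuffix MatchesPath "/revoke") and (request.verb = "POST")</Condition>
  <Request>
    <Step><Name>OAuth-VerifyAccessToken</Name></Step>
    <Step><Name>SA-RevokeTokensGlobal</Name></Step>
    <Step><Name>Quota-RevokeTokensPerUser</Name></Step>
    <!-- Hypothetical ServiceCallout that invokes the Management API. -->
    <Step><Name>SC-CallManagementApi</Name></Step>
  </Request>
</Flow>
```

A request that exceeds either limit is rejected by the runtime before the callout step executes, so the Management API never sees it.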
