Verify Access Token Endpoint

Hi all,

I would like to implement a proxy endpoint that only does access token verification. I mean I do not want my request routed to the target after the VerifyAccessToken policy. How can I do that?

For example;

With GenerateAccessToken, if you set <GenerateResponse enabled="true"/>, it returns the response.

But when it comes to the VerifyAccessToken policy, the above tag does not seem to generate the success response; instead it just passes the request on to the next step.

ACCEPTED SOLUTION

Hi

Yes, in Apigee, policies and targets are independent. You can include an OAuthV2/VerifyAccessToken policy independent of whether there is a target for your proxy. And conversely, you can configure one or more targets regardless of whether you include an OAuthV2/VerifyAccessToken policy.

I would like to implement a proxy endpoint that only does access token verification. I mean I do not want my request routed to the target after the VerifyAccessToken policy. How can I do that?


No problem. Include a VerifyAccessToken, then ... an empty RouteRule (= no target), and then you can use AssignMessage attached in the response flow to assign a static response.

I have a "noroute" proxy endpoint with an AssignMessage policy following VerifyAccessToken to modify and return a more sophisticated response instead of grant_types. Is this a good implementation?


I guess so? If that's what you want to do. An API Proxy that simply verifies an access token has limited value. You may wish to expose that kind of capability to your apps, to allow them to inquire about the status of a token explicitly. And a loopback or "no route" proxy can do that for you. It might return the metadata associated with the token - its expiry, the associated client id, and maybe other stuff like custom attributes. Think of it as the /tokeninfo endpoint. Consider whether you really need a tokeninfo endpoint, though. Sometimes it's enough for each proxy that calls VerifyAccessToken, when the token is expired, to just return 401 with a "token is expired" message, and then the calling app can refresh its token. It may not need all the other token information.

Does Apigee have a best practice for this?


I don't know how to answer this question, because I don't know what "this" is. What is your goal?

In general, keep it as simple as you can. The tokeninfo endpoint might be interesting and valuable when you are building and developing. I don't know if it will be valuable after you've published your APIs. Maybe you will be a better judge of that.

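As an added example (not configuration from the original thread, nor an official Apigee sample), here is one way to wire up the "no route" proxy the accepted answer describes: a VerifyAccessToken policy in the request PreFlow, a RouteRule with no target, and an AssignMessage in the response flow that builds a small tokeninfo-style JSON body. The policy names, the /tokeninfo base path and the "secure" virtual host are assumptions chosen for this example; client_id, expires_in and scope are flow variables that the OAuthV2 VerifyAccessToken policy populates on success.

```xml
<!-- apiproxy/proxies/default.xml (assumed file name for this example) -->
<ProxyEndpoint name="default">
  <PreFlow name="PreFlow">
    <Request>
      <!-- Verify first; on failure the policy raises a fault, so nothing
           below runs and the caller gets the standard 401 error response. -->
      <Step><Name>OAuthV2-VerifyAccessToken</Name></Step>
    </Request>
    <Response>
      <!-- With no target, the response flow runs directly after the request
           flow; this step fills in the body that is returned to the app. -->
      <Step><Name>AM-TokenInfo</Name></Step>
    </Response>
  </PreFlow>
  <HTTPProxyConnection>
    <BasePath>/tokeninfo</BasePath>            <!-- assumed path -->
    <VirtualHost>secure</VirtualHost>          <!-- assumed; TLS-only host -->
  </HTTPProxyConnection>
  <!-- Empty RouteRule: no TargetEndpoint, the request is never forwarded. -->
  <RouteRule name="noroute"/>
</ProxyEndpoint>

<!-- apiproxy/policies/OAuthV2-VerifyAccessToken.xml (assumed file name) -->
<OAuthV2 name="OAuthV2-VerifyAccessToken">
  <Operation>VerifyAccessToken</Operation>
  <!-- Expect "Authorization: Bearer <token>"; the policy strips the prefix. -->
  <AccessTokenPrefix>Bearer</AccessTokenPrefix>
</OAuthV2>

<!-- apiproxy/policies/AM-TokenInfo.xml (assumed file name) -->
<AssignMessage name="AM-TokenInfo">
  <Set>
    <Headers>
      <Header name="Content-Type">application/json</Header>
    </Headers>
    <!-- The payload itself contains braces, so use a different variable
         prefix/suffix than the default "{" and "}" to avoid ambiguity. -->
    <Payload contentType="application/json" variablePrefix="@" variableSuffix="#">
      {"client_id": "@client_id#", "expires_in": "@expires_in#", "scope": "@scope#"}
    </Payload>
    <StatusCode>200</StatusCode>
    <ReasonPhrase>OK</ReasonPhrase>
  </Set>
  <!-- A token with no scope leaves the variable unset; do not fail on it. -->
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
  <AssignTo createNew="false" transport="http" type="response"/>
</AssignMessage>
```

Two points worth keeping in mind with this shape. Because VerifyAccessToken raises a fault when the token is missing, expired or revoked, the AssignMessage step is never reached in that case and the app simply receives the policy's 401, which is the "just return 401 and let the app refresh" behaviour the answer mentions; a FaultRule can reshape that error body if you need to. And only echo metadata the token holder is entitled to see (the fields above, custom attributes you deliberately expose), never the token value itself or the client secret.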

REPLIES

I have a "noroute" proxy endpoint with an AssignMessage policy following VerifyAccessToken to modify and return a more sophisticated response instead of grant_types. Is this a good implementation? Does Apigee have a best practice for this?
