
Which token to use: Apigee token or backend token?

I want to apply the ROPC grant type in Apigee and use the token from the backend as an external token for the OAuth2 policy, but I do not know how the token generated by Apigee will work with the backend.

I have a login API that takes an email and password, and the response is a token.

curl  --request POST "https://www.sit.com:9006/api/v4/auth/login" ^
--header "Content-Type: application/json" ^
--data-raw " {\"email\":\"test@nbg\",\"password\":\"Pass1209!\"}"
Response:
{
    "status": "OK",
    "errors": [],
    "messages": null,
    "data": {
        "token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpYXQiOjE2NTI4MjUzMDgsIm5iZiI6MTY1MjgyNTMwOCwiZXhwIjoxNjg0MzgyOTA4LCJqdGkiOjEwOTl9.fYvefAAvwJ0W304k7-62QEECy0V_MKdxpPzr46Zd9KkTlNZnw8dtvrG8Bqxuz5p2UPKUixf6zcOfjBjU38120cHb0oGdYhaHPqXuFEqvIyisi-qaoN9YeWqwxil8ZT8NGjLHK8fAssreavNzv_NlqvcKGL49twDr8INxs2TyblxLi01FqV3YoS3dMy1bkAWtpBwj_Ga1IQoiDOeMV7-vjqM5gwVsy32zIZSLWX_tQVCiwkAQAIXV7koi0MHjZj0ySdvG7y6NzxsKTFrxcW6pMP5n_xW4vOTwixye3AenFYx0icHD80IKZqnNzNXwYOQTCQ6L0XKwAUjz8TIwe-SHLl2A8fEXQh8M4VcNV0hG_hO8rUB9f695gZvAf9RdW0RvItZxH7fR2eFLwhAVOfjBAnLmOwwoxjXJ10VLYA0Z_WsE8apvofxNcCg9j342PnKwwTcPGAM99kfH12n7jPPhKNAm8KhxXvbHlOpUOc2PYwKm96dDkAB0tGF-__wJCzseMNa6-IfLxPAgJx3YQwchmbw-fAp51NaoGI1zwFJHBt9GoPGFbzb3Y0CqUoZmfxBWC-7hBOA3pCkFuOf7QXnoowMSSrqLYocJyUNTDhdNhsIMjoOfYbL_SRqeEuHWru-bYHXczFnO8wH-yv2tXboe-TG1tKBA6vX1y3tQL2jKIqg"
    }
}
I want to manage this API with Apigee and apply security to it.
I have two scenarios:
1- First, to use ServiceCallout and call this API directly and return the token.
2- Second, to apply the OAuth2 policy with the ROPC grant type (returning an opaque token), and also make a service callout to the login API to get the token, then cache the opaque token as the key and the token returned from the backend as the value,
then return the access token generated by OAuth as an opaque token.
@dchiesa1 please, I want to know the best solution, and if there is another solution, please mention it.



 

1 REPLY

I have two scenarios
1- First, to use ServiceCallout and call this API directly and return the token.

OK. No problem. The ServiceCallout equivalent of your curl command is

 

<ServiceCallout continueOnError='true' name='SC-Login'>
  <Request variable='outboundRequest'>
    <Set>
      <Payload contentType='application/json'>{
    "email":"test@nbg",
    "password": "Secret123"
}</Payload>
      <Verb>POST</Verb>
    </Set>
  </Request>
  <Response>loginResponse</Response>
  <HTTPTargetConnection>
    <SSLInfo>
      <Enabled>true</Enabled>
      <IgnoreValidationErrors>true</IgnoreValidationErrors>
    </SSLInfo>
    <Properties>
      <Property name='success.codes'>2xx, 4xx, 5xx</Property>
    </Properties>
    <URL>https://www.sit.com:9006/api/v4/auth/login</URL>
  </HTTPTargetConnection>
</ServiceCallout>

 

The result of that call will be placed in a variable of Message type, named loginResponse. The JSON content will be in loginResponse.content. You can use an ExtractVariables policy to extract the token, if you want to grab it or store it.

2- Second, to apply the OAuth2 policy with the ROPC grant type (returning an opaque token), and also make a service callout to the login API to get the token, then cache the opaque token as the key and the token returned from the backend as the value, then return the access token generated by OAuth as an opaque token.

OK. I don't understand any of that. I can read the words but they're not making sense to me. I'm not sure what you want. But if you want to cache things, use the cache policy. If you want an opaque OAuth token, use the OAuthV2 policy with Operation = GenerateAccessToken. I think you somehow want to combine these things, but I tried a couple times and I can't understand your goal. Sorry about that.
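
One way to wire up the second scenario, as an added example that is not from the original thread or from Apigee's own samples: three separate policy files for the token endpoint, shown in execution order, where the callout logs in with the caller's credentials over validated TLS and the backend JWT is stored as a hidden attribute of the opaque token. The form parameter names, the truststore reference `backend-truststore-ref`, the attribute name `backend_token` and the 30-minute lifetime are assumptions; it also assumes the backend JWT fits within Apigee's size limit for custom token attributes.

```xml
<!-- 1. SC-Login: log in with the caller's credentials; a non-2xx reply faults, so no token is issued. -->
<ServiceCallout continueOnError='false' name='SC-Login'>
  <Request variable='outboundRequest'>
    <Set>
      <!-- escapeJSON stops quotes in user input from breaking the JSON string -->
      <Payload contentType='application/json'>{
    "email": "{escapeJSON(request.formparam.username)}",
    "password": "{escapeJSON(request.formparam.password)}"
}</Payload>
      <Verb>POST</Verb>
    </Set>
  </Request>
  <Response>loginResponse</Response>
  <HTTPTargetConnection>
    <SSLInfo>
      <Enabled>true</Enabled>
      <!-- hypothetical truststore reference holding the backend's CA -->
      <TrustStore>ref://backend-truststore-ref</TrustStore>
      <IgnoreValidationErrors>false</IgnoreValidationErrors>
    </SSLInfo>
    <URL>https://www.sit.com:9006/api/v4/auth/login</URL>
  </HTTPTargetConnection>
</ServiceCallout>

<!-- 2. EV-BackendToken: read data.token into the variable backend.token -->
<ExtractVariables name='EV-BackendToken'>
  <Source>loginResponse</Source>
  <VariablePrefix>backend</VariablePrefix>
  <JSONPayload>
    <Variable name='token'><JSONPath>$.data.token</JSONPath></Variable>
  </JSONPayload>
</ExtractVariables>

<!-- 3. Issue the opaque token; display='false' keeps the backend JWT out of the token response. -->
<OAuthV2 name='OAuthV2-GenerateAccessToken-Password'>
  <Operation>GenerateAccessToken</Operation>
  <!-- milliseconds; keep at or below the backend token's lifetime -->
  <ExpiresIn>1800000</ExpiresIn>
  <SupportedGrantTypes><GrantType>password</GrantType></SupportedGrantTypes>
  <GrantType>request.formparam.grant_type</GrantType>
  <UserName>request.formparam.username</UserName>
  <PassWord>request.formparam.password</PassWord>
  <Attributes>
    <Attribute name='backend_token' ref='backend.token' display='false'/>
  </Attributes>
  <GenerateResponse enabled='true'/>
</OAuthV2>
```

On the API proxies, an OAuthV2 policy with Operation = VerifyAccessToken exposes the stored value as the flow variable `accesstoken.backend_token`, which can then be placed in whatever credential header the backend expects. Because the backend token travels with the opaque token, the client never sees it and no separate cache entry has to be kept in sync.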