Apigee Edge and Apigee API BaaS both provide support for implementing authorization to protect your backend resources. When you're using API BaaS as a backend data store for an Edge application, you might wonder where the heavy lifting for authorization should occur.
This article describes one way to combine the authorization features of both products so that they work together in a complementary way. You use OAuth2 scopes in Edge to reject whole categories of unauthorized requests before they reach the backend, then use API BaaS verb/endpoint access control to prevent unauthorized access to individual resources.
Note: This article is one in a series that uses the StreetCarts sample application to illustrate implementing authentication and authorization where Apigee Edge and Apigee API BaaS are combined in a single application. The series includes Authentication and authorization with Apigee Edge and API BaaS, Registering and authenticating new users with Edge and API BaaS, and Updating API BaaS permissions at runtime. By @Floyd Jones, @Steve Traut, @wwitman.
By setting up OAuth2 scopes to filter out categories of requests that a user could never be permitted to make, you reduce the traffic that reaches the backend.
When using OAuth2 scopes, you can:
In StreetCarts, for example, OAuth2 scopes define the ability to edit food carts in general, but they don't control access to any particular food cart. Each OAuth2 scope value defines a category that pairs a user type with an allowed action. For example, a user attempting to delete a food cart must have the owner.delete scope value in order for their request to reach API BaaS at all.
(See the "Authorizing for each verb/resource pair using API BaaS permissions" section below for info on defining access to specific verb/resource combinations.)
As described in "Registering and authenticating new users with Edge and API BaaS", you set scope values for a user when authenticating, inserting them in the OAuth2 token generated by the OAuth2 policy. You do this by putting the scope value in the policy's <Scope> element when generating the token.
Here's how StreetCarts verifies scope values when authorizing at runtime:
DELETE /foodcarts/:cartID
. <Scope> element.
API BaaS user groups, roles, and permissions provide a way to set up specific access for any verb/resource pair defined in the data store. If your backend data store is API BaaS, you can use those features to set up fine-grained access control.
By using API BaaS security, you can:
In general, here's how to set up API BaaS to authorize requests for specific verb/resource pairs:
With API BaaS permissions configured, here's how StreetCarts authorizes requests for protected verb/resource pairs:
DELETE /foodcarts/:cartID
. <Scope> element. For example, if a user making a request to delete a food cart carries the owner.delete scope, their request must also be authorized for the specific food cart they want to delete. Imagine they want to delete the cart whose ID is 9e82599a-bf80-11e5-87ec-29bc7103e627. For their request to succeed, their user account must be associated with a role that allows the following:
DELETE /foodcarts/9e82599a-bf80-11e5-87ec-29bc7103e627
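To make the two layers concrete, here is an added example (not StreetCarts code and not an Apigee or API BaaS API) that models both checks described above: the coarse scope gate that Edge performs through the <Scope> element of the OAuthV2 policy's VerifyAccessToken operation, and the fine-grained verb/path permission check that API BaaS performs against the roles a user belongs to, using the "verb[,verb...]:/path" permission string format. The cart ID 9e82599a-bf80-11e5-87ec-29bc7103e627 is the one from the article; the users, the second cart ID, the role names, the scope-to-verb table and the wildcard rule (a "*" stands in for exactly one path segment) are assumptions made for this example.

```python
# Added example, not StreetCarts or Apigee code: a model of two-layer
# authorization. Stage 1 mirrors the <Scope> check of the OAuthV2
# VerifyAccessToken policy in Edge; stage 2 mirrors API BaaS role
# permissions of the form "verb[,verb...]:/path". Users, the second cart
# ID, role names, the scope table and the wildcard semantics below are
# assumptions made for this example.
from dataclasses import dataclass

CART_A = "9e82599a-bf80-11e5-87ec-29bc7103e627"   # cart ID from the article
CART_B = "5d1c0e0a-0000-4000-8000-000000000002"   # constructed second cart

# Scopes a request to the /foodcarts resource must carry, keyed by verb
# (constructed; in Edge this is the <Scope> element per VerifyAccessToken).
REQUIRED_SCOPES = {
    "GET": {"owner.read", "customer.read"},
    "PUT": {"owner.update"},
    "DELETE": {"owner.delete"},
}

# Constructed BaaS roles: each owner role is limited to exactly one cart.
ROLES = {
    "owner-" + CART_A: ["get,put,delete:/foodcarts/" + CART_A],
    "owner-" + CART_B: ["get,put,delete:/foodcarts/" + CART_B],
    "customer": ["get:/foodcarts/*"],
}
USER_ROLES = {
    "alice": ["owner-" + CART_A, "customer"],
    "bob": ["owner-" + CART_B, "customer"],
    "carol": ["customer"],
}


@dataclass(frozen=True)
class AccessToken:
    user_id: str
    scopes: frozenset


def scope_permits(token: AccessToken, required: set) -> bool:
    """Stage 1 (Edge): the token must carry at least one of the scopes
    required for the verb; otherwise the request never leaves the proxy."""
    return bool(token.scopes & required)


def permission_matches(permission: str, verb: str, path: str) -> bool:
    """Stage 2 (BaaS): does one 'verbs:/path' permission cover verb+path?"""
    ops, sep, pattern = permission.partition(":")
    if not sep:
        return False
    if verb.lower() not in {op.strip().lower() for op in ops.split(",")}:
        return False
    pat = pattern.strip("/").split("/")
    segs = path.strip("/").split("/")
    # Assumption for this example: '*' stands in for exactly one segment,
    # so a pattern never matches a path with more or fewer segments.
    return len(pat) == len(segs) and all(
        p == "*" or p == s for p, s in zip(pat, segs))


def authorize(token: AccessToken, verb: str, path: str) -> tuple:
    """Run both layers; returns (allowed, layer_that_decided)."""
    verb = verb.upper()
    if not scope_permits(token, REQUIRED_SCOPES.get(verb, set())):
        return False, "edge-scope"            # rejected before the backend
    for role in USER_ROLES.get(token.user_id, ()):
        if any(permission_matches(p, verb, path) for p in ROLES.get(role, ())):
            return True, "baas-permission"
    return False, "baas-permission"           # right scope, wrong resource


# Constructed tokens: alice is a cart owner, carol is an ordinary customer.
ALICE = AccessToken("alice", frozenset({"owner.read", "owner.update", "owner.delete"}))
CAROL = AccessToken("carol", frozenset({"customer.read"}))

if __name__ == "__main__":
    for tok, verb, path in [
        (CAROL, "DELETE", "/foodcarts/" + CART_A),   # stopped at Edge
        (ALICE, "DELETE", "/foodcarts/" + CART_A),   # owner of this cart
        (ALICE, "DELETE", "/foodcarts/" + CART_B),   # right scope, wrong cart
    ]:
        print(tok.user_id, verb, path, "->", authorize(tok, verb, path))
```

The third case is the one that shows why the scope alone is not an authorization decision: alice carries owner.delete, so Edge forwards the request, but her role only covers her own cart, so BaaS refuses the delete on the other one. If an owner role were instead granted "delete:/foodcarts/*", every owner could delete every cart, so the per-cart roles are what give the second layer its value.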