
What is the use of “Allowed OAuth scopes” in the API Product configuration on Apigee?

In order to grant an Application access to APIs, you need to define an "API product" and then the "App" can be associated with those API products, granting access. When defining an "API product", there is a configuration parameter called "Allowed OAuth Scopes", but it is not clear in the Apigee documentation how this parameter is used or what the use case is. When applying a VerifyToken OAuth policy to an API proxy, it seems to ignore this parameter. For example:

  1. An App requests an access_token with scope "foo" at an OAuth token endpoint in Apigee.
  2. An API product has been configured with Allowed OAuth scopes "bar" in the same Apigee org.
  3. The App has been granted access to the API product in the Apigee UI console.
  4. Then the App tries to access the API using the access_token.
  5. The API verifies the access_token using an OAuth VerifyToken policy.
  6. Regardless of the scope mismatch, the VerifyToken policy will succeed (scope is ignored).

So, what is the use case?

Allowed OAuth scopes is used to determine the list of scopes that will be allowed for the product. This does not keep the token from being created or verified successfully.

For example, say the Allowed OAuth scopes for the API product are gold, silver, and bronze. Assume the app has been granted access to that product. When the app requests the access token with the scopes silver and tin, an access token will be created with the scope silver, since tin is not an allowed scope.

Similarly, if the request is for tin and copper, the access token will still be created, but with no scope, since neither tin nor copper is an allowed scope. The app needs to be written to pay attention to scope (or lack thereof). There is no automatic rejection or limiting of access done by Apigee based upon a token's scope(s).

In a normal use case, an access token with no scope would either be rejected manually using proxy policies, or would be granted a default level of access. This would be a business decision based upon how you wanted your scopes to be used.
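A small model of the behaviour this answer describes, added here as an illustration and not code from the answer or from Apigee: the product's allowed scopes only filter what the requested scopes are narrowed to, the token is issued either way, and any enforcement (rejecting a scope-less token or falling back to a default level) is a separate decision the proxy has to make. The `ApiProduct`, `App`, `grant_scopes` and `authorize` names are hypothetical.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class ApiProduct:
    """Hypothetical model of an API product and its 'Allowed OAuth scopes'."""
    name: str
    allowed_scopes: frozenset


@dataclass
class App:
    """Hypothetical model of an app that has been granted some products."""
    name: str
    products: List[ApiProduct] = field(default_factory=list)


def grant_scopes(app: App, requested: str) -> str:
    """Return the space-separated scope the issued token ends up carrying.

    Requested scopes are kept only if some product the app is entitled to
    allows them; everything else is silently dropped. The token is still
    created even when nothing survives (empty scope), matching the answer.
    """
    allowed = set().union(*(p.allowed_scopes for p in app.products))
    granted = [s for s in requested.split() if s in allowed]
    return " ".join(granted)


def authorize(token_scope: str, required: str,
              default_scope: Optional[str] = None) -> bool:
    """Enforcement the proxy must do itself, since token verification alone
    does not check scope. A scope-less token is either rejected, or treated
    as having `default_scope` when the business decision is to grant a
    default level of access."""
    scopes = set(token_scope.split())
    if not scopes and default_scope is not None:
        scopes = {default_scope}
    return required in scopes


if __name__ == "__main__":
    # Constructed example mirroring the answer: product allows gold/silver/bronze.
    tiers = ApiProduct("tiers", frozenset({"gold", "silver", "bronze"}))
    demo = App("demo-app", [tiers])
    print(repr(grant_scopes(demo, "silver tin")))   # 'silver'
    print(repr(grant_scopes(demo, "tin copper")))   # ''
    print(authorize(grant_scopes(demo, "tin copper"), "bronze"))  # False
```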
