Hi Everyone, I’m Darshan Hiranandani. I need to figure out how an API producer, hosted on AWS, can securely authenticate an Apigee token coming from consumers. What are the best practices or methods for securely validating the token in this scenario?
Looking forward to your suggestions!
Thanks!
Regards
Darshan Hiranandani
I don’t think you want to do that.
When you use the phrase “Apigee token”, I am inferring a token created by Apigee for use by Apigee. That’s the model. Apigee tokens aren’t “made” or designed to be validatable by external systems.
You COULD define a /tokeninfo endpoint in Apigee, which an external system could call with a token, to find out what Apigee thinks about the token. But that’s sort of a roundabout way of doing things, it introduces latency, and it’s not something I would suggest as a “Recommended” approach. It will work though.
A better approach, if you want third parties to validate tokens, is to use a federated token approach, for example, using a JWT. Apigee can issue JWT (use the GenerateJWT policy), and those JWT can be verified and validated by any third party, including a system that happens to run in/on AWS. You just need to publish the verification keys. But I would just call that a JWT, not “an Apigee token”.
The model of an external system validating a token is a common one. This approach - use a JWT with a public/private key pair - is not special to Apigee + AWS. It’s the general approach for the situation you describe: system 1 generates a token, and system 2 verifies it.
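To make the "system 1 signs, system 2 verifies" model concrete, here is an added Go example (not Apigee's GenerateJWT implementation and not code from this thread): an issuer side that signs a JWT with RS256, and the check the AWS-hosted API would run using only the public key. The key pair, issuer URL, audience name and expiry are constructed for the demo; in production the private key never leaves Apigee and the AWS side loads the verification key Apigee publishes.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var b64 = base64.RawURLEncoding
var issuerKey, _ = rsa.GenerateKey(rand.Reader, 2048) // demo only: in production Apigee holds the private key
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

// IssueRS256 stands in for the issuer (Apigee's GenerateJWT policy in production):
// base64url(header).base64url(claims), signed with RSASSA-PKCS1-v1_5 over SHA-256.
func IssueRS256(priv *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig), err // caller must check err
}

// VerifyRS256 is the AWS-side check and needs only the issuer's published public key: it pins
// the algorithm, verifies the signature before trusting any claim, then checks exp, iss and aud.
func VerifyRS256(pub *rsa.PublicKey, tok, wantIss, wantAud string, now int64) (*Claims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 { return nil, errors.New("malformed token") }
	hdrJSON, e1 := b64.DecodeString(parts[0])
	body, e2 := b64.DecodeString(parts[1])
	sig, e3 := b64.DecodeString(parts[2])
	var hdr struct{ Alg string `json:"alg"` }
	if e1 != nil || e2 != nil || e3 != nil || json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("undecodable token or unexpected alg") // the token never picks the algorithm
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil { return nil, errors.New("bad signature") }
	var c Claims
	if json.Unmarshal(body, &c) != nil || now >= c.Exp || c.Iss != wantIss || c.Aud != wantAud {
		return nil, errors.New("expired or wrong iss/aud") // now is Unix seconds
	}
	return &c, nil
}
```

A real deployment would also cache the published key by its key id and rotate it, but the order of checks (algorithm, signature, then claims) is the part that matters for security.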