Like the title, I would like to know if it is possible to limit the amount of access tokens an app can generate?
1 Like
Yes, it is possible.
One way to do this is to enforce a quota on the token-issuance endpoint. For the identifier of the Quota policy, use the client id. (Or even just the base64 blob containing client id and secret.)
Let’s look at a working flow in Apigee Edge that can be used to generate access tokens for client_credentials (the simplest case):
<Flow name='OAuth2.0 token dispenser'>
  <Description>dispense tokens for OAuth2.0, for Client credentials</Description>
  <!--
  An example request is like this:
  curl -i -X POST -H 'content-type: application/x-www-form-urlencoded' \
    -u ${client_id}:${client_secret} \
    'https://ORG-ENV.apigee.net/v1/oauth2-pwd-cc/token' \
    -d 'grant_type=client_credentials'
  The resulting token will have an expiry.
  -->
  <Request>
    <Step>
      <!-- basic validation of the inbound request. Is it well formed? -->
      <Name>RF-InvalidGrantType</Name>
      <Condition>(request.formparam.grant_type != "client_credentials")</Condition>
    </Step>
    <Step>
      <!-- this policy returns a payload immediately -->
      <Name>OAuthV2-GenerateAccessToken-CC</Name>
    </Step>
  </Request>
  <Response/>
  <Condition>(proxy.pathsuffix MatchesPath "/token") and (request.verb = "POST")</Condition>
</Flow>
If you want to restrict the issuance of new tokens, you can insert a Quota policy just before the OAuthV2-GenerateAccessToken.
It might be configured like this:
<Quota name="Quota-1" type="calendar">
  <!-- at most 10 token requests per 1 minute ... -->
  <Allow count="10"/>
  <Interval>1</Interval>
  <TimeUnit>minute</TimeUnit>
  <!-- ... counted per Authorization header, i.e. per client id + secret blob -->
  <Identifier ref="request.header.authorization"/>
  <Distributed>true</Distributed>
  <Synchronous>false</Synchronous>
</Quota>
And the flow would look like:
<Flow name='OAuth2.0 token dispenser'>
  <Description>dispense tokens for OAuth2.0, for Client credentials</Description>
  <Request>
    <Step>
      <Name>RF-InvalidGrantType</Name>
      <Condition>(request.formparam.grant_type != "client_credentials")</Condition>
    </Step>
    <Step>
      <!-- the quota is checked before any token is generated -->
      <Name>Quota-1</Name>
    </Step>
    <Step>
      <!-- this policy returns a payload immediately -->
      <Name>OAuthV2-GenerateAccessToken-CC</Name>
    </Step>
  </Request>
  <Response/>
  <Condition>(proxy.pathsuffix MatchesPath "/token") and (request.verb = "POST")</Condition>
</Flow>
If this is not clear, let me know and I can explain in further detail.
2 Likes
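To make the step order of that flow concrete, here is an added Python model (my own code, not Apigee policy code and not part of the answer above) that applies the answer's quota values, keyed on the raw Authorization header, to constructed traffic from two clients; it assumes a simple fixed window that resets one interval after a client's first request, which is a simplification of the real calendar-type Quota.

```python
# Values taken from the Quota-1 policy in the answer above.
ALLOW_COUNT = 10          # <Allow count="10"/>
INTERVAL_SECONDS = 60     # <Interval>1</Interval> <TimeUnit>minute</TimeUnit>

class TokenQuota:
    """Fixed-window counter keyed on the raw Authorization header,
    mirroring <Identifier ref="request.header.authorization"/>.
    Assumption: the window starts at a key's first request."""
    def __init__(self, allow=ALLOW_COUNT, interval=INTERVAL_SECONDS):
        self.allow, self.interval = allow, interval
        self.windows = {}  # key -> (window_start, count)

    def consume(self, key, now):
        start, count = self.windows.get(key, (now, 0))
        if now - start >= self.interval:   # window elapsed: start a new one
            start, count = now, 0
        if count >= self.allow:            # budget for this window is used up
            self.windows[key] = (start, count)
            return False
        self.windows[key] = (start, count + 1)
        return True

def handle_token_request(form, headers, now, quota):
    """Model of the 'OAuth2.0 token dispenser' request flow, in step order:
    RF-InvalidGrantType -> Quota-1 -> OAuthV2-GenerateAccessToken-CC."""
    if form.get("grant_type") != "client_credentials":
        return "invalid_grant_type"        # RaiseFault; the quota is not touched
    if not quota.consume(headers.get("authorization", ""), now):
        return "quota_exceeded"            # Quota-1 rejects the request
    return "token_issued"                  # GenerateAccessToken would run here

def simulate():
    """Constructed traffic (not real credentials): two clients, timestamps in seconds."""
    quota = TokenQuota()
    a = {"authorization": "Basic Y2xpZW50LWE6c2VjcmV0LWE="}  # client-a:secret-a
    b = {"authorization": "Basic Y2xpZW50LWI6c2VjcmV0LWI="}  # client-b:secret-b
    cc = {"grant_type": "client_credentials"}
    burst = [handle_token_request(cc, a, t, quota) for t in range(11)]  # 11 in one minute
    other = handle_token_request(cc, b, 10, quota)          # client b has its own budget
    bad = handle_token_request({"grant_type": "password"}, a, 11, quota)
    later = handle_token_request(cc, a, 60, quota)          # client a, next window
    return burst, other, bad, later
```

Because Quota-1 runs before the OAuthV2 policy validates the credentials, the counter is keyed on whatever Authorization header was sent, valid or not.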