Restrict API Product by path

I seem to be unable to restrict my API Products to portions of my proxy, using paths + proxy. My use case is very similar to this article, with the slight difference that I have a defined base path, rather than using a wildcard. I’ve generalized details somewhat, but below is the basic form of my proxy.

  • /resource1
  • /resource2
  • /resource3

Each endpoint is defined separately, in the same proxy (rather than in a single default ProxyEndpoint XML file). The first 2 endpoints support creation of objects with a POST on their basepath and payload in the request body, retrieval of objects with a GET /{id} operation, and some operations on a given object, with the form POST /{id}/operation. The third resource has several sub-resources, each of which support CRUD operations.

My proxy uses a Shared Flow to validate the OAuth2 token, among other things. This verification occurs in the first step of each endpoint’s PreFlow.

I have defined an API product that includes this proxy by name, and also specifically defined /resource1 as the resource path. After creating a developer, a developer app, and then assigning the API product to this developer app (and double-checking that it is approved), any POST /resource1 responds with the error “Invalid API call as no apiproduct match found.”

I tried several variations on this, including separately defining each subpath for /resource1

  • /resource1
  • /resource1/*
  • /resource1//

I also tried only defining the product using paths, and no proxy. Because my proxy’s basepath is /v1/, I tried both

  • /v1/resource1
  • /v1/resource2
  • /v1/resource3

and

  • /resource1
  • /resource2
  • /resource3

However all of these configurations result in the same error for me. In fact, the only way I am able to allow access to /resource1 for an API Product is by allowing access to all resources for the proxy, using path /.

Does anyone have any advice that they could offer, to help resolve this issue? Am I missing something very basic? Should I move my OAuth token verification out of the shared flow, and why would that matter, if I should?

Thanks!

Hi, I’m sorry you’re having troubles.

I think the resource paths for the API Product… are evaluated based on proxy path suffix.

Let’s assume an API proxy, with a single endpoint that listens on /endpoint1 basepath.

Now assume the API proxy has conditional flows that match on the path+verb pair, like this:

GET /r1

GET /r2

Here’s what to expect:

API Product resources    GET /r1 result                 GET /r2 result
-none-                   token is valid                 token is valid
/                        invalid access token;          invalid access token
                         no apiproduct match found
/**                      token is valid                 token is valid
/r1                      token is valid                 invalid access token
/r2                      invalid access token           token is valid
/r1, /r2                 token is valid                 token is valid

I think maybe you are including the ProxyEndpoint basepath into the resource path for the API Product.

This isn’t correct. You need to exclude that.

Let me know if this helps.

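The matching rule described in the reply above, worked through in code. This is an added example, not part of the original thread and not Apigee's own implementation: the request path has the ProxyEndpoint basepath stripped to give the proxy path suffix, and only that suffix is compared against the product's resource paths. The pattern semantics are an assumption modelled on the table (a bare "/" matches only the bare basepath, "/*" matches one path segment, "/**" matches any depth); treating "*" as a one-segment wildcard anywhere in the pattern goes a little beyond the table and is also an assumption. The basepath "/v1/" and resource names are the poster's; the request paths are constructed for the example.

```python
"""Model of API Product resource-path matching against the proxy path suffix.

Added example (not Apigee's code). Assumptions, modelled on the table in the
reply above: "/" matches only the bare basepath, "*" matches exactly one path
segment, "**" matches zero or more segments, anything else matches literally.
"""
from typing import Iterable, List, Optional


def _segments(path: str) -> List[str]:
    """Split "/a/b/" into ["a", "b"]; "/" and "" give []. Query string is dropped."""
    return [s for s in path.split("?", 1)[0].split("/") if s]


def proxy_path_suffix(request_path: str, basepath: str) -> Optional[str]:
    """Strip the ProxyEndpoint basepath from the request path.

    Returns the suffix (always starting with "/"), or None when the request does
    not fall under this basepath at all (it would be routed to another endpoint).
    """
    base = _segments(basepath)
    req = _segments(request_path)
    if req[: len(base)] != base:
        return None
    return "/" + "/".join(req[len(base):])


def _match(pat: List[str], seg: List[str]) -> bool:
    """Recursive segment-wise glob match (assumed semantics, see module docstring)."""
    if not pat:
        return not seg
    head, rest = pat[0], pat[1:]
    if head == "**":
        # zero or more segments: try every split point
        return any(_match(rest, seg[i:]) for i in range(len(seg) + 1))
    if not seg:
        return False
    if head == "*" or head == seg[0]:
        return _match(rest, seg[1:])
    return False


def resource_path_matches(pattern: str, suffix: str) -> bool:
    """Does one API Product resource path match a proxy path suffix?"""
    return _match(_segments(pattern), _segments(suffix))


def product_allows(resource_paths: Iterable[str], basepath: str, request_path: str) -> bool:
    """True when the product grants access to request_path on an endpoint with basepath.

    A product with no resource paths at all (the "-none-" row) allows every path
    under the proxy; otherwise at least one resource path must match the suffix.
    """
    suffix = proxy_path_suffix(request_path, basepath)
    if suffix is None:
        return False
    paths = list(resource_paths)
    if not paths:
        return True
    return any(resource_path_matches(p, suffix) for p in paths)


def verdict_table(basepath: str, requests: List[str], product_rows: List[List[str]]):
    """Rebuild a table like the one in the reply: one row per product resource set,
    one verdict string per request path."""
    rows = []
    for resources in product_rows:
        label = ", ".join(resources) or "-none-"
        verdicts = [
            "token is valid" if product_allows(resources, basepath, r) else "invalid access token"
            for r in requests
        ]
        rows.append((label, verdicts))
    return rows


if __name__ == "__main__":
    BASEPATH = "/v1/"
    # The poster's attempt: basepath baked into the resource path never matches,
    # because only the suffix "/resource1" is compared against it.
    print(product_allows(["/v1/resource1"], BASEPATH, "/v1/resource1"))        # False
    print(product_allows(["/resource1"], BASEPATH, "/v1/resource1"))           # True
    # Sub-resources: "/resource1/*" is one level; "/resource1/**" is everything below.
    print(product_allows(["/resource1/*"], BASEPATH, "/v1/resource1/123/operation"))   # False
    print(product_allows(["/resource1/**"], BASEPATH, "/v1/resource1/123/operation"))  # True
    # The reply's table, regenerated from the model.
    table = verdict_table(
        "/endpoint1",
        ["/endpoint1/r1", "/endpoint1/r2"],
        [[], ["/"], ["/**"], ["/r1"], ["/r2"], ["/r1", "/r2"]],
    )
    for label, (r1, r2) in table:
        print(f"{label:<12} {r1:<22} {r2}")
```

Run it as a script and the last loop prints the same verdicts as the table in the reply; the first two prints show why "/v1/resource1" in the product fails while "/resource1" succeeds against the same request.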

Thanks for the reply, Dino. That was very helpful. In my case I’ve defined 3 proxy endpoints for the same proxy, and it doesn’t seem like it’s possible to restrict access to only the first 2, based on what you have explained above: I’ll need to move the last proxy endpoint to another proxy.

Thanks!

I guess you could restrict access to the first two proxy endpoints, if they have unique resource paths (the part that falls AFTER the basepath). But separating out the ProxyEndpoints would also work.