I don't see what I'm missing, but I have my app created, a developer associated with it, as well as a product for the API that's supposed to receive the bearer token, yet I keep getting the same error message: "Invalid API call as no apiproduct match found". I'm using the bundle Dino provided and have little difficulty using the client ID and secret to get the token from the endpoint for acquiring tokens. What am I missing?
I think I could better help you if you posted your question on the Apigee community at goo.gle/apigee-community .
The "no apiproduct match found" thing happens if the verb + path that you use in the request does not match any verb + path configured for any API product configured on the credential (client id + secret). Apigee makes things pretty flexible, which you will appreciate as you get more advanced, but that flexibility makes things a little more complicated than you'd like them to be when just launching your first OAuth2-protected API.
As one example of that flexibility - the client id + secret is a single credential on an app. You can have multiple credentials! And, you can map a different set of API Products to each distinct credential! And there's caching of the key/token in the Apigee runtime, so if you change the setting on an API Product, then retry the same token, ... it will use "the old settings" until the cache expires (usually within three minutes). Those are just a few examples.
It sounds like you're doing the right things. What I would check is:
- check the list of API products for the credential. Ideally it's just one product in the simple case.
- on that API product, check the verb + path you've set.
One catch - the UI for Apigee X is now different! So if you are using console.cloud.google.com to create apps, products, etc., the experience is different. This video shows the "old" UI.
If you want a set of written instructions for how to do this from the terminal using gcloud and apigeecli commands, see here: github.com/GoogleCloudPlatform/apigee-samples/tree/main/apiproduct-operations
Hey Adam, I recorded a newer version of the OAuth2 Client Credentials thing, here: ua-cam.com/video/7Ujn1aavmpo/v-deo.html . This one uses the updated Apigee X UI.
Thanks Dino, great tutorial. I am also looking at a scenario where I need Apigee to retrieve from an OAuth 2.0 endpoint. What I want is to automate the retrieval of the OAuth token in the flow itself (when it has expired). Any experience with this?
Sure, you can do that. Really common. Usually people want to implement this kind of thing when Apigee is acting as an OAuth 2.0 mediation layer.
In this scenario, Apigee accepts and validates an Apigee-generated token, and then employs a token from some other issuer to invoke the upstream system. The best way to implement it: in the proxy, at token-generation time, before invoking OAuthV2/GenerateAccessToken, configure the Apigee proxy to invoke the /token endpoint on the 3rd-party token dispensary to acquire the 3rd-party token. Then, in OAuthV2/GenerateAccessToken, attach that token as a hidden _attribute_ on the Apigee-generated token. Set the expiry on the Apigee-generated token to be synchronized with the 3rd-party-generated token (or a few seconds shorter). And then eventually return the Apigee-generated token to the client app.
Then, later, when the client app presents the Apigee-generated token in subsequent API calls, the API proxy will validate that token and in that process, it will implicitly retrieve the 3rd-party generated token. And the proxy can then inject that token into the request that flows to the upstream.
When the Apigee-generated token expires, the client app will request a new token, and then you'd begin the cycle again.
Above I wrote "configure the Apigee proxy to invoke the /token endpoint on the 3rd party token dispensary to acquire that token". In case you are less familiar with Apigee, the way you'd do this is with AssignMessage (to form the outbound request-for-token message) and ServiceCallout (to send the request-for-token to the 3rd party endpoint).
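The mediation pattern Dino describes above, written out as Apigee policy XML. This is an added example, not code from the original thread, from Dino's bundle, or from an Apigee sample. The policy names, the issuer URL `https://idp.example.com/oauth2/token`, the variable names (`upstreamTokenRequest`, `upstream.*`, `apigee.token.expires_ms`, `private.upstream.basic_auth`) and the `/mediated` base path are all assumptions; the Basic credential for the third-party issuer is assumed to have been loaded into `private.upstream.basic_auth` by a KeyValueMapOperations policy that is not shown.

```xml
<!-- policies/AM-BuildUpstreamTokenRequest.xml: form the client_credentials request
     for the third-party issuer. private.* variables are masked in trace. -->
<AssignMessage name="AM-BuildUpstreamTokenRequest">
  <AssignTo createNew="true" transport="http" type="request">upstreamTokenRequest</AssignTo>
  <Set>
    <Verb>POST</Verb>
    <Headers>
      <Header name="Content-Type">application/x-www-form-urlencoded</Header>
      <Header name="Authorization">Basic {private.upstream.basic_auth}</Header>
    </Headers>
    <FormParams>
      <FormParam name="grant_type">client_credentials</FormParam>
    </FormParams>
  </Set>
</AssignMessage>

<!-- policies/SC-GetUpstreamToken.xml: send that request to the issuer's /token endpoint
     (assumed URL). A failed callout faults here, before any Apigee token is minted. -->
<ServiceCallout name="SC-GetUpstreamToken">
  <Request variable="upstreamTokenRequest"/>
  <Response>upstreamTokenResponse</Response>
  <HTTPTargetConnection>
    <URL>https://idp.example.com/oauth2/token</URL>
  </HTTPTargetConnection>
</ServiceCallout>

<!-- policies/EV-UpstreamToken.xml: lift access_token and expires_in from the JSON reply
     into upstream.access_token and upstream.expires_in. -->
<ExtractVariables name="EV-UpstreamToken">
  <Source>upstreamTokenResponse</Source>
  <VariablePrefix>upstream</VariablePrefix>
  <JSONPayload>
    <Variable name="access_token"><JSONPath>$.access_token</JSONPath></Variable>
    <Variable name="expires_in"><JSONPath>$.expires_in</JSONPath></Variable>
  </JSONPayload>
</ExtractVariables>

<!-- policies/JS-SyncExpiry.xml: ExpiresIn takes milliseconds. Subtract a margin so the
     Apigee token always dies before the upstream one, and refuse to mint without a lifetime. -->
<Javascript name="JS-SyncExpiry" timeLimit="200">
  <Source><![CDATA[
    var seconds = parseInt(context.getVariable('upstream.expires_in'), 10);
    if (isNaN(seconds) || seconds <= 30) {
      throw new Error('upstream token lifetime missing or too short');
    }
    context.setVariable('apigee.token.expires_ms', String((seconds - 30) * 1000));
  ]]></Source>
</Javascript>

<!-- policies/OAuthV2-GenerateAccessToken.xml: mint the Apigee token with the upstream
     token stored as a custom attribute; display="false" keeps it out of the token response. -->
<OAuthV2 name="OAuthV2-GenerateAccessToken">
  <Operation>GenerateAccessToken</Operation>
  <SupportedGrantTypes><GrantType>client_credentials</GrantType></SupportedGrantTypes>
  <GrantType>request.formparam.grant_type</GrantType>
  <ExpiresIn ref="apigee.token.expires_ms">300000</ExpiresIn>
  <Attributes>
    <Attribute name="upstream_token" ref="upstream.access_token" display="false"/>
  </Attributes>
  <GenerateResponse enabled="true"/>
</OAuthV2>

<!-- policies/OAuthV2-VerifyAccessToken.xml: on every API call. Verification populates
     accesstoken.upstream_token from the stored attribute. -->
<OAuthV2 name="OAuthV2-VerifyAccessToken">
  <Operation>VerifyAccessToken</Operation>
</OAuthV2>

<!-- policies/AM-InjectUpstreamToken.xml: replace the client's bearer with the upstream one. -->
<AssignMessage name="AM-InjectUpstreamToken">
  <AssignTo createNew="false" transport="http" type="request"/>
  <Set>
    <Headers>
      <Header name="Authorization">Bearer {accesstoken.upstream_token}</Header>
    </Headers>
  </Set>
</AssignMessage>

<!-- proxies/default.xml: the token path runs the mint chain; the unconditioned last flow
     catches everything else. GenerateResponse ends the token flow before any target. -->
<ProxyEndpoint name="default">
  <Flows>
    <Flow name="token">
      <Condition>(proxy.pathsuffix MatchesPath "/token") and (request.verb = "POST")</Condition>
      <Request>
        <Step><Name>AM-BuildUpstreamTokenRequest</Name></Step>
        <Step><Name>SC-GetUpstreamToken</Name></Step>
        <Step><Name>EV-UpstreamToken</Name></Step>
        <Step><Name>JS-SyncExpiry</Name></Step>
        <Step><Name>OAuthV2-GenerateAccessToken</Name></Step>
      </Request>
    </Flow>
    <Flow name="api">
      <Request>
        <Step><Name>OAuthV2-VerifyAccessToken</Name></Step>
        <Step><Name>AM-InjectUpstreamToken</Name></Step>
      </Request>
    </Flow>
  </Flows>
  <HTTPProxyConnection><BasePath>/mediated</BasePath></HTTPProxyConnection>
  <RouteRule name="default"><TargetEndpoint>default</TargetEndpoint></RouteRule>
</ProxyEndpoint>
```

The client app only ever sees the Apigee-issued token; the upstream token lives in the token store as a hidden attribute and is re-read on every VerifyAccessToken, so no extra callout happens on the data path. The 30-second margin in JS-SyncExpiry is the "few seconds shorter" Dino mentions: it guarantees a client holding a still-valid Apigee token is never forwarded an already-expired upstream token.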
Hi Dino Chiesa, I have an issue when an access token is generated in hybrid Apigee X; let me explain: I have 1 product with 2 comma-separated scopes (read,write), and when I request a token with read scope we get a token for that one, but when I request the second scope, the response does not generate an access token for that scope. I don't know if that is a problem with the product configuration or something else.
Hi, I've been away on holiday. This seems like a good question for the Apigee community forum www.googlecloudcommunity.com/gc/Apigee/bd-p/cloud-apigee .
For my part, I can configure a Product to support "READ,WRITE" scope. Then GenerateAccessToken with READ scope, or WRITE scope. Then, at time of VerifyAccessToken, it works as expected. If the VerifyAccessToken policy requires a READ scope and the token includes READ scope, it works. If the VerifyAccessToken policy requires a READ scope and the token does not include READ scope, the verify fails as expected. And likewise for WRITE scope.
So maybe there is a problem in your policies. But anyway this is better covered in a forum, where you can show configuration and I can suggest changes, or provide examples of my own. Please ask there.
oh I see you've already asked this question in the community. www.googlecloudcommunity.com/gc/Apigee/Issue-with-Oauth-2-token-generation-with-scopes-in-apigee-x/m-p/504774#M73411
I've answered there. Good luck!
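The READ/WRITE scope setup Dino describes in his reply, as policy XML. This is an added example, not the original poster's configuration, Dino's bundle, or an Apigee sample; the policy names and the `/token` path are assumptions, and the product scope string is assumed to be set on the API product (outside the proxy) exactly as `READ,WRITE`.

```xml
<!-- Token issuance: the client passes scope=READ, scope=WRITE, or "READ WRITE"
     (space-separated) as a form parameter. Apigee checks the requested scopes against
     the scopes on the API products attached to the credential; the comparison is a
     literal string match, so "read" does not satisfy a product configured with "READ". -->
<OAuthV2 name="OAuthV2-GenerateAccessToken">
  <Operation>GenerateAccessToken</Operation>
  <SupportedGrantTypes><GrantType>client_credentials</GrantType></SupportedGrantTypes>
  <GrantType>request.formparam.grant_type</GrantType>
  <Scope>request.formparam.scope</Scope>
  <ExpiresIn>3600000</ExpiresIn>
  <GenerateResponse enabled="true"/>
</OAuthV2>

<!-- Two verify policies. Each fails the call unless the presented token carries
     the named scope, which is the behaviour Dino describes. -->
<OAuthV2 name="OAuthV2-Verify-READ">
  <Operation>VerifyAccessToken</Operation>
  <Scope>READ</Scope>
</OAuthV2>

<OAuthV2 name="OAuthV2-Verify-WRITE">
  <Operation>VerifyAccessToken</Operation>
  <Scope>WRITE</Scope>
</OAuthV2>

<!-- ProxyEndpoint flow fragment: GET requests need READ, anything else needs WRITE,
     and the /token path itself mints tokens instead of verifying them. -->
<Flows>
  <Flow name="token">
    <Condition>(proxy.pathsuffix MatchesPath "/token") and (request.verb = "POST")</Condition>
    <Request><Step><Name>OAuthV2-GenerateAccessToken</Name></Step></Request>
  </Flow>
  <Flow name="read">
    <Condition>request.verb = "GET"</Condition>
    <Request><Step><Name>OAuthV2-Verify-READ</Name></Step></Request>
  </Flow>
  <Flow name="write">
    <Request><Step><Name>OAuthV2-Verify-WRITE</Name></Step></Request>
  </Flow>
</Flows>
```

A token minted with only READ passes the `read` flow and is rejected in the `write` flow; one minted with `READ WRITE` passes both. When a token request for the second scope comes back without a token, the first things to compare are the exact spelling of the scope on the product versus the one in the request, and which products are actually attached to the credential being used.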
Thanks. Could you please make an external Auth2 demo?
Hi - can you explain what you mean by "external Auth2" ? Maybe elaborate a little more on what you're thinking.
@dinochiesa1860 For example, Microsoft IDP Azure.
Can you please make OAuth1.0a in Apigee?
I'd be glad to try to help out, but I'd need more information from you. Apigee acts as an HTTP proxy, which means you could configure Apigee as an OAuth 1.0a receiver (northbound) or an OAuth1.0a client (southbound). So can you explain what you mean? Maybe provide more than 5 or 6 words. A few sentences would be helpful.
@mounikaduduka8473 Hi, I'm not sure what offset and limit have to do with the problem. OAuth1.0a is tricky to get right. I suggest you try this online tool for creating the signatures at the various stages: dinochiesa.github.io/oauth1.0a/. Good luck!
@mounikaduduka8473 I am sorry you are still having difficulty. As I said, OAuth1.0a signatures can be tricky to get right. I suggested the website to help you create and verify signatures. Then you replied with "let me know the online tool." So I'm not sure you're reading and understanding what I am writing. Good luck working through this. Keep at it, you'll figure it out.
Hi @Dino, big fan of yours! Can you make videos on implementing/architecting Apigee infrastructure for Hybrid and GCP with Kubernetes? Or if there is documentation with a good amount of detail, do share.
My colleague, Miguel Mendoza, has produced a nice walkthrough of installing Apigee hybrid on GKE. ua-cam.com/video/vmzbwTIYsog/v-deo.html. Check it out!