UNPKG

microgateway-plugins/oauthv2/README.md

Version:

4.48 kBMarkdownView Raw

1# oauthv2 plugin
2
3## Summary
4The `oauthv2` plugin allows you to secure API requests to Apigee Edge Microgateway with OAuth 2.0 (JWT validation).  Therefore, it was created to separate API key validation from OAuth 2.0 token validation and simply its configuration.
5
6## When to use this plugin?
7Use this plugin when you only want to enable OAuth 2.0 JWT validation.
8
9## Process Summary
10
111. The client obtains an client ID and secret.
122. The client exchanges the client ID and secret for a JWT and includes it the request to Edge Microgateway.
133. The `oauthv2` plugin will validate the JWT.
144. If the JWT is valid, then the request will continue to the next plugin, otherwise an error message will be returned to the client application.
15
16## Prerequisites
17Please complete the following tasks before you use this plugin.  
18
191. [Install Edge Microgateway](https://docs.apigee.com/api-platform/microgateway/3.0.x/setting-and-configuring-edge-microgateway#Prerequisite)   
20
212. [Configure Edge Microgateway](https://docs.apigee.com/api-platform/microgateway/3.0.x/setting-and-configuring-edge-microgateway#Part1)
22
233. [Create entities on Apigee Edge](https://docs.apigee.com/api-platform/microgateway/3.0.x/setting-and-configuring-edge-microgateway#Part2)
24
25
26## Plugin configuration properties
27You can set the following properties in the `oauthv2` stanza in the Edge Microgateway configuration file.
28
29```yaml
30oauth:
31  # Header name used to send the JWT to Edge Microgateway
32  # Default: Authorization
33
34  authorization-header: "x-custom-auth-header"
35
36  # Set to true if you want to send the Authorization header to the target server;
37  # Set to false if you want this plugin to remove the header after it is validated.
38  # Default: false
39
40  keep-authorization-header: true
41
42  # Grace period is the number of seconds before the token is removed from the cache.
43  # If you set this to 5 (seconds), then MG will check if the difference between the expiry time and the current time [absoluteValue(expiry_time - current_time)] is less than or equal (<=) to the grace period.
44  # If true, then Edge Microgateway will remove the token from the cache.  
45  # Default: 0 seconds
46
47  gracePeriod: 5
48
49  # Set to true to enable Edge Microgateway to check against the resource paths only.  
50  # In this case it ignores the proxy name check.
51  # Default: false, which enables Edge Microgateway to check if the proxy name is included in the product.
52
53  productOnly: true
54
55  # Note: if you set the tokenCacheSize, then you should also enable it (tokenCache: true).
56  # Set tokenCache to true if you want to cache the access token (JWT) locally.
57  # Default: false - Access token is not cached.
58
59  tokenCache: true
60
61  # Set the maximum number of tokens cached locally.
62  # Default: 100
63
64  tokenCacheSize: 150
65```
66
67## Enable the plugin
68In the EM configuration file (`org-env-config.yaml`) make sure that your plugin sequence is as shown below.
69
70```yaml
71plugins:
72    sequence:
73      - oauthv2
74      # other plugins can be listed here
75```
76
77## Configure the plugin
78In the same configuration file you also need to configure the `oauthv2` plugin if you want to change the default behavior.  The example below changes the `oauthv2` to enable access token caching and changes the `tokenCacheSize` to 150 tokens.    
79
80```yaml
81oauthv2:
82  tokenCache: true
83  tokenCacheSize: 150
84```
85
86## Caching
87JWT token caching is **not** enabled by default.  
88
89### Cache Headers
90The `oauthv2` plugin **does not** observe the [`cache-control`](https://developers.google.com/web/fundamentals/performance/optimizing-content-efficiency/http-caching) header.
91The only way to cache the JWT is to set the `tokenCache` property to `true`.
92
93### Access Tokens
94Access tokens (JWTs) can also be cached in Edge Microgateway to avoid validating the JWT on every request.  Access tokens are only cached if you set `tokenCache` to `true` and the JWT is valid.  
95
96## Best Practices for configuring this plugin
97* The `oauthv2` plugin is typically listed first in the plugin sequence.  
98* If you need one set of APIs to be validated by JWTs and another set to be validated by API Keys (lower security), then consider the following:
99  * Create two products, one for API Key validation and one for access token (JWT) validation, then configure two sets of  Edge Microgateway instances - one set for API key validation and one set for access token validation.
100  * Use an HTTPS load balancer to determine which Edge Microgateway should receive the traffic.  

1	`# oauthv2 plugin`
2
3	`## Summary`
4	The `oauthv2` plugin allows you to secure API requests to Apigee Edge Microgateway with OAuth 2.0 (JWT validation). Therefore, it was created to separate API key validation from OAuth 2.0 token validation and simply its configuration.
5
6	`## When to use this plugin?`
7	`Use this plugin when you only want to enable OAuth 2.0 JWT validation.`
8
9	`## Process Summary`
10
11	`1. The client obtains an client ID and secret.`
12	`2. The client exchanges the client ID and secret for a JWT and includes it the request to Edge Microgateway.`
13	3. The `oauthv2` plugin will validate the JWT.
14	`4. If the JWT is valid, then the request will continue to the next plugin, otherwise an error message will be returned to the client application.`
15
16	`## Prerequisites`
17	`Please complete the following tasks before you use this plugin.`
18
19	`1. [Install Edge Microgateway](https://docs.apigee.com/api-platform/microgateway/3.0.x/setting-and-configuring-edge-microgateway#Prerequisite)`
20
21	`2. [Configure Edge Microgateway](https://docs.apigee.com/api-platform/microgateway/3.0.x/setting-and-configuring-edge-microgateway#Part1)`
22
23	`3. [Create entities on Apigee Edge](https://docs.apigee.com/api-platform/microgateway/3.0.x/setting-and-configuring-edge-microgateway#Part2)`
24
25
26	`## Plugin configuration properties`
27	You can set the following properties in the `oauthv2` stanza in the Edge Microgateway configuration file.
28
29	```yaml
30	`oauth:`
31	`# Header name used to send the JWT to Edge Microgateway`
32	`# Default: Authorization`
33
34	`authorization-header: "x-custom-auth-header"`
35
36	`# Set to true if you want to send the Authorization header to the target server;`
37	`# Set to false if you want this plugin to remove the header after it is validated.`
38	`# Default: false`
39
40	`keep-authorization-header: true`
41
42	`# Grace period is the number of seconds before the token is removed from the cache.`
43	`# If you set this to 5 (seconds), then MG will check if the difference between the expiry time and the current time [absoluteValue(expiry_time - current_time)] is less than or equal (<=) to the grace period.`
44	`# If true, then Edge Microgateway will remove the token from the cache.`
45	`# Default: 0 seconds`
46
47	`gracePeriod: 5`
48
49	`# Set to true to enable Edge Microgateway to check against the resource paths only.`
50	`# In this case it ignores the proxy name check.`
51	`# Default: false, which enables Edge Microgateway to check if the proxy name is included in the product.`
52
53	`productOnly: true`
54
55	`# Note: if you set the tokenCacheSize, then you should also enable it (tokenCache: true).`
56	`# Set tokenCache to true if you want to cache the access token (JWT) locally.`
57	`# Default: false - Access token is not cached.`
58
59	`tokenCache: true`
60
61	`# Set the maximum number of tokens cached locally.`
62	`# Default: 100`
63
64	`tokenCacheSize: 150`
65	```
66
67	`## Enable the plugin`
68	In the EM configuration file (`org-env-config.yaml`) make sure that your plugin sequence is as shown below.
69
70	```yaml
71	`plugins:`
72	`sequence:`
73	`- oauthv2`
74	`# other plugins can be listed here`
75	```
76
77	`## Configure the plugin`
78	In the same configuration file you also need to configure the `oauthv2` plugin if you want to change the default behavior. The example below changes the `oauthv2` to enable access token caching and changes the `tokenCacheSize` to 150 tokens.
79
80	```yaml
81	`oauthv2:`
82	`tokenCache: true`
83	`tokenCacheSize: 150`
84	```
85
86	`## Caching`
87	`JWT token caching is not enabled by default.`
88
89	`### Cache Headers`
90	The `oauthv2` plugin does not observe the [`cache-control`](https://developers.google.com/web/fundamentals/performance/optimizing-content-efficiency/http-caching) header.
91	The only way to cache the JWT is to set the `tokenCache` property to `true`.
92
93	`### Access Tokens`
94	Access tokens (JWTs) can also be cached in Edge Microgateway to avoid validating the JWT on every request. Access tokens are only cached if you set `tokenCache` to `true` and the JWT is valid.
95
96	`## Best Practices for configuring this plugin`
97	* The `oauthv2` plugin is typically listed first in the plugin sequence.
98	`* If you need one set of APIs to be validated by JWTs and another set to be validated by API Keys (lower security), then consider the following:`
99	`* Create two products, one for API Key validation and one for access token (JWT) validation, then configure two sets of Edge Microgateway instances - one set for API key validation and one set for access token validation.`
100	`* Use an HTTPS load balancer to determine which Edge Microgateway should receive the traffic.`