1 | # oauthv2 plugin
|
2 |
|
3 | ## Summary
|
4 | The `oauthv2` plugin allows you to secure API requests to Apigee Edge Microgateway with OAuth 2.0 (JWT validation). Therefore, it was created to separate API key validation from OAuth 2.0 token validation and simply its configuration.
|
5 |
|
6 | ## When to use this plugin?
|
7 | Use this plugin when you only want to enable OAuth 2.0 JWT validation.
|
8 |
|
9 | ## Process Summary
|
10 |
|
11 | 1. The client obtains an client ID and secret.
|
12 | 2. The client exchanges the client ID and secret for a JWT and includes it the request to Edge Microgateway.
|
13 | 3. The `oauthv2` plugin will validate the JWT.
|
14 | 4. If the JWT is valid, then the request will continue to the next plugin, otherwise an error message will be returned to the client application.
|
15 |
|
16 | ## Prerequisites
|
17 | Please complete the following tasks before you use this plugin.
|
18 |
|
19 | 1. [Install Edge Microgateway](https://docs.apigee.com/api-platform/microgateway/3.0.x/setting-and-configuring-edge-microgateway#Prerequisite)
|
20 |
|
21 | 2. [Configure Edge Microgateway](https://docs.apigee.com/api-platform/microgateway/3.0.x/setting-and-configuring-edge-microgateway#Part1)
|
22 |
|
23 | 3. [Create entities on Apigee Edge](https://docs.apigee.com/api-platform/microgateway/3.0.x/setting-and-configuring-edge-microgateway#Part2)
|
24 |
|
25 |
|
26 | ## Plugin configuration properties
|
27 | You can set the following properties in the `oauthv2` stanza in the Edge Microgateway configuration file.
|
28 |
|
29 | ```yaml
|
30 | oauth:
|
31 | # Header name used to send the JWT to Edge Microgateway
|
32 | # Default: Authorization
|
33 |
|
34 | authorization-header: "x-custom-auth-header"
|
35 |
|
36 | # Set to true if you want to send the Authorization header to the target server;
|
37 | # Set to false if you want this plugin to remove the header after it is validated.
|
38 | # Default: false
|
39 |
|
40 | keep-authorization-header: true
|
41 |
|
42 | # Grace period is the number of seconds before the token is removed from the cache.
|
43 | # If you set this to 5 (seconds), then MG will check if the difference between the expiry time and the current time [absoluteValue(expiry_time - current_time)] is less than or equal (<=) to the grace period.
|
44 | # If true, then Edge Microgateway will remove the token from the cache.
|
45 | # Default: 0 seconds
|
46 |
|
47 | gracePeriod: 5
|
48 |
|
49 | # Set to true to enable Edge Microgateway to check against the resource paths only.
|
50 | # In this case it ignores the proxy name check.
|
51 | # Default: false, which enables Edge Microgateway to check if the proxy name is included in the product.
|
52 |
|
53 | productOnly: true
|
54 |
|
55 | # Note: if you set the tokenCacheSize, then you should also enable it (tokenCache: true).
|
56 | # Set tokenCache to true if you want to cache the access token (JWT) locally.
|
57 | # Default: false - Access token is not cached.
|
58 |
|
59 | tokenCache: true
|
60 |
|
61 | # Set the maximum number of tokens cached locally.
|
62 | # Default: 100
|
63 |
|
64 | tokenCacheSize: 150
|
65 | ```
|
66 |
|
67 | ## Enable the plugin
|
68 | In the EM configuration file (`org-env-config.yaml`) make sure that your plugin sequence is as shown below.
|
69 |
|
70 | ```yaml
|
71 | plugins:
|
72 | sequence:
|
73 | - oauthv2
|
74 | # other plugins can be listed here
|
75 | ```
|
76 |
|
77 | ## Configure the plugin
|
78 | In the same configuration file you also need to configure the `oauthv2` plugin if you want to change the default behavior. The example below changes the `oauthv2` to enable access token caching and changes the `tokenCacheSize` to 150 tokens.
|
79 |
|
80 | ```yaml
|
81 | oauthv2:
|
82 | tokenCache: true
|
83 | tokenCacheSize: 150
|
84 | ```
|
85 |
|
86 | ## Caching
|
87 | JWT token caching is **not** enabled by default.
|
88 |
|
89 | ### Cache Headers
|
90 | The `oauthv2` plugin **does not** observe the [`cache-control`](https://developers.google.com/web/fundamentals/performance/optimizing-content-efficiency/http-caching) header.
|
91 | The only way to cache the JWT is to set the `tokenCache` property to `true`.
|
92 |
|
93 | ### Access Tokens
|
94 | Access tokens (JWTs) can also be cached in Edge Microgateway to avoid validating the JWT on every request. Access tokens are only cached if you set `tokenCache` to `true` and the JWT is valid.
|
95 |
|
96 | ## Best Practices for configuring this plugin
|
97 | * The `oauthv2` plugin is typically listed first in the plugin sequence.
|
98 | * If you need one set of APIs to be validated by JWTs and another set to be validated by API Keys (lower security), then consider the following:
|
99 | * Create two products, one for API Key validation and one for access token (JWT) validation, then configure two sets of Edge Microgateway instances - one set for API key validation and one set for access token validation.
|
100 | * Use an HTTPS load balancer to determine which Edge Microgateway should receive the traffic.
|