API Key

Imported Google Group message. Import date: 2016-01-19 21:13:27 +0000.
Sender: Jayadatta Vallabhaneni.
Date: Wednesday, 20 May 2015 19:51:33 UTC+1.

Hi Martin,

I am working on a scenario where a developer has access to multiple APIs. What I am seeing is that by using any of the keys under his profile, the user is able to invoke the APIs even though the key was not requested for them. Could you please let me know if this is how it is supposed to work?

Steps to replicate:

Create two APIs (API1, API2).

User signs up in the portal.

Request keys for both APIs. Two separate keys (key1 for API1, key2 for API2) are generated and shared with the user.

Below is the user profile snippet from the portal_developers collection for the user:

    "org_id" : "5558f0657650d0004c000001",
    "api_keys" : {
        "be60e1ec083a4191707d75fcc83fd0d7" : "5558f0657650d0004c000001187b6af9fe5742966146f041c02f033c",
        "d34e97e5712945727e5dc93114ce47ed" : "5558f0657650d0004c00000135cd38bde4e344954bde1744a275396d"
    },

Now with key1, the user is able to call API2, and with key2, is able to call API1.

Thanks,
Jay

Sender: Martin Buhr.
Date: Wednesday, 20 May 2015 20:02:56 UTC+1.

Hi Jay,

Do the API policies you have attached to the APIs have access control rules defined?

If you do not specify access rules at the policy level, then the key will have access to everything no matter how it’s created (it acts as a master key). I wouldn’t recommend using the same policy across two catalogue entries because the access rules will not be applied.

To be honest, the dashboard should really check for that, so that’s something for the roadmap.

Thanks,
Martin

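As an added illustration of the pitfall Martin describes (this is editor-supplied example code, not part of the thread and not Tyk's own code), the script below audits a set of policy definitions for the two problems in play: a policy with no access rights, whose keys act as master keys, and a single policy shared by more than one catalogue entry, whose keys therefore carry identical access whichever API they were requested for. The policy layout mirrors the shape of the open-source gateway's policies.json (rate and quota fields plus an "access_rights" map keyed by API ID); the catalogue-to-policy mapping, the policy names and the API IDs are simplified, constructed illustration data, not the real portal schema.

```python
"""Audit Tyk-style policy definitions for the master-key pitfall from the thread.

Constructed example, not code from Tyk or from the thread. The policy layout
mirrors the shape of the open-source gateway's policies.json (rate/quota
fields plus an "access_rights" map keyed by API ID); the catalogue-to-policy
mapping and all IDs are simplified, made-up illustration data.
"""
import json

# Constructed policies.json: one properly scoped policy per API, plus a
# "shared" policy whose author never clicked "add" on the access-rights panel.
POLICIES_JSON = """
{
  "api1-policy": {
    "rate": 1000, "per": 1, "quota_max": -1, "quota_renewal_rate": 60,
    "access_rights": {
      "api1": {"api_name": "API1", "api_id": "api1", "versions": ["Default"]}
    },
    "org_id": "5558f0657650d0004c000001"
  },
  "api2-policy": {
    "rate": 1000, "per": 1, "quota_max": -1, "quota_renewal_rate": 60,
    "access_rights": {
      "api2": {"api_name": "API2", "api_id": "api2", "versions": ["Default"]}
    },
    "org_id": "5558f0657650d0004c000001"
  },
  "shared-policy": {
    "rate": 1000, "per": 1, "quota_max": -1, "quota_renewal_rate": 60,
    "access_rights": {},
    "org_id": "5558f0657650d0004c000001"
  }
}
"""

# Constructed portal catalogue (assumed simplified shape, not the real portal
# schema): the policy each published API issues developer keys under.
# This reproduces Jay's setup: two catalogue entries, one policy.
CATALOGUE = {"API1": "shared-policy", "API2": "shared-policy"}


def load_policies(text):
    """Parse a policies.json document into a dict of policy_id -> policy."""
    return json.loads(text)


def unrestricted_policies(policies):
    """Policy IDs whose access_rights map is missing or empty.

    Per Martin's explanation, a key issued under such a policy is not scoped
    to any API and behaves as a master key for the whole organisation.
    """
    return sorted(pid for pid, pol in policies.items() if not pol.get("access_rights"))


def shared_policies(catalogue):
    """Policies referenced by more than one catalogue entry.

    Keys requested for either entry carry identical access, so per-API
    separation is impossible no matter which entry the developer picked.
    """
    by_policy = {}
    for api_name, pid in catalogue.items():
        by_policy.setdefault(pid, []).append(api_name)
    return {pid: sorted(apis) for pid, apis in by_policy.items() if len(apis) > 1}


def key_can_call(policy, api_id):
    """Model of the authorisation rule as Martin states it: empty access
    rights grant everything, otherwise api_id must be listed."""
    rights = policy.get("access_rights") or {}
    return True if not rights else api_id in rights


def audit(policies_text, catalogue):
    """Run both checks and return the findings."""
    policies = load_policies(policies_text)
    return {
        "unrestricted": unrestricted_policies(policies),
        "shared": shared_policies(catalogue),
    }


if __name__ == "__main__":
    findings = audit(POLICIES_JSON, CATALOGUE)
    for pid in findings["unrestricted"]:
        print(f"WARN policy {pid!r} has no access_rights: keys act as master keys")
    for pid, apis in findings["shared"].items():
        print(f"WARN policy {pid!r} is shared by catalogue entries {apis}")
    pols = load_policies(POLICIES_JSON)
    # Jay's symptom: a key under the shared policy reaches both APIs ...
    print("shared key -> API2:", key_can_call(pols["shared-policy"], "api2"))
    # ... while a key under a scoped policy cannot cross over.
    print("api1 key   -> API2:", key_can_call(pols["api1-policy"], "api2"))
```

Running it flags "shared-policy" on both counts. The fix the thread arrives at is visible in the two scoped policies: one policy per catalogue entry, each with its own API listed under access_rights, so that key1 reaches only API1 and key2 only API2.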

Sender: Jayadatta Vallabhaneni.
Date: Wednesday, 20 May 2015 20:09:30 UTC+1.

Thanks Martin.

Yes, both the keys are attached to the same policy. I will create a separate catalog and test this.

Regards,
Jayadatta


Sender: Martin Buhr.
Date: Wednesday, 20 May 2015 20:14:38 UTC+1.

Hi Jay,

Make sure the policies have their access rights set (click the add button, so many people miss it) :wink:

Cheers,
Martin