Prerequisites

• Docker and Docker Compose

• Access to an ACP tenant

• Apigee Edge account with an active organization

• API proxy created in your Apigee Edge organization

• APIs published with Apigee Edge

Create Apigee Edge gateway

1. Log in to your ACP tenant.

2. Open your authorization server (workspace).

3. Go to APIs -> Gateways.

4. Select Add Gateway. A list of available gateways appears.

5. Select Apigee Edge. Provide the name and description.

6. Optionally, enable the Create and bind services automatically check box.

   Tip

   When enabled, all services protected by your Apigee Edge instance are discovered and added to the ACP service list automatically when the Apigee authorizer is connected to ACP. Otherwise, you need to add them manually.

7. Follow the Quick Start instruction. Download the package from your tenant and check the Integrate ACP and Apigee Edge instructions.

Integrate ACP and Apigee Edge Authorizer

1. Unzip the package and open the docker-compose.yaml file.

2. Edit the following parameters to match your Apigee Edge instance:

   • APIGEE.APIGEE_EDGE.USERNAME=username - replace with your username

   • APIGEE.APIGEE_EDGE.PASSWORD=password - replace with your password

   • APIGEE.APIGEE_EDGE.ORGANIZATION_ID=org-id - replace with your organization ID

   version: '3'
   
   services:
   apigee-authorizer:
       container_name: apigee-edge-authorizer
       image: docker.cloudentity.io/apigee-authorizer:1.13.0
       env_file: .authorizer_env
       environment:
       - APIGEE.APIGEE_PRODUCT=ApigeeEdge
       - APIGEE.ACP_RELOAD_INTERVAL=5s # for demo purposes only, increase for production!
       - APIGEE.APIGEE_EDGE.USERNAME=username
       - APIGEE.APIGEE_EDGE.PASSWORD=password
       - APIGEE.APIGEE_EDGE.ORGANIZATION_ID=org-id
       ports:
       - 8442:8442
       restart: on-failure
   

   Tip

   The APIGEE.ACP_RELOAD_INTERVAL configuration parameter defines how often ACP tries to discover APIs on your gateway.

   Save your changes when done.

3. Run the docker-compose run apigee-authorizer install command in your terminal.

   Result

   When you run the command, a shared Authorizer flow is created automatically for you in your Apigee Edge instance. The shared flow consists of two policies:

   • A JavaScript Cloudentity Authorizer Policy that is responsible for communicating with the Apigee Edge Authorizer and for blocking/allowing the request depending on the Authorizers decision.

   • An XML Raise Authorization Error policy that is responsible for delivering the error status as the response to the unauthorized call to the protected API.

4. Run docker-compose up. After a short while, Apigee Edge authorizer should be running.

   docker-compose up
   Creating apigee-edge-authorizer ... done
   Attaching to apigee-edge-authorizer
   apigee-edge-authorizer | time="2021-08-27T13:37:53Z" level=info msg="starting apigee authorizer" commit=289e388 version=1.13.0
   apigee-edge-authorizer | time="2021-08-27T13:37:54Z" level=info msg="apigee-authorizer listening on https://localhost:8442"
   

5. Go to APIs > Gateways > your_gateway > APIs. You should see a familiar list of services deployed using Apigee Edge.

   Note

   If you do not see a list of services deployed on Apigee Edge, make sure that at least one API Product is defined in your Apigee Edge organization with a connected API proxy and a path provided.

6. Select Connect > Create new service on a protected API from the list to add it to a list of ACP-protected services. Give this new ACP service a name when prompted.

   Note

   If you selected the Create and bind services automatically option when creating the gateway, your services are bound already.

   Result

   Your Apigee Edge-protected API is now on the list of ACP-protected services.

7. Deploy your Apigee Edge authorizer so that it is available publicly.

   Tip

   So far, you have only deployed your Apigee Edge authorizer locally using the Docker image provided by Cloudentity. You must expose it publicly as it is needed later on for the integration to work. For testing purposes, you can use tools like, for example, ngrok that expose local servers behind NATs and firewalls to public internet over secure channels.

Configure Apigee Edge Gateway

With Apigee Edge Gateway, you can define policies that are an Edge components that you can attach to different points in the message flow through your API proxies. Such policies can transform the message format, call remote services, and more. To protect your APIs, elevate the integration between ACP and the Apigee Edge platform. Doing so allows you to enforce access control using Apigee Edge policies and ACP authorization policies.

1. In your Apigee Edge API Proxy settings, go to the DEVELOP tab.

2. In the Navigator > Policies add a policy of the Flow Callout type.

   Tip

   You can find the Flow Callout policy type under the EXTENSTION tree node.

3. Provide a name and a display name for your policy.

4. As a shared flow, use the Authorizer shared flow.

   Result

   Your policy is created. It is defined with the following XML:

   <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
   <FlowCallout async="false" continueOnError="false" enabled="true" name="Flow-Callout">
     <DisplayName>Flow Callout</DisplayName>
     <FaultRules/>
     <Properties/>
     <SharedFlowBundle>Authorizer</SharedFlowBundle>
   </FlowCallout>
   

5. Configure your policy so that it points to your Apigee Edge authorizer’s /authorize endpoint that you have deployed in the seventh step of the Integrate ACP and Apigee Edge section

   Example

   <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
   <FlowCallout async="false" continueOnError="false" enabled="true" name="microPerimeter">
      <DisplayName>microPerimeter</DisplayName>
      <FaultRules/>
      <Properties/>
      <Parameters>
          <Parameter name="authorizer_url">https://yourAuthorizerURL/authorize</Parameter>
          <Parameter name="proxy_body">false</Parameter>
      </Parameters>
      <SharedFlowBundle>Authorizer</SharedFlowBundle>
   </FlowCallout>
   

   proxy_body parameter

   If the proxy_body parameter is set to true, the shared flow policy proxies the request body to the authorizer and then to the policies. Thanks to that it is possible to create policies that reject requests based on the request body. The request body must be in the JSON format.

   The proxy_body option is disabled by default to make it possible to use bigger-sized request bodies, for example, for image uploads.

6. Add your new policy as a <step> element to your Proxy Endpoints PreFlows.

   Example

   <PreFlow name="PreFlow">
      <Request>
          <Step>
              <Name>microPerimeter</Name>
          </Step>
      </Request>
      <Response/>
   </PreFlow>
   

   Note

   You have to add your new policy to your Proxy Endpoints PreFlows, as the authorization must take place before the request reaches to target endpoint.

7. Select Save.

Apply a sample policy

1. In ACP, create a policy.

2. Select APIs from the left sidebar and go to the AUTHORIZATION tab.

3. Select a service protected by the Apigee Edge authorizer and any API with authorization status Unrestricted.

4. In the Edit API popup window, select Policy from the dropdown list and click Update to proceed.

Result

You have successfully assigned a policy to your API.

Test integration

To test if your integration was successfull and that your APIs are protected, you can, for example, create a simple Cloudentity or REGO policy that will always pass. Call your protected endpoint and check if the response contains the successfull status. If yes, change your policy so that it blocks APIs. The next request to your protected enpoint should end with the unauthorized access error.