We launched new developer portal. For the latest documentation visit developer.cloudentity.com
Home > Guides > Developer > API security > Apigee GWs > Configuring Apigee Authorizers

Apigee Authorizers configuration reference

Learn how you can configure your Apigee Edge or Apigee X authorizers to adjust their settings to your needs.

About Apigee Authorizers configuration

For both the Apigee Edge Authorizer and the Apigee X Authorizer, it is possible to adjust their configuration. Below you can see an example of how the reference.yaml file looks like for both authorizers:

 # acp
acp:
    reload_interval: 1m0s # reload interval
    reload_timeout: 30s # reload configuration timeout
    issuer_url: https://localhost:8443/sample/system # issuer url
    client_id: bqesdrc4m4co2s81mpu0 # client id
    client_secret: LH6mAb6PNljvjYMIF-A5RP2bElA5a5bnQah8sG0fsLA # client secret
    tenant_id: "" # tenant id
    server_id: "" # server id
    force_introspection: false # force token introspection even for jwts
# http client
http_client:
    timeout: 10s # http client timeout
    retry_wait_min: 0s # minimum time to wait between retries
    retry_wait_max: 0s # maximum time to wait between retries
    retry_max: 0 # maximum number of retries
    root_ca: "" # root ca that this client should trust (defaults to system root ca)
    insecure_skip_verify: false # disable cert verification
    disable_follow_redirects: false # disable follow redirects
    disable_retry: true # disable retry
# metrics
metrics:
    enabled: false # enable metrics endpoint
    port: 9000 # metrics endpoint port
# analytics
analytics:
    enabled: true # when enabled, events are sent to audit log
    # event format
    event_format:
        include_policy_output: false # when enabled, policy evaluation output is sent to audit log
    # sampling
    sampling:
        probability: 1 # Probability of an event to be published (0.0-1.0)
        batch_inverval: 1s # Max duration to wait for a batch to publish
        batch_limit: 100 # Max number of events in a batch
        limit: 5 # Max number of batches per second to be published
        timeout: 5s # Timeout for a single batch to send
        workers: 8 # Number of sending workers
# cache
cache:
    ttl: 10s # ttl
    max_size: 100 # max size
# logging config
logging:
    level: info # log level severity
# token echange config
token_exchange:
    enabled: false # enable token exchange
    # cache
    cache:
        ttl: 1m0s # ttl
        max_size: 1000 # max size
    # inject config (supported only for istio authorizer)
    inject:
        mode: "" # Defines what token should be sent to the target service when token is exchanged
        # headers config
        headers:
            exchanged_token: "" # Defines the name of the header that contains an exchanged token.
            original_token: "" # Defines the name of the header that contains an original token.
            strip_bearer: false # Allows to strip the bearer prefix in headers
# enforcement config
enforcement:
    allow_unknown: false # allow requests with no matching rule
    client_certificate_header_name: X-SSL-CERT # client certificate header name
    client_certificate_format_header_name: X-SSL-CERT-FORMAT # client certificate format header name
# http server
http_server:
    port: 8442 # http port
    dangerous_disable_tls: false # diables TLS
    # certificate configuration
    certificate:
        password: "" # key passphrase
        cert_path: "" # path to the certificate PEM file
        key_path: "" # path to the key PEM file
        cert: "" # base64 encoded cert PEM
        key: "" # base64 encoded key PEM
        generated_key_type: ecdsa # type for generated key if cert and key are not provided (rsa or ecda)
    client_auth_type: 0 # client auth type
# apigee
apigee:
    product_name: ApigeeX # oneof ApigeeX or ApigeeEdge
    shared_flow_path: data # path to a directory with an apigee shared flow definition
    # service discovery configuration
    discovery:
        enabled: true # when true, API discovery is enabled
        # filters are used for limiting the number of discovered APIs
        filters:
            product_name_regexp: "" # filter discovered APIs by Apigee product name (whitelist)
            environment_name_regexp: "" # filter discovered APIs by Apigee environment name (whitelist)
    # apigee edge configuration, leave empty in case of ApigeeX
    apigee_edge:
        username: "" # username (email address format)
        password: "" # password
        organization_id: "" # organization name
        base_url: https://api.enterprise.apigee.com # URL of Apigee API
        token_url: https://login.apigee.com/oauth/token # URL of Apigee Authorization API
        use_token: true # when true, the client exchanges credentials for the token, when false it uses basic auth
        debug: false # dumps http traffic to Apigee API, useful for debugging connection issues

You can generate a reference configuration for your authorizer using the docker-compose run apigee-authorizer reference command.

You can use the reference configuration as a basis for your customization. You can omit settings for which the default configuration is satisfactory, specifying only the required values, which are the client ID, client secret, and issuer URL parameters like it is shown in the example below:

   environment:
     - ACP_RELOAD_INTERVAL=5s
     - APIGEE_APIGEE_PRODUCT=ApigeeEdge
     - APIGEE_APIGEE_EDGE_USERNAME=username
     - APIGEE_APIGEE_EDGE_PASSWORD=password
     - APIGEE_APIGEE_EDGE_ORGANIZATION_ID=org-id

Tip

Note that nested YAML settings can be accessed by joining uppercased names with underscores, as shown in the example above, where the APIGEE_APIGEE_EDGE_PASSWORD=password parameter is set.

Running authorizers

With a configuration file

  1. Add a volumes parameter to your docker-compose.yml file:

    volumes:
- /Path/To/Your/Authorizer/apigee-{your_authorizer_version}-authorizer:/apigee

    The {your_authorizer_version} variable can be set to either x or edge.

    volumes attaches the defined catalog (/Path/To/Your/Authorizer/apigee-{your_authorizer_version}-authorizer:/apigee) to your authorizer’s docker image and maps it to a catalog that, from now on, exists on your docker image (apigee). This is the place where your configuration is stored on your authorizer’s docker deployment.

  2. Use the --config option to specify the YAML file with your configuration. For example, assuming that you have created a apigee_edge_config.yaml file in your current directory, your docker run command would look like the following:

    docker-compose run apigee-authorizer --config=/apigee/apigee_edge_config.yaml

Client authentication for Apigee Edge Authorizer

By default, the Apigee Edge Authorizer uses OAuth2 access tokens to authenticate itself to your Apigee Edge instance. It is defined using the use_token: true setting in the Apigee Edge Authorizer’s configuration. If you wish to use Basic Authentication, set it to false.

You can do this by, for example, by providing the APIGEE_APIGEE_EDGE_USE_TOKEN=false environment variable in the docker-compose.yml file responsible for your authorizer’s docker deployment.

With environment variables in the docker-compose run command

To run the authorizer without providing the whole configuration file, you can provide the environment variables in your docker-compose run command. See example below:

docker-compose run apigee-authorizer -e APIGEE_ACP_CLIENT_ID={your_client_id} APIGEE_ACP_CLIENT_SECRET={your_client_secret}