Configuring Apigee Authorizers

Learn how you can configure your Apigee Edge or Apigee X authorizers to adjust their settings to your needs.

About Apigee Authorizers configuration

You can adjust the configuration of both the Apigee Edge Authorizer and the Apigee X Authorizer. Below is an example of what the reference.yaml file looks like for both authorizers in the 1.16 ACP release.

server:
    port: 8442
    dangerous_disable_tls: false
    certificate:
        password: "" # key passphrase
        cert_path: "" # path to the certificate PEM file
        key_path: "" # path to the key PEM file
        cert: "" # base64 encoded cert PEM
        key: "" # base64 encoded key PEM
        generated_key_type: ecdsa # type for generated key if cert and key are not provided (rsa or ecdsa)
apigee:
    acp_reload_interval: 1m0s
    acp_reload_timeout: 30s
    acp_issuer_url: https://{tid}.us.authz.cloudentity.io/{tid}/system
    acp_client_id: {CLIENT_ID}
    acp_client_secret: {CLIENT_SECRET}
    disable_analytics: false
    disable_discovery: false
    do_not_fail_on_non_matching_requests: false
    analytics:
        probability: 1
        batchinterval: 1s
        batchlimit: 100
        limit: 5
        timeout: 5s
        workers: 8
    client:
        timeout: 10s # http client timeout
        retry_wait_min: 0s # minimum time to wait between retries
        retry_wait_max: 0s # maximum time to wait between retries
        retry_max: 0 # maximum number of retries
        root_ca: "" # root ca that this client should trust (defaults to system root ca)
        insecure_skip_verify: false # disable cert verification
        disable_follow_redirects: false # disable follow redirects
        disable_retry: true # disable retry
    apigee_product: ApigeeX
    apigee_edge:
        username: ""
        password: ""
        organization_id: ""
        base_url: https://api.enterprise.apigee.com
        token_url: https://login.apigee.com/oauth/token
        use_token: true
        debug: false
    api_discovery_filters:
        product_name_regexp: ""
        environment_name_regexp: ""
    cache_ttl: 10s
    cache_max_size: 100
shared_flow_path: data

You can generate a reference configuration for your authorizer using the docker-compose run apigee-authorizer reference command.

You can use the reference configuration as a basis for your customization. You can omit settings for which the default configuration is satisfactory and specify only the required values, which are the client ID, client secret, and issuer URL parameters, as shown in the example below:

   environment:
     - APIGEE.APIGEE_PRODUCT=ApigeeEdge
     - APIGEE.ACP_RELOAD_INTERVAL=5s
     - APIGEE.APIGEE_EDGE.USERNAME=username
     - APIGEE.APIGEE_EDGE.PASSWORD=password
     - APIGEE.APIGEE_EDGE.ORGANIZATION_ID=org-id

Tip

Note that nested YAML settings can be accessed by joining uppercased names with periods, as shown in the example above, where the APIGEE.APIGEE_EDGE.PASSWORD=password parameter is set.

Running authorizers

With a configuration file

  1. Add a volumes parameter to your docker-compose.yml file:

    volumes:
    - /Path/To/Your/Authorizer/apigee-{your_authorizer_version}-authorizer:/apigee
    

    The {your_authorizer_version} variable can be set to either x or edge.

    volumes attaches the defined directory (/Path/To/Your/Authorizer/apigee-{your_authorizer_version}-authorizer:/apigee) to your authorizer’s Docker container and maps it to a directory that, from now on, exists inside that container (/apigee). This is the place where your configuration is stored in your authorizer’s Docker deployment.

  2. Use the --config option to specify the YAML file with your configuration. For example, assuming that you have created an apigee_edge_config.yaml file in the directory mounted above, your docker-compose run command would look like the following:

    docker-compose run apigee-authorizer --config=/apigee/apigee_edge_config.yaml
    

Client authentication for Apigee Edge Authorizer

By default, the Apigee Edge Authorizer uses OAuth2 access tokens to authenticate itself to your Apigee Edge instance. This is controlled by the use_token: true setting in the Apigee Edge Authorizer’s configuration. If you wish to use Basic Authentication, set it to false.

You can do this, for example, by providing the APIGEE.APIGEE_EDGE.USE_TOKEN=false environment variable in the docker-compose.yml file responsible for your authorizer’s Docker deployment.
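As an added example (not Cloudentity's code), the Python sketch below applies the naming rule from the Tip above to flatten a configuration into dotted, uppercased names, overlays docker-compose environment entries, and reports which of three security-relevant settings differ from the reference defaults. It assumes that environment values take precedence over the file; the function names and the sample data are constructed.

```python
# Added example: setting names come from the reference.yaml on this page;
# helper names and sample data are constructed for illustration.

# Security-relevant settings and their values in the reference configuration.
SAFE_DEFAULTS = {
    "SERVER.DANGEROUS_DISABLE_TLS": "false",
    "APIGEE.CLIENT.INSECURE_SKIP_VERIFY": "false",
    "APIGEE.APIGEE_EDGE.USE_TOKEN": "true",
}

def flatten(config, prefix=""):
    """Map nested settings to dotted, uppercased names (the rule in the Tip)."""
    flat = {}
    for key, value in config.items():
        name = f"{prefix}.{key}".upper() if prefix else key.upper()
        if isinstance(value, dict):
            flat.update(flatten(value, name))
        else:
            flat[name] = str(value).lower() if isinstance(value, bool) else str(value)
    return flat

def parse_environment(entries):
    """Parse docker-compose 'environment:' list items of the form KEY=VALUE."""
    env = {}
    for entry in entries:
        key, sep, value = entry.partition("=")
        if not sep:
            raise ValueError(f"not KEY=VALUE: {entry!r}")
        env[key.strip().upper()] = value.strip()
    return env

def audit(config, environment):
    """Return names whose effective value differs from the reference default."""
    effective = flatten(config)
    effective.update(parse_environment(environment))  # assumption: env wins
    return sorted(name for name, safe in SAFE_DEFAULTS.items()
                  if effective.get(name, safe).lower() != safe)

# Constructed sample: a subset of reference.yaml as a YAML loader returns it.
SAMPLE_CONFIG = {
    "server": {"port": 8442, "dangerous_disable_tls": False},
    "apigee": {"client": {"insecure_skip_verify": False},
               "apigee_edge": {"use_token": True}},
}
# Constructed sample: entries from a docker-compose 'environment:' list.
SAMPLE_ENVIRONMENT = ["APIGEE.APIGEE_PRODUCT=ApigeeEdge",
                      "APIGEE.APIGEE_EDGE.USE_TOKEN=false",
                      "APIGEE.CLIENT.INSECURE_SKIP_VERIFY=true"]

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, SAMPLE_ENVIRONMENT))
```

A deployment where the check reports APIGEE.APIGEE_EDGE.USE_TOKEN is using Basic Authentication, so the Apigee Edge username and password are sent with each request instead of an access token.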

With environment variables in the docker-compose run command

To run the authorizer without providing the whole configuration file, you can provide the environment variables in your docker-compose run command. Pass each variable with its own -e option, placed before the service name. See the example below:

docker-compose run -e APIGEE.ACP_CLIENT_ID={your_client_id} -e APIGEE.ACP_CLIENT_SECRET={your_client_secret} apigee-authorizer