Layer7 API Management

Expand all | Collapse all

API Key validation

Jump to Best Answer
  • 1.  API Key validation

    Posted 07-05-2018 04:18 PM

    Hi!

    I am publishing our APIs by the Portal and setting the security to use API Key.

    However, the auto generated policy that validate the API Key gets the Key only from the query parameter.

    Is there a way to change the auto generated policy to get the Key from the header (without to do it mannualy by Policy Manager)?

    For our scenario this is a security issue, because the API Key can be easily captured when it is used as a query parameter.

    Thanks in advance!

    César Piau



  • 2.  Re: API Key validation

    Posted 07-05-2018 07:54 PM

    Dear Piau ,

    I double check the default "API Portal Integration Fragment - API Key" (on portal 4.2.7.4), the apikey  in query string, or in posted form data, or in header, are all supported.

    What's the version of your portal?

     

    Regards,

    Mark



  • 3.  Re: API Key validation

    Posted 07-06-2018 10:11 AM

    Hi Mark,

    We are still using version 3.1 here in CAIXA.

    The fragment below is the "auto generated policy" when I publish an API by Portal.

    There are only 3 ways to capture the API Key from request: ${request.http.parameter.apikey}, ${session.client_id} and ${oauth_consumer_key}.

    Regards,

    Piau

     



  • 4.  Re: API Key validation

    Posted 07-08-2018 07:59 PM

    then it supports query string,  form data -- ${request.http.parameter.<name>} supports both query string and form data parameter



  • 5.  Re: API Key validation

    Posted 07-09-2018 05:20 PM

    Mark,

    Using form data is not a good idea because my body message can not be changed. Here in Caixa, for security parameters, we decide that header is the best choice.

    Is there a way to change the auto generated policy to get the Key from the header (without to do it mannualy by Policy Manager)? Maybe some config or template change.

    Regards,

    Piau



  • 6.  Re: API Key validation
    Best Answer

    Posted 07-09-2018 08:02 PM

    I understand, but this is how 3.1 design, you may need to customize the template policy to get apikey from ${request.http.header.apikey}, rather than ${request.http.parameter.apikey}