Wednesday, 20 June 2018

Key Validation Policies in Oracle API Cloud Service (CS)


The Verify API Key policy lets you enforce verification of API keys at run time, so that only applications presenting an approved API key can access the API. The policy checks that the key is valid, has not been revoked, and is approved to consume the specific resources associated with the API products.

Use a key validation policy when you want to reject requests from unregistered (anonymous) applications.

Keys are distributed to clients when they register to use an API on the Developer Portal. At run time, if the key is not present in the configured header or query parameter, or if the application is not registered, the request is rejected: the client receives a 400 Bad Request error if no key validation header or query parameter is passed, and a 403 Forbidden error if an invalid key is passed.

This policy can be added only to the request flow.

Let's get into the implementation: how to apply the Key Validation policy.

Assume an API is already configured in API CS. If not, follow the blog Create API in Oracle API CS.

To configure a key validation policy, follow the steps below:

  • Click the TestAPI created in the previous blog, Create API in Oracle API CS
  • Click the API Implementation tab
  • In the Available Policies region, expand Security, hover over Key Validation, and then click Apply

  • In the Key Validation dialog, enter the following and click Next:

    • Your Policy Name (Optional): Enter a name for the policy
    • Comments (Optional): Describe why the policy is being applied to this API
    • Place after the following policy: Select the policy after which this policy is placed in the request flow
    • Key Delivery Approach: select either Query Parameter or Header. If Query Parameter is selected, the key is passed as a query parameter of the API request; if Header is selected, the key must be passed in a request header. The request is rejected if the parameter/header is not present, if the key is empty, or if the key is invalid. Enter the parameter/header name (appkey in this example) and click Apply

  • Click Save and redeploy the API from the Deployments tab
  • Hit the API with the appkey query parameter set to a registered key; the request is passed through
  • Hit the API without the appkey query parameter; the request is rejected with 400 Bad Request (an unregistered key gives 403 Forbidden)

    TestAPI is entitled to MyApp, which was created in the previous blog, and MyApp subscribes to MyPlan, which was created in another blog. Suppose MyPlan is limited to 100 requests per minute: once requests from MyApp exceed that rate, further requests are rejected.
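    To make the behaviour described in the steps above concrete, here is a small stand-alone model of the gateway request flow: a Key Validation policy that supports both delivery approaches and returns the 400/403 outcomes the post describes, followed by a per-application plan quota of 100 requests per minute. This is an added example written for this post, not Oracle API Platform CS code and not a call into its APIs. The key value, the registry APP_KEYS, the header name X-App-Key, and the 429 status used for a quota rejection (the post only says the request is rejected) are assumptions made for the example.

```python
"""Model of an API gateway request flow: Key Validation, then a plan quota check.

Added illustration for this post. It is NOT Oracle API Platform CS code and does not
use its APIs. APP_KEYS, SAMPLE_KEY, the header name and the 429 quota status are all
assumptions made for the example.
"""
import hmac
import time
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Optional, Tuple

# Constructed registry: keys issued on the Developer Portal, mapped to the registered
# application. A real gateway looks these up in its key store; this value is made up.
SAMPLE_KEY = "d2a4f1c9e8b7a6c5d4e3f2a1b0c9d8e7"
APP_KEYS: Dict[str, str] = {SAMPLE_KEY: "MyApp"}

# MyPlan limit from the post: 100 requests per minute per application.
PLAN_LIMIT = 100
PLAN_WINDOW_SECONDS = 60.0


@dataclass
class Request:
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    query: Dict[str, str] = field(default_factory=dict)


@dataclass
class KeyValidationPolicy:
    """Rejects requests whose key is missing (400) or not registered (403)."""
    delivery: str            # "header" or "query", as chosen in the policy dialog
    name: str = "appkey"     # header or query parameter name entered in the dialog

    def _extract(self, req: Request) -> Optional[str]:
        if self.delivery == "header":
            # Header names are case-insensitive, so compare them lower-cased.
            lowered = {k.lower(): v for k, v in req.headers.items()}
            return lowered.get(self.name.lower())
        if self.delivery == "query":
            return req.query.get(self.name)
        raise ValueError(f"unknown key delivery approach: {self.delivery}")

    def apply(self, req: Request) -> Tuple[Optional[int], Optional[str]]:
        """Return (reject_status, app). reject_status None means continue the flow."""
        presented = self._extract(req)
        if not presented:
            return 400, None          # no key header/parameter passed -> 400 Bad Request
        for issued, app in APP_KEYS.items():
            # Constant-time comparison so response timing cannot leak valid key bytes.
            if hmac.compare_digest(issued, presented):
                return None, app
        return 403, None              # key present but unknown/revoked -> 403 Forbidden


@dataclass
class PlanQuota:
    """Sliding window: at most `limit` requests per `window` seconds per application."""
    limit: int = PLAN_LIMIT
    window: float = PLAN_WINDOW_SECONDS
    _hits: Dict[str, Deque[float]] = field(default_factory=lambda: defaultdict(deque))

    def allow(self, app: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        hits = self._hits[app]
        while hits and now - hits[0] >= self.window:
            hits.popleft()            # drop hits that have aged out of the window
        if len(hits) >= self.limit:
            return False              # over the plan limit: do not record the hit
        hits.append(now)
        return True


class Gateway:
    """Request flow: Key Validation first, then the subscribed plan's quota."""

    def __init__(self, delivery: str = "query", name: str = "appkey"):
        self.key_policy = KeyValidationPolicy(delivery, name)
        self.quota = PlanQuota()

    def handle(self, req: Request, now: Optional[float] = None) -> int:
        status, app = self.key_policy.apply(req)
        if status is not None:
            return status
        if not self.quota.allow(app, now):
            return 429                # assumed status for "plan limit exceeded"
        return 200                    # request forwarded to the backend service
```

    Against a deployed API the same three cases are exercised from a client: a call with ?appkey=<registered key> is forwarded, a call with no appkey parameter returns 400, and a call with a made-up key returns 403. Note that the key must arrive on the channel chosen in the dialog; with the Header approach selected, a key sent as a query parameter is treated as missing, not as invalid.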
