Apigee
The Apigee connector allows you to block requests from specific IP addresses. To make the integration work, you need to:
register a Google OAuth2 application
perform the setup in your Apigee instance
Google OAuth2 application registration
Application verification
In 2020, Google introduced application verification for apps that use Google APIs to access Google users’ data. This makes it impossible to use the Appmixer Google modules in production without going through the verification process. The verification has to be done by you.
Most of the Google modules need what Google marks as Sensitive or Restricted Scope in order to work. For example, the Gmail module needs https://www.googleapis.com/auth/gmail.compose scope to create a new email and https://www.googleapis.com/auth/gmail.readonly to get new emails.
Required scopes
https://www.googleapis.com/auth/cloud-platform (sensitive scope)
Required user roles
The connector requires the following IAM permissions. These are the end-user permissions needed to use the connector:
apigee.keyvaluemapentries.get
apigee.keyvaluemapentries.create
apigee.keyvaluemapentries.update
apigee.environments.list (Optional. Used to display a list of Apigee environments, allowing the user to easily select the desired environment in the Designer.)
apigee.keyvaluemaps.create (Optional. If this permission is not granted, you will need to manually create a Key Value Map (KVM) in Apigee; see the KVM storage section for instructions. If the permission is granted, the connector will automatically create the KVM.)
Register OAuth2 app
Go to the Google developer console at https://console.developers.google.com/ and create a new project.



Next, enable the required APIs for your project. Go to your project's APIs & Services > Enable APIs & service and click on the Enable APIs and Services button. Enable the following APIs:
Apigee API: apigee.googleapis.com
API Hub API: apihub.googleapis.com
Service Networking: servicenetworking.googleapis.com
Compute Engine: compute.googleapis.com
Cloud Key Management Service (KMS): cloudkms.googleapis.com
source: Step 1: Enable required APIs
OAuth consent screen
The next step is the OAuth consent screen.

User Type - Internal vs External. The Internal user type allows you to use the Google modules without the app verification process mentioned at the beginning of this page. However, the modules will work only for accounts within your organization.
We are going to choose External for the purpose of this tutorial.


On the next page, leave the scopes empty.

You can add test users, but you can do this later. Only users added as test users will be able to authenticate!

Here is the configured OAuth consent screen. The app is in testing mode and it is external (for users outside your organization). No more than 100 accounts (user cap) can be used with this application.

Client ID and Client Secret
We need a client ID and a client secret.

Choose the Web application type, give it a name, and add an authorized redirect URI.

For the purpose of this tutorial, we are going to use localhost:2200, which is the default port for the Appmixer API when running on localhost. If you are creating an OAuth application for your production/QA environment, the URI of your server goes here instead. The suffix /auth/google/callback will remain there.
You will get your Client ID and Client Secret.

They have to be inserted into Appmixer. You can use the Backoffice to do that.


Custom callback URL
By default, the callback URL passed to Google has the form <your-api-url>/auth/apigee/callback. However, in some cases you may need to pass a different callback URL. You can do this by inserting a callbackUrl value in the service configuration:

Domain verification
In order to use Google API Webhooks, you have to verify your domain ownership. More about domain verification can be found here. If you use the Appmixer Self-Managed package and you run Appmixer on your own servers using your custom domain, you can use CNAME records to verify your domain ownership. Otherwise, if you are an Appmixer Hosted customer, you can use the HTML file method to verify your Appmixer tenant domain (api.YOUR_TENANT.appmixer.cloud) at Google.
First, open the Google developers console and your Appmixer project and follow the instructions in the next picture.

Add your Appmixer tenant API URL (api.YOUR_TENANT.appmixer.cloud) and continue to verify the domain ownership. Click 'Take me there' and then 'Add a property'.

Again, use api.YOUR_TENANT.appmixer.cloud. Then download the HTML verification file.

After you download your HTML verification file, upload it via the Appmixer Backoffice interface to the Public Files section on the left. When you are done you should see your file listed:

Click the 'Verify' button to finish the verification process.

Now, you can go back to the developer console and add the api.YOUR_TENANT.appmixer.cloud domain once more. But this time, because it's already verified, it will appear in the list of your domains.
The new domain has to be added to the OAuth consent screen as well.

Apigee setup
Blocking IP Shared Flow Installation Guide
Shared flows in Apigee allow you to create reusable policies that can be applied across multiple API proxies. Blocking IP Shared Flow is a shared flow that blocks requests from specific IP addresses.
To install the Blocking IP Shared Flow and apply the Shared flow in any Proxy API, follow these steps:
Get the bundle:
Upload bundle: Go to Apigee and navigate to the Shared Flows section, then click on the Upload Bundle icon to upload a new shared flow bundle.

Deploy the shared flow


Once deployed, go to your API proxy and add the shared flow to the PreFlow of the proxy endpoint.
API Proxy > Open your proxy > DEVELOP
Navigate to Policies and click on the plus icon to add a policy.
Select Flow Callout.
Enter any name and display name, for example FC-blocking-ip-shared-flow.
Select the shared flow deployed in the previous step: blocking-ip-shared-flow
Hit Create.

To apply the policy, go to Proxy Endpoints and select the PreFlow tab.
Click on the plus icon to add the policy step.

Select the policy you just created: FC-blocking-ip-shared-flow

Save the changes, deploy the API proxy and you are done.
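An added example, not part of the original page or of the Appmixer bundle: a Python check over an exported proxy bundle that confirms the Flow Callout for blocking-ip-shared-flow runs unconditionally in the PreFlow request path. The XML samples are constructed and follow the standard Apigee proxy bundle layout; the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

SHARED_FLOW = "blocking-ip-shared-flow"  # shared flow name from this page

# Constructed samples shaped like files in an exported Apigee proxy bundle.
POLICY_XML = """<FlowCallout name="FC-blocking-ip-shared-flow">
  <SharedFlowBundle>blocking-ip-shared-flow</SharedFlowBundle>
</FlowCallout>"""

ENDPOINT_OK = """<ProxyEndpoint name="default">
  <PreFlow name="PreFlow">
    <Request>
      <Step><Name>FC-blocking-ip-shared-flow</Name></Step>
    </Request>
    <Response/>
  </PreFlow>
</ProxyEndpoint>"""
# Same endpoint, but the step only runs for POST: other verbs skip the block list.
ENDPOINT_CONDITIONAL = ENDPOINT_OK.replace(
    "</Name></Step>", '</Name><Condition>request.verb = "POST"</Condition></Step>')
# Same endpoint with the step removed.
ENDPOINT_MISSING = ENDPOINT_OK.replace(
    "<Step><Name>FC-blocking-ip-shared-flow</Name></Step>", "")


def callout_policies(policy_xmls, shared_flow=SHARED_FLOW):
    """Names of FlowCallout policies that invoke the given shared flow."""
    names = set()
    for text in policy_xmls:
        root = ET.fromstring(text)
        bundle = (root.findtext("SharedFlowBundle") or "").strip()
        if root.tag == "FlowCallout" and bundle == shared_flow:
            names.add(root.get("name"))
    return names


def audit_endpoint(endpoint_xml, policy_xmls):
    """Return 'ok', 'conditional' or 'missing' for the PreFlow request path."""
    wanted = callout_policies(policy_xmls)
    verdict = "missing"
    for step in ET.fromstring(endpoint_xml).findall("./PreFlow/Request/Step"):
        if (step.findtext("Name") or "").strip() not in wanted:
            continue
        if not (step.findtext("Condition") or "").strip():
            return "ok"  # runs on every request
        verdict = "conditional"  # attached, but some requests bypass it
    return verdict
```

In an exported bundle, the endpoint files are under apiproxy/proxies/ and the policy files under apiproxy/policies/; any result other than 'ok' means some requests reach the target without the IP check.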
Configure KVM storage
The Blocking IP Shared Flow uses the Apigee Key Value Map (KVM) to store the blocked IP addresses.
To create a KVM, follow these steps:
Go to Management > Environments > {env} > Key Value Maps
Click on the Create Key Value Map button
Name the KVM apigee-blocked-ips
