# Apigee

The Apigee connector allows you to block requests from specific IP addresses. To make the integration work, you need to:

1. Register a Google OAuth2 application
2. Perform the setup in your Apigee instance

## Google OAuth2 application registration

### Application verification

In 2020, Google introduced *Application verification* for apps that use Google APIs to access Google users’ data. This makes it impossible to use the Appmixer Google modules in production without the verification process. Such a verification process has to be done by you.

Most of the Google modules need what Google marks as *Sensitive* or *Restricted Scope* in order to work. For example, the Gmail module needs <https://www.googleapis.com/auth/gmail.compose> scope to create a new email and <https://www.googleapis.com/auth/gmail.readonly> to get new emails.

#### Required scopes

* [www.googleapis.com/auth/cloud-platform](http://www.googleapis.com/auth/cloud-platform) (sensitive scope)

#### Required user roles

The connector requires the following IAM permissions. These are the end-user permissions needed to use the connector:

* **apigee.keyvaluemapentries.get**
* **apigee.keyvaluemapentries.create**
* **apigee.keyvaluemapentries.update**
* **apigee.environments.list** (Optional. Used to display a list of Apigee environments, allowing the user to easily select the desired environment in the Designer.)
* **apigee.keyvaluemaps.create** (Optional. If this permission is not granted, you will need to manually create a Key Value Map (KVM) in Apigee; see the [KVM storage](#configure-kvm-storage) section for instructions. If the permission is granted, the connector will automatically create the KVM.)

### Register OAuth2 app

Go to the Google developer console at <https://console.developers.google.com/> and create a new project.

![Developer Console](https://802996127-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIAGKHlIqVKJe9agnFr14%2Fuploads%2Fgit-blob-9f31a8002b8514bd88bfe72b3ee21427b0cfff4d%2Fgoogle-1.png?alt=media)

![New Project](https://802996127-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIAGKHlIqVKJe9agnFr14%2Fuploads%2Fgit-blob-26f2887a221e823e92f8867aaf206f2cc10aa840%2Fgoogle-2.png?alt=media)

![](https://802996127-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIAGKHlIqVKJe9agnFr14%2Fuploads%2Fgit-blob-a270b6d75f304ffe7d1a1ef887528bbe7edc0267%2Fgoogle-3.png?alt=media)

Next, enable the required APIs for your project. Go to your project's APIs & Services > Enable APIs & service and click the `Enable APIs and Services` button. Enable the following APIs:

* Apigee API: apigee.googleapis.com
* Api HUB API: apihub.googleapis.com
* Service Networking: servicenetworking.googleapis.com
* Compute Engine: compute.googleapis.com
* Cloud Key Management Service (KMS): cloudkms.googleapis.com

Source: [Step 1: Enable required APIs](https://cloud.google.com/apigee/docs/api-platform/get-started/enable-apis)

### OAuth consent screen

The next step is the OAuth consent screen.

![](https://802996127-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIAGKHlIqVKJe9agnFr14%2Fuploads%2Fgit-blob-79edd0ba757ea4e246420e72b8b5aa4d065409b4%2Fgoogle-12.png?alt=media)

User Type - Internal vs External. The Internal user type allows you to use the Google modules without the app verification process mentioned at the beginning of this page. However, the modules will work only for accounts within your organization.

We are going to choose External for the purpose of this tutorial.

![](https://802996127-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIAGKHlIqVKJe9agnFr14%2Fuploads%2Fgit-blob-5fcbe8d9a577626d21a29938e7931605f30af01c%2Fgoogle-13.png?alt=media)

![](https://802996127-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIAGKHlIqVKJe9agnFr14%2Fuploads%2Fgit-blob-1e7839fbb1a9b10d725b746fae4ac09a6535ae17%2Fgoogle-14.png?alt=media)

On the next page, leave the scopes empty.

![](https://802996127-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIAGKHlIqVKJe9agnFr14%2Fuploads%2Fgit-blob-e7ed248cfb29c141c7faad5cef1df519fdca4194%2Fgoogle-15.png?alt=media)

You can add test users now or do this later. Only users added as test users will be able to authenticate!

![](https://802996127-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIAGKHlIqVKJe9agnFr14%2Fuploads%2Fgit-blob-349f876aa9c0d9bc9fb8ef4fee9f664d921678b8%2Fgoogle-16.png?alt=media)

Here is the configured OAuth consent screen. The app is in *testing* mode and is *external* (for users outside your organization). No more than 100 accounts (user cap) can be used with this application.

![](https://802996127-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIAGKHlIqVKJe9agnFr14%2Fuploads%2Fgit-blob-d6aac7291ea7f00c4b07819593aff3391240cf3d%2Fgoogle-17.png?alt=media)

### Client ID and Client Secret

We need a client ID and a client secret.

![](https://802996127-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIAGKHlIqVKJe9agnFr14%2Fuploads%2Fgit-blob-b37f8594c9329a773d1ec80aec35f67ac22cf449%2Fgoogle-18.png?alt=media)

Choose the *Web application* type, give it a name, and add an authorized redirect URI.

![](https://802996127-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIAGKHlIqVKJe9agnFr14%2Fuploads%2Fgit-blob-894acf9f5e16501dc3a3509c67897adaadb2f600%2Fgoogle-19.png?alt=media)

For the purpose of this tutorial, we are going to use localhost:2200, which is the default port for the Appmixer API when running on localhost. If you are creating an OAuth application for your production/QA environment, use the URI of your server here. The suffix /auth/google/callback will remain there.

You will get your Client ID and Client Secret.

![](https://802996127-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIAGKHlIqVKJe9agnFr14%2Fuploads%2Fgit-blob-7f9912c85220eb8f65f62a89027ebd78fe29e911%2Fgoogle-20.png?alt=media)

They have to be inserted into Appmixer. You can use the [Backoffice](https://github.com/Appmixer-ai/appmixer-docs-gitbook/blob/app-registrations/api/service-configuration.md) to do that.

![Creating appmixer:apigee service configuration](https://802996127-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIAGKHlIqVKJe9agnFr14%2Fuploads%2Fgit-blob-467a5c07e2f1faf7a26e983a0381ee8d2fba7575%2Fapigeeimg_5.png?alt=media)

![Setting clientId and clientSecret](https://802996127-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIAGKHlIqVKJe9agnFr14%2Fuploads%2Fgit-blob-a46445c6754539aca917d9c918a53cabb61e9529%2Fimg_6.png?alt=media)

### Custom callback URL

By default, the callback URL passed to Google is in the form of **\<your-api-url>/auth/apigee/callback**. However, in some cases you may need to pass a different callback URL. You can do this by inserting a `callbackUrl` value in the service configuration:

![Setting custom callback URL](https://802996127-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIAGKHlIqVKJe9agnFr14%2Fuploads%2Fgit-blob-3d98396b4c08c037cd4f933f816b2560d070e689%2Fimg_7.png?alt=media)

### Domain verification

In order to use Google API Webhooks, you have to verify your domain ownership. More about domain verification can be found [here](https://support.google.com/a/topic/9196?hl=en\&ref_topic=3540977). If you use the Appmixer Self-Managed package and you run Appmixer on your own servers using your custom domain, you can use [CNAME](https://support.google.com/a/answer/47283?hl=en\&ref_topic=29598) records to verify your domain ownership. Otherwise, if you are an Appmixer Hosted customer, you can use the [*HTML file method*](https://support.google.com/a/answer/63026?hl=en) to verify your Appmixer tenant domain (`api.YOUR_TENANT.appmixer.cloud`) at Google.

{% hint style="info" %}
When you use a Google Webhook component without a verified domain, you will receive the **Unauthorized WebHook callback channel error.**
{% endhint %}

First, open the Google developers console and your Appmixer project and follow the instructions in the next picture.

![Domain verification](https://802996127-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIAGKHlIqVKJe9agnFr14%2Fuploads%2Fgit-blob-04b01b66e856c25a4838a368a7ceb28b69e294f6%2Fgoogle-23.png?alt=media)

Add your Appmixer tenant API URL (`api.YOUR_TENANT.appmixer.cloud`) and continue to verify the domain ownership. Click 'Take me there' and then 'Add a property'.

![](https://802996127-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIAGKHlIqVKJe9agnFr14%2Fuploads%2Fgit-blob-cfc8e2b1f04d475f634b4a463cc0496045745bce%2Fgoogle-26.png?alt=media)

Again, use `api.YOUR_TENANT.appmixer.cloud`. Then download the HTML verification file.

![Download HTML verification file](https://802996127-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIAGKHlIqVKJe9agnFr14%2Fuploads%2Fgit-blob-bfc9ba46ffc85ee1d9df1d022116ac61b74d90d2%2Fgoogle-28.png?alt=media)

After you download your HTML verification file, upload it via the Appmixer Backoffice interface to the *Public Files* section on the left. When you are done you should see your file listed:

![Google verification file uploaded via Backoffice](https://802996127-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIAGKHlIqVKJe9agnFr14%2Fuploads%2Fgit-blob-d72f8f9236b257159e95bbba67f1ca3422b6c58a%2Fgoogle-29.png?alt=media)

Click the 'Verify' button to finish the verification process.

![](https://802996127-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIAGKHlIqVKJe9agnFr14%2Fuploads%2Fgit-blob-28a61778ac9cb0c16bcd47897d77d34b8f0279cc%2Fgoogle-30.png?alt=media)

Now, you can go back to the developer console and add the `api.YOUR_TENANT.appmixer.cloud` domain once more. But this time, because it's already verified, it will appear in the list of your domains.

The new domain has to be added to the *OAuth consent screen* as well.

![](https://802996127-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIAGKHlIqVKJe9agnFr14%2Fuploads%2Fgit-blob-87dcccd7f16815afb4674e89afa645a580ed1fd6%2Fgoogle-33.png?alt=media)

## Apigee setup

### Blocking IP Shared Flow Installation Guide

Shared flows in Apigee allow you to create reusable policies that can be applied across multiple API proxies. Blocking IP Shared Flow is a shared flow that blocks requests from specific IP addresses.

To install the Blocking IP Shared Flow and apply the Shared flow in any Proxy API, follow these steps:

Get the bundle:

{% file src="<https://802996127-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIAGKHlIqVKJe9agnFr14%2Fuploads%2Fgit-blob-e7426b20f4991b71807ae09ab6336af07cca11da%2Fblocking-ip-shared-flow.zip?alt=media>" %}

Upload the bundle: go to Apigee, navigate to the **Shared Flows** section, then click the `Upload Bundle` icon to upload a new shared flow bundle.

![upload bundle](https://802996127-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIAGKHlIqVKJe9agnFr14%2Fuploads%2Fgit-blob-da5fe3c83de19a84c2363d2440eea9f8d1e3e885%2Fapigee01.png?alt=media)

Deploy the shared flow:

![deploy](https://802996127-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIAGKHlIqVKJe9agnFr14%2Fuploads%2Fgit-blob-8c5a86c1dcda07781d98b6274fa3806ab69f3479%2Fapigee02.png?alt=media)

![deploy](https://802996127-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIAGKHlIqVKJe9agnFr14%2Fuploads%2Fgit-blob-ac4084bab77ce2e4ca88c201b7eed347436c48b6%2Fapigee03.png?alt=media)

Once deployed, go to your API proxy and add the shared flow to the PreFlow of the proxy endpoint.

* API Proxy > Open your proxy > DEVELOP
* Navigate to Policies and click on the plus icon to add a policy.
* Select the **Flow Callout**
* Enter any name and display name, for example `FC-blocking-ip-shared-flow`
* Select the shared flow deployed in the previous step: `blocking-ip-shared-flow`
* Click **Create**

![create](https://802996127-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIAGKHlIqVKJe9agnFr14%2Fuploads%2Fgit-blob-c4c410302a8642d07481e49b0331e6462b647ec9%2Fimg_10.png?alt=media)

To apply the policy, go to Proxy Endpoints and select the PreFlow tab.

Click on the plus icon to add the policy step.

![add policy step](https://802996127-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIAGKHlIqVKJe9agnFr14%2Fuploads%2Fgit-blob-92365e235fd636b92de83ac8c0de3d419944abf6%2Fimg_11.png?alt=media)

Select the policy you just created: `FC-blocking-ip-shared-flow`

![add policy](https://802996127-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIAGKHlIqVKJe9agnFr14%2Fuploads%2Fgit-blob-618a6e928d9f9ea4def29f35a12abca14682c368%2Fimg_12.png?alt=media)

* Save the changes, deploy the API proxy and you are done.
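To confirm the result of the steps above in an exported proxy bundle, the following added example (not Appmixer's or Apigee's own code) parses the Flow Callout policy and the proxy endpoint and reports anything that would let requests bypass the IP check. The XML is a constructed sample of what those steps are expected to produce; the endpoint name `default` and the requirement that the callout be the first PreFlow step are assumptions, not statements from this page.

```python
import xml.etree.ElementTree as ET

POLICY_NAME = "FC-blocking-ip-shared-flow"   # policy name used on this page
SHARED_FLOW = "blocking-ip-shared-flow"      # shared flow name used on this page

# Constructed sample: expected policy file and proxy endpoint after the UI
# steps above (endpoint name "default" is an assumption).
POLICY_XML = """<FlowCallout continueOnError="false" enabled="true" name="FC-blocking-ip-shared-flow">
  <DisplayName>FC-blocking-ip-shared-flow</DisplayName>
  <SharedFlowBundle>blocking-ip-shared-flow</SharedFlowBundle>
</FlowCallout>"""

ENDPOINT_XML = """<ProxyEndpoint name="default">
  <PreFlow name="PreFlow">
    <Request>
      <Step><Name>FC-blocking-ip-shared-flow</Name></Step>
    </Request>
    <Response/>
  </PreFlow>
</ProxyEndpoint>"""


def audit(policy_xml, endpoint_xml):
    """Return a list of findings; an empty list means the callout is wired as described."""
    findings = []
    policy = ET.fromstring(policy_xml)
    if policy.tag != "FlowCallout" or policy.get("name") != POLICY_NAME:
        findings.append("policy is not the expected FlowCallout")
    if (policy.findtext("SharedFlowBundle") or "").strip() != SHARED_FLOW:
        findings.append("FlowCallout does not reference the blocking shared flow")
    if policy.get("enabled", "true") != "true":
        findings.append("policy is disabled")
    if policy.get("continueOnError", "false") == "true":
        findings.append("continueOnError=true lets requests through if the callout fails")
    steps = ET.fromstring(endpoint_xml).findall("./PreFlow/Request/Step")
    names = [(s.findtext("Name") or "").strip() for s in steps]
    if POLICY_NAME not in names:
        findings.append("policy is not attached to the request PreFlow")
    else:
        step = steps[names.index(POLICY_NAME)]
        if step.find("Condition") is not None:
            findings.append("step has a Condition, so some requests skip the check")
        if names[0] != POLICY_NAME:
            findings.append("other policies run before the IP check")
    return findings


if __name__ == "__main__":
    print(audit(POLICY_XML, ENDPOINT_XML) or "OK")
```
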

### Configure KVM storage

The Blocking IP Shared Flow uses the Apigee Key Value Map (KVM) to store the blocked IP addresses.

To create a KVM, follow these steps:

* Go to Management > Environments > {env} > Key Value Maps
* Click the `Create Key Value Map` button
* Name the KVM `apigee-blocked-ips`

![create KVM](https://802996127-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIAGKHlIqVKJe9agnFr14%2Fuploads%2Fgit-blob-7e67ad951a23b373399382f8b6327970bd275140%2Fimg_5.png?alt=media)
