Installation

  • Published on Sep 1, 2024
  • 3 minute(s) read
Prev Next

Prerequisites

  • An Apigee API proxy.
  • An Apigee Environment that you can use to deploy your API proxies and Shared Flows.
  • Permissions on Apigee to create and update Shared Flows, and connect them to API proxies.
  • PlainID Apigee Authorizer, downloaded from the Platform.

Obtaining the Apigee Authorizer

Click here to learn how to create an Authorizer on the Platform.

Important

Ensure that you follow these instructions closely, replace placeholder values with actual values, and verify that all the XML parameters, URLs, and other configuration details are accurate for your specific setup

Installing the Apigee Authorizer

Creating a Shared Flow

  1. Access the Apigee section through the Google Cloud console.
  2. Click on the Navigation Menu at the top left.
  3. Hover over Apigee and click on Shared Flows.
  4. Click Upload Bundle
  5. Select the PlainID Authorizer bundle you downloaded from the Platform.
  6. Click on Create.

It's recommended that you use a Shared Flow name which shares the Authorizer Name that was downloaded from the Platform for easier management.

Updating a Shared Flow

After the Shared Flow is created, the **Shared Flow Details **page appears.

  1. Click DEVELOP.
  2. Click call-pdp (under Policies).
  3. Update the pdpEndpointV5 property according to the following instructions:
     
    • If using the Platform Cloud PDP:
      Set the pdpEndpointV5 to /api/runtime/5.0/decisions/permit-deny

    • If using the PlainID Authorization Agent PDP (Customer hosted):
      Set the pdpEndpointV5 to /runtime/5.0/decisions/permit-deny
  4. Save the changes and deploy.

call-pdp.xml Samples

PDP as part of the Platform:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Javascript continueOnError="false" enabled="true" timeLimit="2000" name="call-pdp">
  <DisplayName>call-pdp</DisplayName>
  <IncludeURL>jsc://URI.js</IncludeURL>
  <IncludeURL>jsc://parse-headers.js</IncludeURL>
  <IncludeURL>jsc://parse-body.js</IncludeURL>
  <ResourceURL>jsc://call-pdp.js</ResourceURL>
  <Properties>
    <Property name="pdpEndpointV5">/api/runtime/5.0/decisions/permit-deny</Property>
    <Property name="authorizerVersion">1.3.4</Property>
  </Properties>
</Javascript>

 
PDP as part of the PAA (Customer hosted):

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Javascript continueOnError="false" enabled="true" timeLimit="2000" name="call-pdp">
  <DisplayName>call-pdp</DisplayName>
  <IncludeURL>jsc://URI.js</IncludeURL>
  <IncludeURL>jsc://parse-headers.js</IncludeURL>
  <IncludeURL>jsc://parse-body.js</IncludeURL>
  <ResourceURL>jsc://call-pdp.js</ResourceURL>
  <Properties>
    <Property name="pdpEndpointV5">/runtime/5.0/decisions/permit-deny</Property>
    <Property name="authorizerVersion">1.3.4</Property>
  </Properties>
</Javascript>

Connecting the Shared Flow to an API Proxy:

  1. In the left pane on the Apigee Admin console, select API Proxies.
  2. Select the API Proxy to protect.
  3. Go to the Develop tab.
  4. In Policies click Add Policy.
  5. Select the Flow Callout policy.
  6. Name it and give it a display name (e.g., FC-authz-apigee).
  7. Choose the Shared Flow from the previous step.
  8. Click Create.

Update the Policy Configuration

  1. Select the policy you just created.
  2. In the code editor, update the XML Parameters section.

XML Code for Adding a Policy to the API Proxy PreFlow:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<FlowCallout continueOnError="false" enabled="true" name="FC-3ch0-1.3.4">
  <DisplayName>FC-3ch0-1.3.4</DisplayName>
  <Parameters>
    <Parameter name="pdpUrl" value="https://acme-corp-finance.us1.plainid.io"/>
    <Parameter name="clientId" value="PQ2OUNHDCCCCQ9CDKU13"/>
    <Parameter name="clientSecret" value="vm4jMLCCCCCCsM5N9a46ATYc1InHO31W7537EEEEE"/>
    <Parameter name="authorizerId" value="CCsM5N9a46ATYc1InHO3"/>
    <Parameter name="headerKeysCaseHandling" value="uppercase"/>
    <Parameter name="headerValuesCaseHandling" value="uppercase"/>
    <Parameter name="ignoreHeadersValueTransformation" value="Authorization"/>
   <Parameter name="runtimeFineTune">{"includeIdentity": "true"}</Parameter>
  </Parameters>
  <SharedFlowBundle>3ch0-authz-1.3.4</SharedFlowBundle>
</FlowCallout>

Configuration Parameters Details

Parameter Name Description Example
pdpUrl URL of the component installed in the Platform https://acme-corp-finance.us1.plainid.io
clientId The Client ID from the corresponding environment, application, and scope in PlainID PQ2OUNHDCCCCQ9CDKU13
clientSecret The Client Secret from the corresponding environment, application, and scope in PlainID vm4jMLCCCCCCsM5N9a46ATYc1InHO31W7537EEEEE
authorizerId The Authorizer ID from the API Authorizers tab in your environment APJJIUH1BFLOWOW

Optional Header Parameters

Parameter Name Description Default Options
headerKeysCaseHandling Determines whether the authorizer should alter the header keys case. lowercase Value 1: uppercase

Value 2: lowercase
headerValuesCaseHandling Determines if changing the key name, the value, or both. preserveCase Value 1: uppercase

Value 2: lowercase

Value 3: preserveCase
ignoreHeadersValueTransformation Determines which headers to ignore when handling the case. Authorization Example: "Authorization, header1, header2"
runtimeFineTune This parameter can be leveraged to fine-tune the PDP calculation with additional supported request properties. Refer to our Authorization APIs documentation for more details on potential properties. This parameter should be passed as a JSON string with the relevant PDP properties and values. If a config key is not added, the default is an empty parameter:
"meta": {
"runtimeFineTune": {}
}		 Example 1:
{
...
"meta": {
"runtimeFineTune" : {
"includeIdentity": "true",
}
}
}

Example 2:
{"entityAttributes": {"region": ["US"]},"combinedMultiValue": true}

Adding the Policy to the PreFlow

  1. Under Proxy endpoints, select PreFlow.
  2. Click Add Policy Step.
  3. Select the Policy you created in the previous step.
  4. Click Add.
  5. Save and Deploy the changes.

Example of Modified XML Code with Added Parameters

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<FlowCallout continueOnError="false" enabled="true" name="Flow-Callout-PlainID-AuthZ">
    <DisplayName>Flow-Callout-PlainID-AuthZ</DisplayName>
    <FaultRules/>
    <Properties/>
    <SharedFlowBundle>shared-flow-plainid-authz</SharedFlowBundle>
    <Parameters>
        <Parameter name="pdpUrl" value="https://acme-financing.us1.plainid.io"/>
        <Parameter name="clientId" value="PABCDYDO123J1T36MRMU"/>
        <Parameter name="clientSecret" value="IVJqT21234wfhzqAbcdQpogn1234568zlWVveESzH"/>
        <Parameter name="headerKeysCaseHandling" value="lowercase"/>
       <Parameter name="headerValuesCaseHandling" value="preserveCase"/>
       <Parameter name="ignoreHeadersValue Transformation" value="Authorization"/>
       <Parameter name="runtimeFineTune">{"includeIdentity": "true"}</Parameter>
    </Parameters>
</FlowCallout>

Once these steps are completed, the requests to the API proxy will be authorized by PlainID through the Authorizer.

Storing Settings and Credentials

You can use the Apigee Key Value Maps to securely store different configurations/Attributes (clientSecret, clientId, etc.).