Contents x
      Installation
      • 01 Sep 2024
      • 3 Minutes to read
      • Print
      • Dark
        Light
      • PDF
      Contents

      Installation

      • Updated on 01 Sep 2024
      • 3 Minutes to read
      • Print
      • Dark
        Light
      • PDF
      Article summary

      Prerequisites

      • An Apigee API proxy.
      • An Apigee Environment that you can use to deploy your API proxies and Shared Flows.
      • Permissions on Apigee to create and update Shared Flows, and connect them to API proxies.
      • PlainID Apigee Authorizer, downloaded from the Platform.

      Obtaining the Apigee Authorizer

      Click here to learn how to create an Authorizer on the Platform.

      Important

      Ensure that you follow these instructions closely, replace placeholder values with actual values, and verify that all the XML parameters, URLs, and other configuration details are accurate for your specific setup

      Installing the Apigee Authorizer

      Creating a Shared Flow

      1. Access the Apigee section through the Google Cloud console.
      2. Click on the Navigation Menu at the top left.
      3. Hover over Apigee and click on Shared Flows.
      4. Click Upload Bundle
      5. Select the PlainID Authorizer bundle you downloaded from the Platform.
      6. Click on Create.

      It's recommended that you use a Shared Flow name which shares the Authorizer Name that was downloaded from the Platform for easier management.

      Updating a Shared Flow

      After the Shared Flow is created, the **Shared Flow Details **page appears.

      1. Click DEVELOP.
      2. Click call-pdp (under Policies).
      3. Update the pdpEndpointV5 property according to the following instructions:
         
        • If using the Platform Cloud PDP:
          Set the pdpEndpointV5 to /api/runtime/5.0/decisions/permit-deny

        • If using the PlainID Authorization Agent PDP (Customer hosted):
          Set the pdpEndpointV5 to /runtime/5.0/decisions/permit-deny
      4. Save the changes and deploy.

      call-pdp.xml Samples

      PDP as part of the Platform:

      <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Javascript continueOnError="false" enabled="true" timeLimit="2000" name="call-pdp">
  <DisplayName>call-pdp</DisplayName>
  <IncludeURL>jsc://URI.js</IncludeURL>
  <IncludeURL>jsc://parse-headers.js</IncludeURL>
  <IncludeURL>jsc://parse-body.js</IncludeURL>
  <ResourceURL>jsc://call-pdp.js</ResourceURL>
  <Properties>
    <Property name="pdpEndpointV5">/api/runtime/5.0/decisions/permit-deny</Property>
    <Property name="authorizerVersion">1.3.4</Property>
  </Properties>
</Javascript>

       
      PDP as part of the PAA (Customer hosted):

      <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Javascript continueOnError="false" enabled="true" timeLimit="2000" name="call-pdp">
  <DisplayName>call-pdp</DisplayName>
  <IncludeURL>jsc://URI.js</IncludeURL>
  <IncludeURL>jsc://parse-headers.js</IncludeURL>
  <IncludeURL>jsc://parse-body.js</IncludeURL>
  <ResourceURL>jsc://call-pdp.js</ResourceURL>
  <Properties>
    <Property name="pdpEndpointV5">/runtime/5.0/decisions/permit-deny</Property>
    <Property name="authorizerVersion">1.3.4</Property>
  </Properties>
</Javascript>

      Connecting the Shared Flow to an API Proxy:

      1. In the left pane on the Apigee Admin console, select API Proxies.
      2. Select the API Proxy to protect.
      3. Go to the Develop tab.
      4. In Policies click Add Policy.
      5. Select the Flow Callout policy.
      6. Name it and give it a display name (e.g., FC-authz-apigee).
      7. Choose the Shared Flow from the previous step.
      8. Click Create.

      Update the Policy Configuration

      1. Select the policy you just created.
      2. In the code editor, update the XML Parameters section.

      XML Code for Adding a Policy to the API Proxy PreFlow:

      <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<FlowCallout continueOnError="false" enabled="true" name="FC-3ch0-1.3.4">
  <DisplayName>FC-3ch0-1.3.4</DisplayName>
  <Parameters>
    <Parameter name="pdpUrl" value="https://acme-corp-finance.us1.plainid.io"/>
    <Parameter name="clientId" value="PQ2OUNHDCCCCQ9CDKU13"/>
    <Parameter name="clientSecret" value="vm4jMLCCCCCCsM5N9a46ATYc1InHO31W7537EEEEE"/>
    <Parameter name="authorizerId" value="CCsM5N9a46ATYc1InHO3"/>
    <Parameter name="headerKeysCaseHandling" value="uppercase"/>
    <Parameter name="headerValuesCaseHandling" value="uppercase"/>
    <Parameter name="ignoreHeadersValueTransformation" value="Authorization"/>
   <Parameter name="runtimeFineTune">{"includeIdentity": "true"}</Parameter>
  </Parameters>
  <SharedFlowBundle>3ch0-authz-1.3.4</SharedFlowBundle>
</FlowCallout>

      Configuration Parameters Details

      Parameter NameDescriptionExample
      pdpUrlURL of the component installed in the Platformhttps://acme-corp-finance.us1.plainid.io
      clientIdThe Client ID from the corresponding environment, application, and scope in PlainIDPQ2OUNHDCCCCQ9CDKU13
      clientSecretThe Client Secret from the corresponding environment, application, and scope in PlainIDvm4jMLCCCCCCsM5N9a46ATYc1InHO31W7537EEEEE
      authorizerIdThe Authorizer ID from the API Authorizers tab in your environmentAPJJIUH1BFLOWOW

      Optional Header Parameters

      Parameter NameDescriptionDefaultOptions
      headerKeysCaseHandlingDetermines whether the authorizer should alter the header keys case.lowercaseValue 1: uppercase

      Value 2: lowercase
      headerValuesCaseHandlingDetermines if changing the key name, the value, or both.preserveCaseValue 1: uppercase

      Value 2: lowercase

      Value 3: preserveCase
      ignoreHeadersValueTransformationDetermines which headers to ignore when handling the case.AuthorizationExample: "Authorization, header1, header2"
      runtimeFineTuneThis parameter can be leveraged to fine-tune the PDP calculation with additional supported request properties. Refer to our Authorization APIs documentation for more details on potential properties. This parameter should be passed as a JSON string with the relevant PDP properties and values.If a config key is not added, the default is an empty parameter:
      "meta": {
      "runtimeFineTune": {}
      }      		Example 1:
      {
      ...
      "meta": {
      "runtimeFineTune" : {
      "includeIdentity": "true",
      }
      }
      }

      Example 2:
      {"entityAttributes": {"region": ["US"]},"combinedMultiValue": true}

      Adding the Policy to the PreFlow

      1. Under Proxy endpoints, select PreFlow.
      2. Click Add Policy Step.
      3. Select the Policy you created in the previous step.
      4. Click Add.
      5. Save and Deploy the changes.

      Example of Modified XML Code with Added Parameters

      <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<FlowCallout continueOnError="false" enabled="true" name="Flow-Callout-PlainID-AuthZ">
    <DisplayName>Flow-Callout-PlainID-AuthZ</DisplayName>
    <FaultRules/>
    <Properties/>
    <SharedFlowBundle>shared-flow-plainid-authz</SharedFlowBundle>
    <Parameters>
        <Parameter name="pdpUrl" value="https://acme-financing.us1.plainid.io"/>
        <Parameter name="clientId" value="PABCDYDO123J1T36MRMU"/>
        <Parameter name="clientSecret" value="IVJqT21234wfhzqAbcdQpogn1234568zlWVveESzH"/>
        <Parameter name="headerKeysCaseHandling" value="lowercase"/>
       <Parameter name="headerValuesCaseHandling" value="preserveCase"/>
       <Parameter name="ignoreHeadersValue Transformation" value="Authorization"/>
       <Parameter name="runtimeFineTune">{"includeIdentity": "true"}</Parameter>
    </Parameters>
</FlowCallout>

      Once these steps are completed, the requests to the API proxy will be authorized by PlainID through the Authorizer.

      Storing Settings and Credentials

      You can use the Apigee Key Value Maps to securely store different configurations/Attributes (clientSecret, clientId, etc.).

      Was this article helpful?
      What's Next