This guide walks you through installing and configuring the PlainID Apigee Authorizer, which enables policy-based authorization for your Apigee API proxies via PlainID's PDP. The process involves creating a Shared Flow, configuring it with your PDP endpoint, and connecting it to your API proxy's PreFlow.
Prerequisites
- An Apigee API proxy.
- An Apigee Environment that you can use to deploy your API proxies and Shared Flows.
- Permissions on Apigee to create and update Shared Flows, and connect them to API proxies.
- PlainID Apigee Authorizer, downloaded from the Platform.
Obtaining the Apigee Authorizer
Click here to learn how to create an Authorizer on the Platform.
Ensure that you follow these instructions closely, replace placeholder values with actual values, and verify that all the XML parameters, URLs, and other configuration details are accurate for your specific setup
Installing the Apigee Authorizer
Creating a Shared Flow
- Access the Apigee section through the Google Cloud console.
- Click on the Navigation Menu at the top left.
- Hover over Apigee and click on Shared Flows.
- Click Upload Bundle
- Select the PlainID Authorizer bundle you downloaded from the Platform.
- Click on Create.
It's recommended that you use a Shared Flow name which shares the Authorizer Name that was downloaded from the Platform for easier management.
Updating a Shared Flow
After the Shared Flow is created, the **Shared Flow Details **page appears.
- Click DEVELOP.
- Click call-pdp (under Policies).
- Update the
pdpEndpointV5property according to the following instructions:
- If using the Platform Cloud PDP:
Set thepdpEndpointV5to/api/runtime/5.0/decisions/permit-deny
- If using the PlainID Authorization Agent PDP (Customer hosted):
Set thepdpEndpointV5to/runtime/5.0/decisions/permit-deny
- If using the Platform Cloud PDP:
- Save the changes and deploy.
call-pdp.xml Samples
PDP as part of the Platform:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Javascript continueOnError="false" enabled="true" timeLimit="2000" name="call-pdp">
<DisplayName>call-pdp</DisplayName>
<IncludeURL>jsc://URI.js</IncludeURL>
<IncludeURL>jsc://parse-headers.js</IncludeURL>
<IncludeURL>jsc://parse-body.js</IncludeURL>
<ResourceURL>jsc://call-pdp.js</ResourceURL>
<Properties>
<Property name="pdpEndpointV5">/api/runtime/5.0/decisions/permit-deny</Property>
<Property name="authorizerVersion">1.3.4</Property>
</Properties>
</Javascript>
PDP as part of the PAA (Customer hosted):
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Javascript continueOnError="false" enabled="true" timeLimit="2000" name="call-pdp">
<DisplayName>call-pdp</DisplayName>
<IncludeURL>jsc://URI.js</IncludeURL>
<IncludeURL>jsc://parse-headers.js</IncludeURL>
<IncludeURL>jsc://parse-body.js</IncludeURL>
<ResourceURL>jsc://call-pdp.js</ResourceURL>
<Properties>
<Property name="pdpEndpointV5">/runtime/5.0/decisions/permit-deny</Property>
<Property name="authorizerVersion">1.3.4</Property>
</Properties>
</Javascript>
Connecting the Shared Flow to an API Proxy:
- In the left pane on the Apigee Admin console, select API Proxies.
- Select the API Proxy to protect.
- Go to the Develop tab.
- In Policies click Add Policy.
- Select the
Flow Calloutpolicy. - Name it and give it a display name (e.g., FC-authz-apigee).
- Choose the Shared Flow from the previous step.
- Click Create.
Update the Policy Configuration
- Select the policy you just created.
- In the code editor, update the XML
Parameterssection.
XML Code for Adding a Policy to the API Proxy PreFlow:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<FlowCallout continueOnError="false" enabled="true" name="FC-3ch0-1.3.4">
<DisplayName>FC-3ch0-1.3.4</DisplayName>
<Parameters>
<Parameter name="pdpUrl" value="https://acme-corp-finance.us1.plainid.io"/>
<Parameter name="clientId" value="PQ2OUNHDCCCCQ9CDKU13"/>
<Parameter name="clientSecret" value="vm4jMLCCCCCCsM5N9a46ATYc1InHO31W7537EEEEE"/>
<Parameter name="authorizerId" value="CCsM5N9a46ATYc1InHO3"/>
<Parameter name="headerKeysCaseHandling" value="uppercase"/>
<Parameter name="headerValuesCaseHandling" value="uppercase"/>
<Parameter name="ignoreHeadersValueTransformation" value="Authorization"/>
<Parameter name="runtimeFineTune">{"includeIdentity": "true"}</Parameter>
</Parameters>
<SharedFlowBundle>3ch0-authz-1.3.4</SharedFlowBundle>
</FlowCallout>
Configuration Parameters Details
| Parameter Name | Description | Example |
|---|---|---|
| pdpUrl | URL of the component installed in the Platform | https://acme-corp-finance.us1.plainid.io |
| clientId | The Client ID from the corresponding environment, application, and scope in PlainID | PQ2OUNHDCCCCQ9CDKU13 |
| clientSecret | The Client Secret from the corresponding environment, application, and scope in PlainID | vm4jMLCCCCCCsM5N9a46ATYc1InHO31W7537EEEEE |
| authorizerId | The Authorizer ID from the API Authorizers tab in your environment | APJJIUH1BFLOWOW |
Optional Header Parameters
| Parameter Name | Description | Default | Options |
|---|---|---|---|
| headerKeysCaseHandling | Determines whether the authorizer should alter the header keys case. | lowercase | Value 1: uppercase Value 2: lowercase |
| headerValuesCaseHandling | Determines if changing the key name, the value, or both. | preserveCase | Value 1: uppercase Value 2: lowercase Value 3: preserveCase |
| ignoreHeadersValueTransformation | Determines which headers to ignore when handling the case. | Authorization |
Example: "Authorization, header1, header2" |
| runtimeFineTune | This parameter can be leveraged to fine-tune the PDP calculation with additional supported request properties. Refer to our Authorization APIs documentation for more details on potential properties. This parameter should be passed as a JSON string with the relevant PDP properties and values. | If a config key is not added, the default is an empty parameter: "meta": {"runtimeFineTune": {} } |
Example 1:{ ..."meta": {"runtimeFineTune" : {"includeIdentity": "true",}}}Example 2: {"entityAttributes": {"region": ["US"]},"combinedMultiValue": true} |
JWT Propagation
Prerequisites
The Runtime Scope must have JWT response signing configured (private key, audience, expiration). Otherwise, the Runtime returns a standard JSON response and the Authorizer reverts to the standard flow.
When PROPAGATE_JWT is set to true, the Authorizer requests JWT responses from the PDP by sending accessTokenFormat: "JWT" in the request body.
The Authorizer supports both JWT wrapper responses and standard JSON responses, and automatically detects the response format. If the response contains token and code fields, the JWT flow is used and code === 200 results in an Allow decision. Otherwise, the Authorizer falls back to the standard flow using data.result === "PERMIT".
This behavior is fully backward compatible and does not affect existing integrations.
When authorization is allowed and RESPONSE_JWT_CONTEXT_KEY is configured, the JWT is added to the Apigee flow variables using the configured key, and can be referenced in downstream policies.
| Parameter Name | Description | Default | Options |
|---|---|---|---|
PROPAGATE_JWT |
Requests JWT-format responses from the PDP and propagates the JWT in the Apigee flow variables on Allow. When set to true, the Authorizer sends accessTokenFormat: "JWT" in the PDP request body. |
false |
Boolean string: true or false |
RESPONSE_JWT_CONTEXT_KEY |
Defines the key used to store the propagated JWT in the Apigee flow variables. | jwtToken |
Optional. When configured, the JWT is added to flow variables on Allow decisions and can be referenced downstream as context.getVariable(<key>). |
Adding the Policy to the PreFlow
- Under Proxy endpoints, select
PreFlow. - Click Add Policy Step.
- Select the Policy you created in the previous step.
- Click Add.
- Save and Deploy the changes.
Example of Modified XML Code with Added Parameters
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<FlowCallout continueOnError="false" enabled="true" name="Flow-Callout-PlainID-AuthZ">
<DisplayName>Flow-Callout-PlainID-AuthZ</DisplayName>
<FaultRules/>
<Properties/>
<SharedFlowBundle>shared-flow-plainid-authz</SharedFlowBundle>
<Parameters>
<Parameter name="pdpUrl" value="https://acme-financing.us1.plainid.io"/>
<Parameter name="clientId" value="PABCDYDO123J1T36MRMU"/>
<Parameter name="clientSecret" value="IVJqT21234wfhzqAbcdQpogn1234568zlWVveESzH"/>
<Parameter name="headerKeysCaseHandling" value="lowercase"/>
<Parameter name="headerValuesCaseHandling" value="preserveCase"/>
<Parameter name="ignoreHeadersValueTransformation" value="Authorization"/>
<Parameter name="runtimeFineTune">{"includeIdentity": "true"}</Parameter>
<Parameter name="PROPAGATE_JWT" value="true"/>
<Parameter name="RESPONSE_JWT_CONTEXT_KEY" value="jwtToken"/>
</Parameters>
</FlowCallout>
Once these steps are completed, the requests to the API proxy will be authorized by PlainID through the Authorizer.
Storing Settings and Credentials
You can use the Apigee Key Value Maps to securely store different configurations/Attributes (clientSecret, clientId, etc.).