Tags: rest, authentication, authorization, api-gateway, apigee

apigee gateway, authn and authz: REST API calls another REST API


We are using apigee API gateway and exposing a REST endpoint. We understand apigee supports various options for securing the endpoint.

Our use case is that this REST endpoint should call another REST API provided by a software vendor. The software vendor has its own authentication and authorisation mechanism. Basically, they have a users-and-roles concept.

My question is: what is the best practice in this case? Should we do authn and authz at the gateway level, at the vendor REST API level, or both?

In any case, there is no escaping authn and authz at vendor REST API level.

Please suggest. Thank you.


Solution

  • In your case it first depends on whether you are simply presenting a proxy in front of the vendor API, or if your own API provides distinctive services and the vendor's API is only one of perhaps several "call outs" your middleware makes to offer its overall value. Another way to look at it is to ask: are the customers of your API endpoint uniquely your customers, or are they really just customers of the vendor's underlying API? You might choose to use your own layer of API client AuthN/AuthZ if this is uniquely your own API 'product', or you may choose to pass through credentials directly to the vendor API if your endpoint is really just a thin and light abstraction. Net-net, it depends on your end-to-end use case.
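As an added sketch of the first option the answer describes (your own client AuthN/AuthZ layer in Apigee, with the vendor API as a call-out), not code from the question or answer: the client-facing flow verifies your own API key, and the target-facing flow swaps that key for a vendor credential held in an encrypted KVM, so callers never hold vendor credentials and the vendor still enforces its own users and roles on the service account. Policy names, the KVM name and key, the base path and the vendor URL are constructed placeholders.

```xml
<!-- ProxyEndpoint (apiproxy/proxies/default.xml): authenticate YOUR client
     before anything reaches the vendor. Policy and KVM names are constructed. -->
<ProxyEndpoint name="default">
  <PreFlow name="PreFlow">
    <Request>
      <Step><Name>Verify-API-Key</Name></Step>
      <Step><Name>Get-Vendor-Credential</Name></Step>
    </Request>
  </PreFlow>
  <HTTPProxyConnection><BasePath>/v1/orders</BasePath></HTTPProxyConnection>
  <RouteRule name="default"><TargetEndpoint>default</TargetEndpoint></RouteRule>
</ProxyEndpoint>

<!-- Policy: Verify-API-Key. Rejects callers without a key issued through your
     developer portal and populates verifyapikey.* variables (app, API products). -->
<VerifyAPIKey name="Verify-API-Key">
  <APIKey ref="request.header.x-api-key"/>
</VerifyAPIKey>

<!-- Policy: Get-Vendor-Credential. Reads the vendor service credential from an
     encrypted KVM into a private.* variable so it is masked in trace and logs. -->
<KeyValueMapOperations name="Get-Vendor-Credential" mapIdentifier="vendor-creds">
  <Scope>environment</Scope>
  <Get assignTo="private.vendor_token">
    <Key><Parameter>service_token</Parameter></Key>
  </Get>
</KeyValueMapOperations>

<!-- TargetEndpoint (apiproxy/targets/default.xml): exchange the client's
     credential for the vendor's before the call-out leaves the gateway. -->
<TargetEndpoint name="default">
  <PreFlow name="PreFlow">
    <Request>
      <Step><Name>Set-Vendor-Auth</Name></Step>
    </Request>
  </PreFlow>
  <HTTPTargetConnection><URL>https://vendor.example/api</URL></HTTPTargetConnection>
</TargetEndpoint>

<!-- Policy: Set-Vendor-Auth. Strips the caller's own key and attaches the vendor
     credential. For the thin pass-through variant the answer mentions, drop this
     policy and the KVM lookup so the caller's Authorization header reaches the
     vendor unchanged and the vendor alone does AuthN/AuthZ. -->
<AssignMessage name="Set-Vendor-Auth">
  <Remove><Headers><Header name="x-api-key"/></Headers></Remove>
  <Set><Headers><Header name="Authorization">Bearer {private.vendor_token}</Header></Headers></Set>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>
```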