Last-mile security

This page applies to Apigee and Apigee hybrid.


Last-mile security protects the backend services that are proxied by API Services. The primary goal of last-mile security is to prevent so-called "end-run" attacks, where an app developer discovers the URL for a backend service and bypasses any API proxies to directly hit the backend URL.

Following are the primary options for setting up last-mile security:

  • Client TLS/SSL
  • Outbound authentication

Client TLS/SSL

The primary mechanism for securing the last mile is client TLS/SSL, also known as "mutual authentication": the API proxy presents a client certificate that the backend verifies before accepting the connection.

See Options for configuring TLS.

Outbound authentication

Last-mile security can also be enforced by requiring the API proxy to present a credential to the backend service.

For example, you may wish to have an API proxy present an API key to your backend service. You could also have an API proxy obtain and present an OAuth client credentials access token.

API key

API keys can be applied to outbound requests from API proxies to backend services. This assumes that the backend service is an API that is capable of issuing and validating API keys.

If you set up an API proxy to present an API key on outbound requests, you must store the API key in a place where the API proxy can retrieve it at runtime. One location available for storing API keys is a key/value map. See Key Value Map Operations policy.

You can use the AssignMessage policy type to add the API key as an HTTP header, query parameter, or payload element to the outbound request. See Assign Message policy.

OAuth client credentials

OAuth client credentials can be used to add a layer of revocability to API keys. If your backend services support OAuth client credentials, you can configure an API proxy to present a client credentials access token for each request.

The API proxy must be configured to perform a callout to obtain the access token from your token endpoint. The API proxy is also required to cache the access token, to prevent it from obtaining a new access token for each call.

A number of approaches can be used to implement outbound client credentials.

You can modify this sample to call your token endpoint to obtain an access token. This sample uses JavaScript to attach the token to the outbound request as an HTTP Authorization header. You could also use the Assign Message policy for this purpose.
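The callout-and-cache behaviour described above, as an added example that is not the page's sample and not Apigee's code: the token endpoint is replaced by a constructed stub and the clock is injected, so the refresh-before-expiry and invalidate-on-rejection logic runs offline. In a real proxy the `fetchToken` callback would be the callout to your token endpoint, and the cached token would live in the proxy's cache rather than in a closure.

```javascript
// Added example: client-credentials token cache for an API proxy's outbound calls.
// Refreshes the token shortly before it expires instead of hitting the token
// endpoint on every request; `fetchToken` and `now` are injected (assumptions).
function createTokenCache(fetchToken, options = {}) {
  // Refresh this many seconds early so a token is never sent on the edge of expiry.
  const refreshMarginSec = 'refreshMarginSec' in options ? options.refreshMarginSec : 30;
  const now = options.now || (() => Math.floor(Date.now() / 1000)); // epoch seconds
  let cached = null; // { token, expiresAt }
  let fetches = 0;

  return {
    // Return a usable token, calling the token endpoint only when needed.
    getToken() {
      if (cached && now() < cached.expiresAt - refreshMarginSec) return cached.token;
      const resp = fetchToken(); // hypothetical POST /token, grant_type=client_credentials
      if (!resp || typeof resp.access_token !== 'string' || !(resp.expires_in > 0)) {
        throw new Error('token endpoint returned an unusable response');
      }
      fetches += 1;
      cached = { token: resp.access_token, expiresAt: now() + resp.expires_in };
      return cached.token;
    },
    // Drop the cached token, e.g. after the backend answers 401 (token revoked).
    invalidate() { cached = null; },
    // Token goes in the Authorization header, never in a query string or log line.
    authorizationHeader() { return { Authorization: 'Bearer ' + this.getToken() }; },
    fetchCount() { return fetches; },
  };
}

// Constructed stand-in for a token endpoint: a fresh token per call, 300 s lifetime.
function makeFakeTokenEndpoint() {
  let issued = 0;
  return () => { issued += 1; return { access_token: 'tok-' + issued, token_type: 'Bearer', expires_in: 300 }; };
}

// Simulated run of outbound calls against a controllable clock.
function demo() {
  let clock = 1000000;
  const cache = createTokenCache(makeFakeTokenEndpoint(), { now: () => clock, refreshMarginSec: 30 });
  const first = cache.authorizationHeader().Authorization;  // fetches tok-1
  const second = cache.authorizationHeader().Authorization; // served from cache
  clock += 280;                                             // 20 s left, inside the 30 s margin
  const third = cache.authorizationHeader().Authorization;  // refreshed to tok-2
  cache.invalidate();                                       // backend rejected the token
  const fourth = cache.authorizationHeader().Authorization; // forced refresh to tok-3
  return { first, second, third, fourth, fetches: cache.fetchCount() };
}
```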

SAML

The GenerateSAMLAssertion policy type can be used to attach a SAML assertion to an outbound XML request message, from the API proxy to a backend service. This enables the backend service to perform authentication and authorization on requests received from API proxies.

See SAML Assertion policies.