0

I'm trying to implement a way to restrict the usage of a token only once. After its first use, you must not be able to use it alright by tagging the token on its state with UsedAlready tag and Unused if its not yet used. How do I do that in apigee?. Currently I have the following condition to determine whether if the Token is used already or not.

 <Step>
    <Condition>(request.queryparam.state NotEquals accesstoken.state)</Condition>
    <Name>RF-TokenAlreadyUsed</Name>
</Step>

Looking on my Tracetool though, apigee is throwing out that my accesstoken.state doesn't contain anything, why is that though?. My API proxy and policy for saving a default state on token creation seems to work fine anyway.

PS: Also I did the almost the same thing but using a non existing variable instead using the attribute to associate a token to a particular account. But doing the same thing with state with what I did with an attribute doesnt work. What am I doing wrong though?, am I using the state parameter of apigee right? , cuz state parameter is an optional parameter like scope and I want to make use of the state for token accesibility.

iamjoshua
  • 1,157
  • 3
  • 16
  • 33

3 Answers3

0

Turns out I was using the state wrong. A state should function like this as stated in this thread.

So in order for me to be able to do what I want to do is that I should add another attribute to the token so that I would know if the token is already used or not. It's not that I havent done a similar thing before using an attribute, rather I thought the use of state is for token accessibility.

iamjoshua
  • 1,157
  • 3
  • 16
  • 33
0

Can you explain me why are you more worried about the token state? Until unless you store the token in cache, you will get a new token for your every request. And you have a built-in policy in APIGEE that validates your token.

Even if you are storing the token in cache, you can set the expiry time for your token.

More over, the cache is used to reduce the traffic and reuse the token.

So I couldn't understand your objective, can you explain more.

user2462133
  • 64
  • 3
  • 7
0

@user2462133

To answer your question.

We want the token1 to be valid only only once and after that be invalid for next payment alright . But this token1 will be used for generating a new token2 to access the payment API again as the previously made token is for binding the account on first use. This new token2 will then have another state which will only be valid only once and after successful transaction, it will not be valid for another transaction again even if the token is not yet expired. For another payment, token1 will be called again and check if its still a valid token, and if so, create another token2 for another payment. But if this token1 is already expired. Then the user would have to bind his account again to our service by loggin in to his account (i.e facebook), do the OTP, etc. To be able to gain another token1 that will then only be used once for payment but multiple times for validating whether if the account is binded to our service or not.

iamjoshua
  • 1,157
  • 3
  • 16
  • 33