├── .gitignore
├── LICENSE
├── README.md
└── SecurityJam
    ├── Lab 1 Traffic Management - Throttle APIs
    │   ├── README.md
    │   ├── apiproxy
    │   │   └── Mock-Target-API.zip
    │   └── media
    │       ├── image_0.png
    │       ├── image_1.png
    │       ├── image_10.png
    │       ├── image_11.png
    │       ├── image_12.png
    │       ├── image_13.png
    │       ├── image_14.png
    │       ├── image_15.png
    │       ├── image_2.png
    │       ├── image_3.png
    │       ├── image_4.png
    │       ├── image_5.png
    │       ├── image_6.png
    │       ├── image_7.png
    │       ├── image_8.png
    │       └── image_9.png
    ├── Lab 2 - Threat Protection
    │   ├── README.md
    │   └── media
    │       ├── add-json-header.png
    │       ├── add-policy.png
    │       ├── add-regular-expression-protection-policy.png
    │       ├── add-xml-header.png
    │       ├── add-xml-threat-policy.png
    │       ├── error-response-reg-exp-trace.png
    │       ├── error-response-trace.png
    │       ├── error-response-xml-threat-trace.png
    │       ├── error-response-xml-threat.png
    │       ├── error-response.png
    │       ├── image_5.png
    │       ├── image_9.png
    │       ├── save-changes-2.png
    │       ├── save-changes.png
    │       ├── select-flow-for-policy.png
    │       ├── select-ip-flow-for-reg-exp.png
    │       ├── select-json-flow-for-policy.png
    │       ├── select-policy-config.png
    │       ├── select-regular-expression-protection-policy.png
    │       ├── select-xml-threat-policy-config.png
    │       ├── send-sql-injection.png
    │       ├── sql-injection-blocked.png
    │       ├── start-trace.png
    │       ├── start-tracev2.png
    │       ├── success-response-trace.png
    │       ├── success-response-xml-threat-trace.png
    │       ├── success-response-xml-threat.png
    │       ├── success-response.png
    │       └── test-sql-injection.png
    ├── Lab 3 - Securing APIs with OAuth2 Client Credentials
    │   ├── README.md
    │   ├── media
    │   │   ├── image_0.png
    │   │   ├── image_1.png
    │   │   ├── image_10.png
    │   │   ├── image_11.png
    │   │   ├── image_12.png
    │   │   ├── image_13.png
    │   │   ├── image_14.png
    │   │   ├── image_15.png
    │   │   ├── image_16.png
    │   │   ├── image_16a.png
    │   │   ├── image_16b.png
    │   │   ├── image_16c.png
    │   │   ├── image_17.png
    │   │   ├── image_18.png
    │   │   ├── image_19.png
    │   │   ├── image_2.png
    │   │   ├── image_20.png
    │   │   ├── image_21.png
    │   │   ├── image_22.png
    │   │   ├── image_22a.png
    │   │   ├── image_22b.png
    │   │   ├── image_22c.png
    │   │   ├── image_23.png
    │   │   ├── image_24.png
    │   │   ├── image_25.png
    │   │   ├── image_3.png
    │   │   ├── image_4.png
    │   │   ├── image_5.png
    │   │   ├── image_6.png
    │   │   ├── image_7.png
    │   │   ├── image_8.png
    │   │   └── image_9.png
    │   └── oauth.zip
    ├── Lab 4 - JWT
    │   ├── JWT.zip
    │   ├── Readme.md
    │   └── media
    │       ├── image_0.png
    │       ├── image_1.png
    │       ├── image_10.png
    │       ├── image_11.png
    │       ├── image_2.png
    │       ├── image_3.png
    │       ├── image_3a.png
    │       ├── image_3b.png
    │       ├── image_3c.png
    │       ├── image_4.png
    │       ├── image_5.png
    │       ├── image_6.png
    │       ├── image_7.png
    │       ├── image_8.png
    │       └── image_9.png
    ├── Lab 5 - External OAuth Token using Okta
    │   ├── README.md
    │   ├── media
    │   │   ├── AddAPIProduct.png
    │   │   ├── AddAPIProductDetails.png
    │   │   ├── AddApp.png
    │   │   ├── AddAppDetails.png
    │   │   ├── AddDeveloper.png
    │   │   ├── AddDeveloperDetails.png
    │   │   ├── AddOAuthPolicy.png
    │   │   ├── AddOktaIntegrationOAuthProxy-OrgDefaultTeam.png
    │   │   ├── AddOktaIntegrationOAuthProxy-ProxyAddWizardOption.png
    │   │   ├── AddProxy.png
    │   │   ├── AddStep.png
    │   │   ├── BuildProxyBundle.png
    │   │   ├── ChooseProxyBundle.png
    │   │   ├── DeployProxyBundle.png
    │   │   ├── DeployProxyBundleConfirm.png
    │   │   ├── Develop-APIProxies.png
    │   │   ├── OAuthPolicyConfig.png
    │   │   ├── Okta-User-Created.png
    │   │   ├── ProxyBundleOption.png
    │   │   ├── ProxyDevelopTab.png
    │   │   ├── Publish-APIProducts.png
    │   │   ├── Publish-Apps.png
    │   │   ├── Publish-Developers.png
    │   │   ├── RESTClient-OAuthRequest1.png
    │   │   ├── RESTClient-OAuthRequest2.png
    │   │   ├── RESTClient-OAuthResponse.png
    │   │   ├── RESTClient-Okta-User-API-Request1.png
    │   │   ├── RESTClient-Okta-User-API-Request2.png
    │   │   ├── RESTClient-Okta-User-API-Response.png
    │   │   ├── RESTClient-ProxyResponse.png
    │   │   ├── RESTClient-ProxyResponseSuccess.png
    │   │   ├── SaveProxy.png
    │   │   ├── SearchAPIProxy.png
    │   │   ├── SearchApp.png
    │   │   ├── SelectClientCreds.png
    │   │   ├── SelectPreFlow.png
    │   │   ├── StartTraceOAuthProxy.png
    │   │   ├── StartTraceProxy.png
    │   │   ├── TraceResultOAuthProxy.png
    │   │   ├── ViewProxyBundle.png
    │   │   ├── image_14.png
    │   │   ├── image_15.png
    │   │   ├── image_16.png
    │   │   ├── image_17.png
    │   │   ├── image_18.png
    │   │   ├── image_19.png
    │   │   ├── image_20.png
    │   │   ├── image_21.png
    │   │   ├── image_22.png
    │   │   ├── image_23.png
    │   │   └── password-grant-flow-diagram.png
    │   └── resources
    │       └── oauth-okta-integration.zip
    ├── Links.txt
    ├── README.md
    └── README.org

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
.DS_Store
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/

   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

   1. Definitions.

      "License" shall mean the terms and conditions for use, reproduction,
      and distribution as defined by Sections 1 through 9 of this document.

      "Licensor" shall mean the copyright owner or entity authorized by
      the copyright owner that is granting the License.

      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.

      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.

      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.

      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.
      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).

      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.

      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."

      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by Licensor and
      subsequently incorporated within the Work.

   2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.

   3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.

   4. Redistribution. You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:

      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and

      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and

      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and

      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding those notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.

      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.

   5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.

   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.

   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.

   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.

   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.

   END OF TERMS AND CONDITIONS

   APPENDIX: How to apply the Apache License to your work.

      To apply the Apache License to your work, attach the following
      boilerplate notice, with the fields enclosed by brackets "[]"
      replaced with your own identifying information. (Don't include
      the brackets!)  The text should be enclosed in the appropriate
      comment syntax for the file format.
      We also recommend that a
      file or class name and description of purpose be included on the
      same "printed page" as the copyright notice for easier
      identification within third-party archives.

   Copyright [yyyy] [name of copyright owner]

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at

       http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# AdvancedVirtualAPIJam
Repository for Apigee's Advanced Virtual API Jam Content
--------------------------------------------------------------------------------
/SecurityJam/Lab 1 Traffic Management - Throttle APIs/README.md:
--------------------------------------------------------------------------------
# Security : Throttle APIs

*Duration : 10 mins*

*Persona : API Team / Security*

# Use case

You have an existing Apigee API proxy that takes requests from the Internet and forwards them to an existing service. You have a requirement to protect your target servers (backend) from traffic spikes. You would like to protect your APIs from denial of service attacks that might lead to performance lags or downtime of your backend.

# How can Apigee Edge help?

By exposing an API through Apigee Edge, you gain the ability to modify and monitor its behavior using out-of-the-box policies.
Edge's out-of-the-box policies enable you to enhance your API with sophisticated features to control traffic, enhance performance, enforce security, and increase the utility of your APIs, without requiring you to write any code or to modify any backend services. Extension policies enable you to implement custom logic in the form of JavaScript, Python, Java, and XSLT.

In this lab we will see how to use an out-of-the-box traffic management policy, "Spike Arrest", to protect against traffic spikes. A Spike Arrest policy can throttle the number of requests processed by an API proxy and sent to a backend, protecting against performance lags and downtime.

# Pre-requisites

* Basic understanding of [OpenAPI Specification](https://github.com/OAI/OpenAPI-Specification) (Swagger)
* Completed a previous [Virtual API Jam](https://github.com/rmistry75/devjam3/tree/master/Labs/VirtualAPIJam) or have the equivalent knowledge. Alternatively, go through the ["Getting started guide"](https://docs.apigee.com/api-platform/get-started/get-started) in the Apigee Docs site.

# Instructions

## Deploy an API Proxy

1. An initial Apigee API proxy has been created for you. Download the API proxy [here](https://github.com/aliceinapiland/AdvancedVirtualAPIJam/blob/master/SecurityJam/Lab%201%20Traffic%20Management%20-%20Throttle%20APIs/apiproxy/Mock-Target-API.zip?raw=true).

2. Go to [https://apigee.com/edge](https://apigee.com/edge) and log in. This is the Edge management UI.

3. Select **Develop → API Proxies** in the side navigation menu.

![image alt text](./media/image_0.png)

4. Click the **+Proxy** button on the top-right corner to invoke the Create Proxy wizard.

![image alt text](./media/image_1.png)

5. Select **Proxy Bundle** and then click **Next** to import an existing proxy from a zip archive.

![image alt text](./media/image_2.png)

6. Click on **Choose File**, select the **Mock-Target-API.zip** that you downloaded in step 1, and click **Next**.

![image alt text](./media/image_3.png)

7. Click on **Build** to upload the proxy.

![image alt text](./media/image_4.png)

8. Verify the proxy was uploaded by selecting **Develop → API Proxies** in the side navigation menu.

![image alt text](./media/image_0.png)

* You should see the new **Mock-Target-API** proxy listed.

![image alt text](./media/image_5.png)

* Click on the **Mock-Target-API** proxy. Then click on **Deployment** and select the **test** environment to deploy the proxy to the test environment.

![image alt text](./media/image_6.png)

9. Verify that the proxy has been successfully deployed.

* Click on the Trace tab on the upper right corner.

![image alt text](./media/image_7.png)

* Click on the **Start Trace Session** button and then click on the **Send** button to send traffic to your new proxy. You should see transactions appear on the left hand pane as requests are sent to your proxy.

![image alt text](./media/image_8.png)

You have successfully deployed an API proxy that fronts a service. Let us now add rate limiting to this proxy to protect the backend from denial of service attacks.

## Add Rate Limiting to the API Proxy
1. Select **Develop → API Proxies** in the side navigation menu.

![image alt text](./media/image_0.png)

2. Click on the **Mock-Target-API** proxy that you created earlier.

![image alt text](./media/image_5.png)

3. Click on the **Develop** tab to access the API Proxy development dashboard.

![image alt text](./media/image_9.png)

4. Click on **PreFlow** under Proxy Endpoints default, and then click on **+Step** on the upper right of the Request flow to attach a Spike Arrest policy.

![image alt text](./media/image_10.png)

5. Select **Spike Arrest Policy**. Click on the **Add** button to add the Spike Arrest policy to the proxy endpoint PreFlow request.

![image alt text](./media/image_11.png)

6. Note the Spike Arrest policy icon on top of the request flow that shows exactly where the policy is attached. Select the policy to display the policy's XML configuration in the editor.

![image alt text](./media/image_12.png)

7. Change the policy XML configuration to the snippet below to enforce a rate of 12 requests per minute. (The element names are those of the standard Apigee SpikeArrest policy; the `name` attribute is the one the editor generates from the display name.)
```
<SpikeArrest async="false" continueOnError="false" enabled="true" name="Spike-Arrest-1">
    <DisplayName>Spike Arrest-1</DisplayName>
    <Properties/>
    <Rate>12pm</Rate>
    <UseEffectiveCount>true</UseEffectiveCount>
</SpikeArrest>
```

Think of Spike Arrest as a way to generally protect against traffic spikes rather than as a way to limit traffic to a specific number of requests. Your APIs and backend can handle a certain amount of traffic, and the Spike Arrest policy helps you smooth traffic to the general amounts you want.

The runtime Spike Arrest behavior differs from what you might expect to see from the literal per-minute or per-second values you enter.

For example, say you enter a rate of 6pm (6 requests per minute). In testing, you might think you could send 6 requests in 1 second, as long as they came within a minute. But that's not how the policy enforces the setting. If you think about it, 6 requests inside a 1-second period could be considered a mini spike in some environments.

What actually happens, then? To prevent spike-like behavior, Spike Arrest smooths the number of full requests allowed by dividing your settings into smaller intervals:

* **Per-minute** rates get smoothed into full requests allowed in intervals of **seconds**. For example, 6pm gets smoothed like this: 60 seconds (1 minute) / 6pm = 10-second intervals, or 1 request allowed every 10 seconds. A second request inside of 10 seconds will fail. Also, a 7th request within a minute will fail.

* **Per-second** rates get smoothed into full requests allowed in intervals of **milliseconds**. For example, 10ps gets smoothed like this: 1000 milliseconds (1 second) / 10ps = 100-millisecond intervals, or 1 request allowed every 100 milliseconds. A second request inside of 100ms will fail. Also, an 11th request within a second will fail.

8. Click on **Save** to save the API Proxy changes.

![image alt text](./media/image_13.png)

*Congratulations!*...You have now secured your backend against denial of service attacks, performance lags or downtime of target servers.

## Test the Spike Arrest

1. Let us test the updated API proxy using the Trace Console. Click on the **Trace** tab.

![image alt text](./media/image_7.png)

2. Click on **Start Trace Session** to see the API proxy with Spike Arrest in action.

![image alt text](./media/image_14.png)

3. Click the **Send** button multiple times. You will see a 500 or 429 response code when the Spike Arrest policy kicks in to protect the target servers from the spike in traffic.

![image alt text](./media/image_15.png)

4. You might notice that the number of requests with a 200 response is higher than the configured Spike Arrest rate. This is because policies execute on multiple message processors, and each message processor keeps its own counter.

# Lab Video

If you like to learn by watching, here is a short video on using the Spike Arrest policy.
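The interval arithmetic under step 7 and the per-message-processor counters mentioned in the test section can be checked with a small model. The Python below is an added example, not code from this lab or from Apigee: the names `interval_ms`, `SpikeArrestModel` and `simulate` are hypothetical, the request timings are constructed, and the model reproduces only the documented "one request per interval" behaviour (it does not model `UseEffectiveCount` or the real policy implementation). Rejections are reported as 429, one of the two status codes the lab says you may see.

```python
"""Model of how a Spike Arrest <Rate> is smoothed into fixed intervals.

Added example for the lab text; not code from the lab or from Apigee.
All function and class names are hypothetical, and the traffic samples in
__main__ are constructed to match the numbers used in the lab.
"""
import re
from typing import List, Optional

_RATE_RE = re.compile(r"^(\d+)(pm|ps)$")


def interval_ms(rate: str) -> int:
    """Convert a <Rate> value such as '12pm' or '10ps' into the minimum spacing
    between two accepted requests, in milliseconds. Per-minute rates divide a
    60 000 ms window, per-second rates divide a 1 000 ms window, exactly as the
    lab's 6pm -> 10 s and 10ps -> 100 ms examples describe."""
    m = _RATE_RE.match(rate.strip())
    if not m:
        raise ValueError(f"unsupported Rate value: {rate!r}")
    count, unit = int(m.group(1)), m.group(2)
    if count == 0:
        raise ValueError("Rate must be greater than zero")
    window_ms = 60_000 if unit == "pm" else 1_000
    return window_ms // count


class SpikeArrestModel:
    """One message processor's view of the policy: a request is accepted only
    if at least one interval has elapsed since the last accepted request."""

    def __init__(self, rate: str) -> None:
        self.interval = interval_ms(rate)
        self.last_accepted_ms: Optional[int] = None

    def allow(self, now_ms: int) -> bool:
        if self.last_accepted_ms is None or now_ms - self.last_accepted_ms >= self.interval:
            self.last_accepted_ms = now_ms
            return True
        return False


def simulate(rate: str, arrivals_ms: List[int], processors: int = 1) -> List[int]:
    """Return the status the proxy would answer for each arrival: 200 when the
    request passes, 429 when Spike Arrest rejects it. With processors > 1 the
    arrivals are spread round-robin over independent models, which is the
    'each message processor has its own counter' effect noted in the lab.
    (Simplification: UseEffectiveCount is not modelled.)"""
    models = [SpikeArrestModel(rate) for _ in range(max(1, processors))]
    statuses = []
    for i, t in enumerate(sorted(arrivals_ms)):
        statuses.append(200 if models[i % len(models)].allow(t) else 429)
    return statuses


if __name__ == "__main__":
    # Constructed traffic: one request per second for a minute against the
    # lab's 12pm setting (one request allowed every 5 s).
    one_per_second = list(range(0, 60_000, 1_000))
    print("interval for 12pm:", interval_ms("12pm"), "ms")
    print("accepted on 1 message processor:",
          simulate("12pm", one_per_second).count(200))
    print("accepted on 2 message processors:",
          simulate("12pm", one_per_second, processors=2).count(200))
    # The 6pm example from the text: a second request inside 10 s fails.
    print("6pm at t=0s, 5s, 10s:", simulate("6pm", [0, 5_000, 10_000]))
```

Running it shows why step 4 of the test section sees more 200s than the configured rate: with one model, one request per second against 12pm yields 12 accepted requests in the minute, but spread over two independent counters the same traffic yields 20, because each processor only knows about the requests it handled itself.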
[https://youtu.be/3Gi-GGTqllg](https://youtu.be/3Gi-GGTqllg)

# Earn Extra-points

Now that you have protected your backend against traffic spikes, explore the Spike Arrest policy further in the docs at [http://docs.apigee.com/api-services/reference/spike-arrest-policy](http://docs.apigee.com/api-services/reference/spike-arrest-policy), and update the policy with an identifier (for example a query parameter) on which the Spike Arrest counter is keyed. Use the message weight property to assign a weight to the counter.

# Summary

That completes this hands-on lesson. In this simple lab you learned how to protect target servers against denial of service attacks.

# References

* Useful Apigee documentation links on Traffic Management & Spike Arrest Policy -

  * Spike Arrest Policy - http://docs.apigee.com/api-services/reference/spike-arrest-policy

  * Rate Limiting - [http://docs.apigee.com/api-services/content/rate-limiting](http://docs.apigee.com/api-services/content/rate-limiting)

  * Comparing Rate Limiting Policies - [http://docs.apigee.com/api-services/content/comparing-quota-spike-arrest-and-concurrent-rate-limit-policies](http://docs.apigee.com/api-services/content/comparing-quota-spike-arrest-and-concurrent-rate-limit-policies)


Now go to [Lab-2](https://goo.gl/HvkmFV)
--------------------------------------------------------------------------------
/SecurityJam/Lab 1 Traffic Management - Throttle APIs/ (binary files, not shown inline):
--------------------------------------------------------------------------------
apiproxy/Mock-Target-API.zip and media/image_0.png, image_1.png, image_2.png, image_3.png, image_4.png, image_5.png, image_6.png, image_7.png, image_8.png, image_9.png, image_10.png, image_11.png, image_12.png, image_13.png, image_14.png, image_15.png are served from https://raw.githubusercontent.com/aliceinapiland/AdvancedVirtualAPIJam/289b7ec298fb263093f812dd4328979a8fd18a62/SecurityJam/Lab%201%20Traffic%20Management%20-%20Throttle%20APIs/ under the same relative paths.
/SecurityJam/Lab 2 - Threat Protection/README.md:

# Security : Threat Protection

*Duration : 15 mins*

*Persona : API Team / Security*

# Use case

You have an existing Apigee API proxy that takes requests from the Internet and forwards them to an existing service. You have a requirement to ensure the integrity of the API message content, by protecting against threats such as JSON/XML/SQL injection and other malicious payload manipulation.

# How can Apigee Edge help?

Message content is a significant attack vector used by malicious API consumers. Apigee Edge provides a set of out-of-the-box policies that help mitigate the potential for your backend services to be compromised by attackers or by malformed request payloads.

In this lab we will see how to use the following policies:
- JSON Threat Protection policy
- Regular Expression Protection policy

# Pre-requisites

* Basic understanding of [JSON](https://www.json.org/) and [XML](https://www.w3.org/TR/2008/REC-xml-20081126) data formats.
* Basic understanding of [SQL injections](https://en.wikipedia.org/wiki/SQL_injection)
* Basic understanding of [Regular Expressions](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions)
* Completed a previous [Virtual API Jam](https://github.com/rmistry75/devjam3/tree/master/Labs/VirtualAPIJam) or have the equivalent knowledge of API lifecycle management, and specifically, API proxy policy configuration and enforcement on Apigee Edge. Alternatively, go through the ["Getting started guide"](https://docs.apigee.com/api-platform/get-started/get-started) in the Apigee Docs site.
* Completed [Lab 1 - Traffic Management](https://github.com/aliceinapiland/AdvancedVirtualAPIJam/tree/master/SecurityJam/Lab%201%20Traffic%20Management%20-%20Throttle%20APIs) of this Virtual API Jam - Security

# Instructions

## JSON Threat Protection

1. In your org, select **Develop → API Proxies** in the side navigation menu, and select the API proxy previously created in Lab 1.

![image alt text](./media/image_5.png)

2. Click on the **Develop** tab to access the API Proxy development dashboard.

![image alt text](./media/image_9.png)

3. Click on the "**Send request and view request headers and body**" flow under Proxy Endpoints default, and then click on **+Step** on the upper right of the Request flow to attach a JSON Threat Protection policy.

![image alt text](./media/select-json-flow-for-policy.png)

4. Select the **JSON Threat Protection** policy. Click on the **Add** button to add the policy to the selected flow's request pipeline.

![image alt text](./media/add-policy.png)

5. Select the policy to display the policy's XML configuration in the editor.

![image alt text](./media/select-policy-config.png)

6. Change the policy's XML configuration to the below snippet to enforce protection against JSON payload manipulation threats.
```
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<JSONThreatProtection async="false" continueOnError="false" enabled="true" name="JSON-Threat-Protection-1">
    <DisplayName>JSON Threat Protection-1</DisplayName>
    <Properties/>
    <!-- Reject any JSON object that has more than 5 entries (fields) -->
    <ObjectEntryCount>5</ObjectEntryCount>
    <!-- Inspect the request message, not the response -->
    <Source>request</Source>
</JSONThreatProtection>
```

In the above example, we use the JSON Threat Protection policy's `ObjectEntryCount` element to ensure that the incoming API request JSON payload does not contain more than 5 fields. If the incoming payload contains more than 5 fields, the API proxy returns an error response.
For a full list of JSON integrity checks that can be performed using this policy, see the [JSON Threat Protection policy documentation](https://docs.apigee.com/api-platform/reference/policies/json-threat-protection-policy#elementreference).

7. Click on **Save** to save the API Proxy changes.

![image alt text](./media/save-changes.png)

### To Test JSON Threat Protection:

1. To test the changes made, first click on the **Trace** tab of the API proxy dashboard, and click on the **Start Trace Session** button.

![image alt text](./media/start-tracev2.png)

* **Note**: Take note of the Apigee `organization` and `environment` you are working in. In the screenshot above, the organization is `amer-demo16` and the environment is `test`. Your organization name will likely end in `*-eval`.

2. Now, send a POST request to your API endpoint at **http://{{your-organization}}-{{your-environment}}.apigee.net/mock-target-api/echo** with the following format:
```
POST /mock-target-api/echo HTTP/1.1
Host: {{your-org}}-{{your-env}}.apigee.net
Content-Type: application/json

{
    "field1": "test_value1",
    "field2": "test_value2",
    "field3": "test_value3",
    "field4": "test_value4",
    "field5": "test_value5",
    "field6": "test_value6"
}
```

You can make this call either using a REST client like the one [here](https://apigee-rest-client.appspot.com/), or using a terminal command such as **curl**.
```
curl -X POST "http://{{your-org}}-{{your-env}}.apigee.net/mock-target-api/echo" -H "Content-Type: application/json" -d '{"field1": "test_value1", "field2": "test_value2", "field3": "test_value3", "field4": "test_value4", "field5": "test_value5", "field6": "test_value6"}'
```
* **Note:** If you are using a REST client, make sure that your HTTP request has a header name/value pair of `Content-Type: application/json` as shown below.

![image alt text](./media/add-json-header.png)

3. The response received will be an error, since we attempted to send more than 5 fields in the POST request payload.

![image alt text](./media/error-response.png)

We can also see on the Trace screen that the JSON Threat Protection policy was triggered to return this error response.

![image alt text](./media/error-response-trace.png)

4. You can now test for a successful API call, by sending the API endpoint a similar POST request, but this time with 5 or fewer fields in the JSON payload.
```
POST /mock-target-api/echo HTTP/1.1
Host: {{your-org}}-{{your-env}}.apigee.net
Content-Type: application/json

{
    "field1": "test_value1",
    "field2": "test_value2",
    "field3": "test_value3",
    "field4": "test_value4",
    "field5": "test_value5"
}
```

You can make this call either using a REST client like the one [here](https://apigee-rest-client.appspot.com/), or using a terminal command such as **curl**.
```
curl -X POST "http://{{your-org}}-{{your-env}}.apigee.net/mock-target-api/echo" -H "Content-Type: application/json" -d '{"field1": "test_value1", "field2": "test_value2", "field3": "test_value3", "field4": "test_value4", "field5": "test_value5"}'
```

5. The response received will be a successful one, since this time we sent 5 or fewer fields in the POST request payload.
![image alt text](./media/success-response.png)

We can also see on the Trace screen that the JSON Threat Protection policy allowed the request to go through and hit the API target.

![image alt text](./media/success-response-trace.png)

## Regular Expression Protection

### Add Protection Against SQL Injections

1. Click on the "**View IP address**" flow under Proxy Endpoints default. Click on **+Step** on the upper right of the Request flow and attach a Regular Expression Protection policy.

![image alt text](./media/select-ip-flow-for-reg-exp.png)

2. Select the **Regular Expression Protection** policy. Click on the **Add** button to add the policy to the selected flow's request pipeline.

![image alt text](./media/add-regular-expression-protection-policy.png)

3. Select the policy to display the policy's XML configuration in the editor.

![image alt text](./media/select-regular-expression-protection-policy.png)

4. Change the policy's XML configuration to the below snippet to protect against SQL injections.
```
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<RegularExpressionProtection async="false" continueOnError="false" enabled="true" name="Regular-Expression-Protection-1">
    <!-- Inspect the request message -->
    <Source>request</Source>
    <!-- Check the query parameter named "query" against the pattern below -->
    <QueryParam name="query">
        <Pattern>[\s]*(?i)((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b))</Pattern>
    </QueryParam>
</RegularExpressionProtection>
```

In the above example, the Regular Expression Protection policy has been configured with a pattern that matches common SQL injection attacks. This pattern will be checked against the value of the query parameter named `query`, and if there is a match, the policy will return an error response. Note that the policy lets you check the pattern against all types of input parameters and body content (URI path, query parameters, headers, form parameters, flow variables, and XML or JSON payload content). A pattern blocklist like this one catches known attack signatures only; it complements, and does not replace, parameterized queries in the backend service.

For other sample patterns, reference the [Regular Expression Protection policy documentation](https://docs.apigee.com/api-platform/reference/policies/regular-expression-protection#abouttheregularexpressionprotectionpolicy-exampleblacklistpatterns).

5. Click on **Save** to save the API Proxy changes.

![image alt text](./media/save-changes-2.png)

### Test Regular Expression Protection:

1. To test the changes made, first click on the **Trace** tab of the API proxy dashboard, and click on the **Start Trace Session** button.

![image alt text](./media/start-trace.png)

2. Now, send a GET request to your API endpoint at **http://{{your-organization}}-{{your-environment}}.apigee.net/mock-target-api/ip?query=** with any of the following entries in the `query` parameter. Try out all of the entries, and see if you can determine what each attack is trying to do!
```
query=delete
query=password' OR 1=1
query=5; DROP TABLE USERS;
```

You can make this call either using a REST client like the one [here](https://apigee-rest-client.appspot.com/), or using a terminal command such as **curl**.
```
curl "http://{{your-org}}-{{your-env}}.apigee.net/mock-target-api/ip?query={{insert SQL injection attack here}}"
```

* **Note:** URL-encode the spaces and punctuation in these values (or let your REST client do it), so that the whole string reaches the proxy as the `query` parameter.

![image alt text](./media/send-sql-injection.png)

3. The response received will be an error, since we attempted to send a malicious attack that we have configured our policy to recognize.

![image alt text](./media/sql-injection-blocked.png)

We can also confirm from the Trace screen that the Regular Expression Protection policy was triggered to return this error response.
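To make the two checks in this lab tangible without an org, here is an added example (my code, not the lab's or Apigee's) that emulates both the JSON Threat Protection limit from the earlier section and the Regular Expression Protection pattern from this one, run over the sample bodies and `query` values used above. It assumes the enforcement semantics stated in its comments (the inline `(?i)` expressed as `re.IGNORECASE`, and a match anywhere in the value counting as a hit) and illustrative values for the three other JSON limits; it also goes beyond the lab by checking nested objects, arrays and string lengths.

```python
"""Added example (not part of the lab or of Apigee): an offline emulation of
the two checks configured in this lab, so the sample bodies and `query`
values above can be exercised without an Apigee org. The ObjectEntryCount
limit and the regex are copied from the policy snippets; the other three
JSON limits are real policy elements carrying values chosen here."""
import json
import re
from typing import Any

# Limits for the JSON Threat Protection emulation. ObjectEntryCount is the
# lab's value; the other three are illustrative (assumption) so that nested
# payloads are covered as well.
JSON_LIMITS = {
    "ObjectEntryCount": 5,     # max entries (fields) in any single object
    "ContainerDepth": 8,       # max nesting depth of objects/arrays
    "ArrayElementCount": 20,   # max elements in any array
    "StringValueLength": 256,  # max length of any string value
}

# Pattern from the Regular Expression Protection policy above. Apigee runs it
# as a Java regex, where a mid-pattern (?i) applies to the remainder; Python
# 3.11+ rejects inline flags that are not at the start, so the same effect is
# obtained with re.IGNORECASE. The pattern is unanchored, and the lab's
# "5; DROP TABLE USERS;" input only trips it if a match anywhere counts, so
# the emulation uses search() rather than match().
SQLI_PATTERN = re.compile(
    r"[\s]*((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b))",
    re.IGNORECASE,
)


def json_threat_violations(body: str, limits: dict = JSON_LIMITS) -> list:
    """Parse a JSON request body and return every limit it exceeds.

    An empty list means the JSON Threat Protection check would let the
    message through; any entry means the proxy would return an error.
    """
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        return [f"malformed JSON: {exc.msg}"]
    violations = []

    def walk(node: Any, depth: int) -> None:
        # Only objects and arrays are containers for the depth limit.
        if isinstance(node, (dict, list)) and depth > limits["ContainerDepth"]:
            violations.append(f"ContainerDepth {depth} > {limits['ContainerDepth']}")
            return
        if isinstance(node, dict):
            if len(node) > limits["ObjectEntryCount"]:
                violations.append(
                    f"ObjectEntryCount {len(node)} > {limits['ObjectEntryCount']}")
            for value in node.values():
                walk(value, depth + 1)
        elif isinstance(node, list):
            if len(node) > limits["ArrayElementCount"]:
                violations.append(
                    f"ArrayElementCount {len(node)} > {limits['ArrayElementCount']}")
            for value in node:
                walk(value, depth + 1)
        elif isinstance(node, str) and len(node) > limits["StringValueLength"]:
            violations.append(
                f"StringValueLength {len(node)} > {limits['StringValueLength']}")

    walk(doc, 1)
    return violations


def regex_protection_blocks(query_value: str) -> bool:
    """True if the `query` parameter value matches the blocklist pattern."""
    return SQLI_PATTERN.search(query_value) is not None


# Constructed inputs: the two bodies from the JSON test steps above, plus a
# nested body showing the same limit applied below the top level.
SIX_FIELDS = json.dumps({f"field{i}": f"test_value{i}" for i in range(1, 7)})
FIVE_FIELDS = json.dumps({f"field{i}": f"test_value{i}" for i in range(1, 6)})
NESTED = '{"outer": {"a": 1, "b": 2, "c": 3, "d": 4, "e": 5, "f": 6}}'

# The three `query` values from the regex test steps above, plus two
# constructed benign values; the last one shows the false-positive cost of a
# bare-word rule such as (\bor\b), which is why blocklists need tuning.
QUERY_VALUES = [
    "delete",
    "password' OR 1=1",
    "5; DROP TABLE USERS;",
    "8.8.8.8",
    "Portland or Seattle",
]

if __name__ == "__main__":
    for label, body in (("six fields", SIX_FIELDS), ("five fields", FIVE_FIELDS),
                        ("nested", NESTED)):
        print(f"{label:12} -> {json_threat_violations(body) or 'allowed'}")
    for value in QUERY_VALUES:
        verdict = "blocked" if regex_protection_blocks(value) else "allowed"
        print(f"query={value!r:24} -> {verdict}")
```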
![image alt text](./media/error-response-reg-exp-trace.png)

# Lab Video

If you like to learn by watching, here are short 4 minute videos on using:
- [JSON Threat Protection Policy](https://youtu.be/LIUeaAvRuTQ)
- [RegEx Protection Policy](https://youtu.be/NLg_LE3u-vM)

# Earn Extra-points

Now that you have tried the JSON and Regular Expression Threat Protection policies, try out the [XML Threat Protection policy](https://docs.apigee.com/api-platform/reference/policies/xml-threat-protection-policy) that helps you check the API payload content integrity in the case of XML payloads.

# Summary

That completes this hands-on lesson. In this simple lab you learned how to protect your API payloads against payload content based threats.

# References

* Useful Apigee documentation links on Threat Protection policies:
    * [JSON Threat Protection Policy](https://docs.apigee.com/api-platform/reference/policies/json-threat-protection-policy)
    * [XML Threat Protection Policy](https://docs.apigee.com/api-platform/reference/policies/xml-threat-protection-policy)
    * [Regular Expression Protection policy](https://docs.apigee.com/api-platform/reference/policies/regular-expression-protection)
* [Video](https://youtu.be/rC8kZJgwBFM) on using Threat Protection policies in Apigee Edge

Now go to [Lab-3](https://github.com/aliceinapiland/AdvancedVirtualAPIJam/tree/master/SecurityJam/Lab%203%20-%20Securing%20APIs%20with%20OAuth2%20Client%20Credentials)
/SecurityJam/Lab 3 - Securing APIs with OAuth2 Client Credentials/README.md:

# **API Security : Securing APIs with 2-legged OAuth (client credentials)**

*Duration : 30 mins*

*Persona : API Team/Security*

# **Use case**

You have an API that is consumed by trusted applications. You want to secure that API using two-legged OAuth (client credentials grant type).

# **How can Apigee Edge help?**

Apigee Edge quickly lets you secure your APIs using out-of-the-box OAuth policies. OAuth defines token endpoints, authorization endpoints, and refresh token endpoints. Apps call these endpoints to get access tokens, to refresh access tokens, and, in some cases, to get authorization codes. These endpoints refer to specific OAuth 2.0 policies that execute when the endpoint is called.

Most typically, the **"client_credentials"** grant type is used when the app is also the API resource owner. For example, an app may need to access a backend cloud-based storage service to store and retrieve data that it uses to perform its work, rather than data specifically owned by the end user. This grant type flow occurs strictly between a client app and the authorization server. An end user does not participate in this grant type flow. In this flow, Apigee Edge is the OAuth authorization server. Its role is to generate access tokens, validate access tokens, and pass authorized requests for protected resources on to the resource server.

# **Pre-requisites**

* You have completed [Lab 1](https://github.com/aliceinapiland/AdvancedVirtualAPIJam/tree/master/SecurityJam/Lab%201%20Traffic%20Management%20-%20Throttle%20APIs). If not, please complete that first.
# **Instructions**

As part of this lab, we will:
- Expose OAuth access token endpoints via an API proxy, to generate access tokens based on the "client_credentials" grant type
- Secure our sample API with OAuth access token verification
- Publish API Products and manage API-consuming App configurations on Apigee Edge, to generate a valid set of client credentials.

## Create OAuth Token Endpoints

**Note: In Apigee Edge trial account orgs, the oauth endpoint should already have been created at the time of org provisioning. Check your API Proxies list under Develop -> API Proxies. If there is already a proxy labeled 'oauth', simply go to the proxy details page, click on 'Deployment' and ensure that it is deployed to the 'test' environment (Step 6 below). After that, you can skip this section and head to [the next section](https://github.com/aliceinapiland/AdvancedVirtualAPIJam/tree/master/SecurityJam/Lab%203%20-%20Securing%20APIs%20with%20OAuth2%20Client%20Credentials#secure-mock-target-api-proxy-with-oauth-access-token-verification).**

1. Go to [https://apigee.com/edge](https://apigee.com/edge) and log in. This is the Edge management UI.

2. Select **Develop** → **API Proxies** in the side navigation menu.

![image alt text](./media/image_0.png)

3. Click the **+Proxy** button on the top-right corner to invoke the Create Proxy wizard.

![image alt text](./media/image_1.png)

4. Select **Proxy Bundle** and then click **Next** to import an existing proxy from a zip archive.

![image alt text](./media/image_2.png)

Download the API proxy "oauth.zip" that implements the OAuth client credentials grant type [here](https://github.com/aliceinapiland/AdvancedVirtualAPIJam/blob/master/SecurityJam/Lab%203%20-%20Securing%20APIs%20with%20OAuth2%20Client%20Credentials/oauth.zip?raw=true).
47 | 48 | Back in the proxy creation wizard, click "Choose File", select the “oauth.zip” file you just downloaded and click **Next**: 49 | 50 | ![image alt text](./media/image_3.png) 51 | 52 | 5. Click **Build**: 53 | 54 | ![image alt text](./media/image_4.png) 55 | 56 | You should see a successful "Uploaded proxy" message as shown below. You now have an OAuth Authorization Server that supports the client credentials grant type in Apigee. Click “oauth” near the bottom of the page: 57 | 58 | ![image alt text](./media/image_5.png) 59 | 60 | 6. Deploy the oauth proxy by clicking on the **Deployment** dropdown and selecting the **test** environment: 61 | 62 | ![image alt text](./media/image_6.png) 63 | 64 | ## Secure Mock Target API proxy with OAuth Access Token verification 65 | 66 | 1. Select **Develop** → **API Proxies** in the side navigation menu: 67 | 68 | ![image alt text](./media/image_7.png) 69 | 70 | Select the previously created **Mock-Target-API** proxy: 71 | 72 | ![image alt text](./media/image_8.png) 73 | 74 | Click on the **Develop** tab: 75 | 76 | ![image alt text](./media/image_9.png) 77 | 78 | 2. Ensure that "Preflow" is selected in the “Proxy Endpoints” window, and then click the **+Step** button above the “Request” flow: 79 | 80 | ![image alt text](./media/image_10.png) 81 | 82 | 3. Select the **"OAuth v2.0"** security policy, leave the default names, and then click **Add**: 83 | 84 | ![image alt text](./media/image_11.png) 85 | 86 | 4. Drag and drop the OAuth v2.0 policy so it is the first policy (before Spike Arrest) and then click **Save**. After the proxy is saved, click **Trace** in the upper right: 87 | 88 | ![image alt text](./media/image_12.png) 89 | 90 | 5. Click **"Start Trace Session"** and then click **Send**: 91 | 92 | ![image alt text](./media/image_13.png) 93 | 94 | * You should see a 401 error because the proxy is now protected with an OAuth v2.0 policy and the incoming http request to the proxy did not contain an OAuth bearer token. 
So now we will need to get a valid OAuth token in order to proceed. This will require registering a **Developer** who creates an **App** that uses an **API Product** that contains the **API Proxy (Mock-Target-API)**. 95 | 96 | ## Create API Product, App Config and Generate Client Key & Secret 97 | 98 | 1. To provide access to the API, we must first package the API proxy into an API Product. To do this, first log into the Apigee Edge Management UI, and navigate to **Publish -> API Products**: 99 | 100 | ![image alt text](./media/image_14.png) 101 | 102 | Then, click **+API Product** in the upper right of the screen: 103 | 104 | ![image alt text](./media/image_15.png) 105 | 106 | 2. Fill out the fields as shown below. Click **+API Proxy** (step 4) and then select the **Mock-Target-API** (step 5) from the dropdown. Finally click **Save** : 107 | 108 | ![image alt text](./media/image_16a.png) 109 | ![image alt text](./media/image_16b.png) 110 | ![image alt text](./media/image_16c.png)App 111 | 112 | You should now see the Mock Target Product in the list of API Products. 113 | 114 | 3. Typically, the client app developer will register his/her profile and the app profile, to obtain app credentials through a developer portal. However, for this lab, we will create these entities through the Apigee Edge Management UI. 115 | 116 | First let's create the developer profile. To do this, click on **Publish** → **Developer**: 117 | 118 | ![image alt text](./media/image_17.png) 119 | 120 | Click on **+Developer** in the upper right of the screen:![image alt text](./media/image_18.png) 121 | 122 | 4. Fill out the fields with your **own name and email address** and click **Create**: 123 | 124 | ![image alt text](./media/image_19.png) 125 | 126 | You should see the new Developer you just created in the list. 127 | 128 | 5. 
Click on **Publish** → **Apps**:

![image alt text](./media/image_20.png)

Click on **+App** in the upper right of the screen:

![image alt text](./media/image_21.png)

6. Fill out the details in the App screen as shown below. Click **Create**:

![image alt text](./media/image_22a.png)
![image alt text](./media/image_22b.png)
![image alt text](./media/image_22c.png)

You will now see your list of Apps again. Click on your **Mock Target App** again and click the "Show/Hide" buttons next to the **Consumer Key** and **Consumer Secret** fields. Make a note of the Consumer Key and Consumer Secret so you can use them later. These are the client credentials you will need to get your OAuth token:

![image alt text](./media/image_23.png)

## To Test OAuth Token generation and API protection

1. First, send a valid request to the OAuth token endpoint to generate a valid access token. You can send this request either using a REST client like the one [here](https://apigee-rest-client.appspot.com/), or using **curl** in your Linux/Mac terminal. The request to send is:

```
POST /oauth/client_credential/accesstoken?grant_type=client_credentials HTTP/1.1
Host: {{org-name}}-{{env}}.apigee.net
Accept: application/json
Content-Type: application/x-www-form-urlencoded

client_id={{app_client_key}}&client_secret={{app_client_secret}}
```

* Replace {{org-name}} with your actual Apigee org name, and {{env}} with the deployment environment for your proxy (e.g. 'test').

* Replace {{app_client_key}} and {{app_client_secret}} with your real Consumer Key and Consumer Secret noted down previously.
```
curl -X POST -H 'Content-Type: application/x-www-form-urlencoded' -H 'Accept: application/json' "https://{{org-name}}-{{env}}.apigee.net/oauth/client_credential/accesstoken?grant_type=client_credentials" -d 'client_id={{app_client_key}}&client_secret={{app_client_secret}}'
```

![image alt text](./media/image_24.png)

You now have an OAuth access token as seen in the body of the HTTP response. Copy the value of the access_token (not including the quotation marks) as you will need it for the next step.

2. Now, let's test the protected API by passing in the valid access token. You can send this request either using a REST client like the one [here](https://apigee-rest-client.appspot.com/), or using **curl** in your Linux/Mac terminal. The request to send is:

```
GET /mock-target-api HTTP/1.1
Host: {{org-name}}-{{env}}.apigee.net
Authorization: Bearer {{access-token}}
```

* Replace {{org-name}} with your actual Apigee org name, and {{env}} with the deployment environment for your proxy (e.g. 'test').

* Add a header named **Authorization**, and in the value field write **Bearer** followed by the **access_token** you copied after your last POST request.

```
curl -X GET -H "Authorization: Bearer {{access-token}}" "https://{{org-name}}-{{env}}.apigee.net/mock-target-api"
```

![image alt text](./media/image_25.png)

* If you see "Hello, Guest!" your OAuth token was valid and you've received the correct response!

# **Lab Video**

If you are lazy and don't want to implement this use case, it's OK.
You can watch this short video to see how to implement 2-legged OAuth on Apigee Edge: [https://youtu.be/0pah5J7yQTQ](https://youtu.be/0pah5J7yQTQ)

# **Earn Extra-points**

Now that you've learned how to secure your API with OAuth 2.0, try to control the expiry of the access token that is generated, using the [ExpiresIn](https://docs.apigee.com/api-platform/reference/policies/oauthv2-policy#expiresinelement) configuration element of the [OAuthV2 policy](https://docs.apigee.com/api-platform/reference/policies/oauthv2-policy).

# **Summary**

In this lab you learned how to secure your API using two-legged OAuth 2.0 with the client credentials grant type, by using the default oauth proxy to obtain an access token and using that token to validate requests to your API.

# **References**

* Link to Apigee docs page

* OAuth 2.0: Configuring a new API proxy [http://docs.apigee.com/api-services/content/understanding-default-oauth-20-configuration](http://docs.apigee.com/api-services/content/understanding-default-oauth-20-configuration)

* Secure an API with OAuth [http://docs.apigee.com/tutorials/secure-calls-your-api-through-oauth-20-client-credentials](http://docs.apigee.com/tutorials/secure-calls-your-api-through-oauth-20-client-credentials)

* [Link](https://community.apigee.com/topics/oauth+2.0.html) to Community posts and articles with the topic "OAuth 2.0"

* Search and Revoke tokens - [https://community.apigee.com/articles/1571/how-to-enable-oauth-20-token-search-and-revocation.html](https://community.apigee.com/articles/1571/how-to-enable-oauth-20-token-search-and-revocation.html)

Now go to [Lab 4](https://goo.gl/m1Ae3k).
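To see the whole Lab 3 exchange in one place (the 401 on the unauthenticated call, the client-credentials token request, the bearer-protected call, and the effect of the ExpiresIn setting from the extra-points exercise), here is an added Python model of the two endpoints. It is an illustration written for this page, not code from the lab's oauth proxy or from Apigee; the app registry (`demo-consumer-key` / `demo-consumer-secret`), the in-memory token store and the error bodies are constructed stand-ins.

```python
"""Model of the Lab 3 exchange: a client-credentials token endpoint and the
bearer-token check that the OAuth v2.0 policy performs on Mock-Target-API.
Added illustration, not code from the lab's oauth proxy; the app registry,
token store and error bodies are constructed stand-ins."""
import hmac
import secrets
import time
from urllib.parse import parse_qs

# Constructed stand-in for the Developer App registered in the lab: the
# Consumer Key and Consumer Secret shown under "Show/Hide" in the UI.
APPS = {"demo-consumer-key": "demo-consumer-secret"}  # hypothetical values

# Lifetime of a minted token; this is the knob the OAuthV2 policy's
# ExpiresIn element controls (the "Earn Extra-points" exercise).
EXPIRES_IN_SECONDS = 3600

# token -> (client_id, expiry in epoch seconds); stands in for Apigee's token store
TOKENS = {}


def generate_access_token(form_body, now=None):
    """Handle POST /oauth/client_credential/accesstoken?grant_type=client_credentials
    with an x-www-form-urlencoded body. Returns (http_status, response_dict)."""
    now = time.time() if now is None else now
    params = {k: v[0] for k, v in parse_qs(form_body).items()}
    client_id = params.get("client_id", "")
    client_secret = params.get("client_secret", "")
    # compare_digest keeps the secret comparison constant-time; testing membership
    # afterwards avoids an early exit that would reveal whether the key exists
    secret_ok = hmac.compare_digest(client_secret.encode(), APPS.get(client_id, "").encode())
    if not (secret_ok and client_id in APPS):
        return 401, {"ErrorCode": "invalid_client", "Error": "ClientId or ClientSecret is invalid"}
    token = secrets.token_urlsafe(24)  # opaque, unguessable token value
    TOKENS[token] = (client_id, now + EXPIRES_IN_SECONDS)
    return 200, {"access_token": token, "token_type": "BearerToken",
                 "expires_in": EXPIRES_IN_SECONDS, "client_id": client_id}


def verify_access_token(authorization_header, now=None):
    """What the OAuth v2.0 VerifyAccessToken step does in the Mock-Target-API
    PreFlow: accept only a live bearer token, otherwise answer 401."""
    now = time.time() if now is None else now
    parts = (authorization_header or "").split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return 401, {"fault": {"faultstring": "Invalid access token"}}
    entry = TOKENS.get(parts[1].strip())
    if entry is None:
        return 401, {"fault": {"faultstring": "Invalid access token"}}
    client_id, expires_at = entry
    if now >= expires_at:
        return 401, {"fault": {"faultstring": "Access Token expired"}}
    # token is good: the request proceeds to the mock target
    return 200, {"message": "Hello, Guest!", "client_id": client_id}


def run_lab_flow():
    """Replays the lab: unauthenticated call, token request, authenticated call,
    then the same token after ExpiresIn has elapsed. Returns the four statuses."""
    t0 = 1_700_000_000
    unauth = verify_access_token("", now=t0)[0]
    status, body = generate_access_token(
        "client_id=demo-consumer-key&client_secret=demo-consumer-secret", now=t0)
    auth = verify_access_token("Bearer " + body["access_token"], now=t0 + 60)[0]
    expired = verify_access_token("Bearer " + body["access_token"],
                                  now=t0 + EXPIRES_IN_SECONDS + 1)[0]
    return unauth, status, auth, expired


if __name__ == "__main__":
    print(run_lab_flow())  # (401, 200, 200, 401)
```

Pasting the token with its surrounding quotation marks, as the lab warns against, produces a value that is not in the token store and therefore the same 401 as no token at all; lowering `EXPIRES_IN_SECONDS` shows why a short ExpiresIn limits how long a leaked token is useful.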
--------------------------------------------------------------------------------
/SecurityJam/Lab 4 - JWT/Readme.md:
--------------------------------------------------------------------------------
# **API Security : JWT**

*Duration : 15 mins*

*Persona : API Team/Security*

# **Use case**

You have an API that is consumed by third parties. You want to secure that API using JWT.

# **How can Apigee Edge help?**

[https://docs.apigee.com/api-platform/reference/policies/jwt-policies-overview](https://docs.apigee.com/api-platform/reference/policies/jwt-policies-overview)

# **Pre-requisites**

* You have completed [Lab 1](https://github.com/aliceinapiland/AdvancedVirtualAPIJam/tree/master/SecurityJam/Lab%201%20Traffic%20Management%20-%20Throttle%20APIs). If not, please complete that first.

# **Instructions**

* Go to [https://apigee.com/edge](https://apigee.com/edge) and log in. This is the Edge management UI.

* Select Admin → Environments in the side menu:

![image alt text](./media/image_0.png)

* Select the Key Value Maps tab, change Environment Configuration to "test", and click **+Key Value Map**:

![image alt text](./media/image_1.png)

* Type "jwt-secret-key" (must be this name exactly) in the text box and click **Add**:

![image alt text](./media/image_2.png)

* Now that the key value map is created, add a Shared Secret (key: secret, value: Apigee123 or your choice) to it as shown:

![image alt text](./media/image_3a.png)
![image alt text](./media/image_3b.png)
![image alt text](./media/image_3c.png)

* This shared secret will be used to both generate and verify JWT tokens using the HS256 algorithm.

* Go to Develop → API Proxies:

![image alt text](./media/image_4.png)

* Click the **+Proxy** button in the top-right corner to open the Create Proxy wizard.

![image alt text](./media/image_5.png)

* Select **Proxy Bundle** and then click **Next** to import an existing proxy from a zip archive.

![image alt text](./media/image_6.png)

* Download the Apigee proxy "**JWT.zip**" that generates and verifies JWTs [here](https://github.com/aliceinapiland/AdvancedVirtualAPIJam/blob/master/SecurityJam/Lab%204%20-%20JWT/JWT.zip?raw=true).
Then click "**Choose File**", select the "**JWT.zip**" file you just downloaded and click **Next**:

![image alt text](./media/image_7.png)

* Click **Build**.

* You should see a successful "Uploaded proxy" message. Click on the link to the JWT proxy near the bottom of the page.

* Deploy the JWT proxy by clicking on the **Deployment** dropdown and selecting the **test** environment.

* Click on the **Develop** tab.

* You can see that the JWT proxy has two proxy endpoints: **Generate JWT** (/token) to generate a JWT, and **Verify JWT** (/verify) to verify a JWT. Check both flows and read the XML policies to get a deeper understanding of how they work (reference links are available at the end of the lab).

![image alt text](./media/image_8.png)

* Start by turning on **Trace** for the JWT proxy.

* Then use the Apigee REST Client: [https://apigee-rest-client.appspot.com/](https://apigee-rest-client.appspot.com/)

* POST to https://**{your-org-name}**-test.apigee.net/v1/jwt/token

![image alt text](./media/image_9.png)

* You should see a token in the HTTP response. Copy the token value (without the quotation marks) and review the Trace tool to understand what happened.

* Go to [http://jwt.io](http://jwt.io) and paste the token in the Encoded window (ensure the algorithm is HS256). Also type the shared secret (e.g. **Apigee123** unless you changed it) in the Verify Signature box:

![image alt text](./media/image_10.png)

* Now verify the token, using the same Apigee REST tool:

* POST to https://**{your-org-name}**-test.apigee.net/v1/jwt/verify

* In the header, put "token" and its value

![image alt text](./media/image_11.png)

* If you get a 200 return code, the JWT is valid (as expected). Again, review the Trace tool to understand what happened.
You can also try to tamper with the JWT (add/remove characters) and invoke the same API call again. What happens?

# **Earn Extra-points**

Change the JWT token generation policy to include [additional claims](https://docs.apigee.com/api-platform/reference/policies/generate-jwt-policy#additionalclaimsclaim) (iss, aud, sub, extra claims) in it, to see how the behavior changes.

# **Summary**

* In this lab, you learned how to use Apigee's out-of-the-box JWT policies to both generate and verify a JWT. Now you can use these policies to actually secure an API using JWT security. To do so, you would first want to authenticate a user against their IdP (which also contains "claims" about that user/principal) before calling GenerateJWT and issuing the JWT with claims back to that user (for simplicity, we skipped the user authentication step in this lab and hard coded the claims). The API that is protected would invoke VerifyJWT (either directly or via an Apigee endpoint) to verify the JWT and read/verify its claims.

# **References**

* [Apigee Edge JWT token support explained in 4 minutes](https://youtu.be/mY5B6YlpkAY)

* [Apigee Edge JWT Policies Overview](https://docs.apigee.com/api-platform/reference/policies/jwt-policies-overview)

* [Adding Additional Claims to your JWT](https://docs.apigee.com/api-platform/reference/policies/generate-jwt-policy#additionalclaimsclaim)

Now go to [Lab 5](https://goo.gl/6S2iJr).
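The generate/verify pair from this lab, and the tampering question above, can be reproduced outside Apigee with a few lines of Python. This is an added example written for this page, not the JWT proxy's own code or Apigee's policy implementation; the shared secret defaults to the lab's suggested `Apigee123`, and the claim values (`iss`, `aud`, `sub`, which are the extra-points claims) and the `tamper` helper are constructed for illustration. It also goes one step beyond the lab by pinning the algorithm and checking `exp`, `iss` and `aud` on verification.

```python
"""HS256 JWT issue-and-verify, the operations the lab's GenerateJWT and
VerifyJWT policies perform with the shared secret stored in the
jwt-secret-key key value map. Added example, not the JWT proxy's own code;
the claims and the tampering helper are constructed for illustration."""
import base64
import hashlib
import hmac
import json
import time

SHARED_SECRET = b"Apigee123"  # the KVM value suggested in the lab (change if you did)
TOKEN_TTL_SECONDS = 300


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def generate_jwt(claims, secret=SHARED_SECRET, now=None, ttl=TOKEN_TTL_SECONDS):
    """Build header.payload.signature with HMAC-SHA256 over the base64url segments."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iat=now, exp=now + ttl)
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_jwt(token, secret=SHARED_SECRET, now=None, issuer=None, audience=None):
    """Return (True, claims) or (False, reason). The signature is checked before the
    payload is trusted, and the algorithm is pinned rather than read from the token."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    h_b64, p_b64, s_b64 = parts
    try:
        header = json.loads(_b64url_decode(h_b64))
        signature = _b64url_decode(s_b64)
    except ValueError:  # covers binascii.Error, JSONDecodeError and bad UTF-8
        return False, "undecodable header or signature"
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False, "unexpected alg"  # rejects "none" and algorithm swaps
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return False, "bad signature"  # any edit to header or payload lands here
    try:
        claims = json.loads(_b64url_decode(p_b64))
    except ValueError:
        return False, "undecodable payload"
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return False, "expired"
    if issuer is not None and claims.get("iss") != issuer:
        return False, "wrong issuer"
    if audience is not None and claims.get("aud") != audience:
        return False, "wrong audience"
    return True, claims


def tamper(token):
    """Flip one character of the payload segment, like editing the token by hand."""
    h, p, s = token.split(".")
    p = p[:-1] + ("A" if p[-1] != "A" else "B")
    return f"{h}.{p}.{s}"


if __name__ == "__main__":
    t = generate_jwt({"iss": "apigee-lab", "aud": "mock-target", "sub": "alice"}, now=1000)
    print(verify_jwt(t, now=1100, issuer="apigee-lab", audience="mock-target"))
    print(verify_jwt(tamper(t), now=1100))
```

Because the HMAC covers the exact base64url text of both header and payload, a single changed character anywhere in those segments fails with "bad signature" before the claims are ever parsed, which is the behaviour the Trace tool shows when you tamper with the token in the lab.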
--------------------------------------------------------------------------------
/SecurityJam/Lab 5 - External OAuth Token using Okta/README.md:
--------------------------------------------------------------------------------
# **API Security - External IdP Integration using Okta**

*Duration : 20 mins*

*Persona : API Team/Security*

# **Use case**

You have an API that
is consumed by a client application. You want to secure that API using OAuth 2.0 and use an external identity provider such as Okta to protect the application end user's identity.
In this lab, we will use Apigee as the OAuth provider to protect the API endpoints using OAuth 2.0. Okta will be used to protect the application end user's identity. We will accomplish this by integrating Okta into the Apigee OAuth proxy and implementing OAuth 2.0 with the resource owner / password grant type.

# **How can Apigee Edge help?**

See (optional): [Apigee + Okta - Using OAuth 2.0 Resource Owner / Password Grant Type](https://community.apigee.com/articles/28752/apigeeokta-integration-resource-owner-password-gra.html)

Apigee has built-in support for implementing OAuth 2.0 with the resource owner / password grant type. Using the [OAuthV2 policy](https://docs.apigee.com/api-platform/reference/policies/oauthv2-policy), Apigee Edge can be configured to act as the authorization provider for access to the API, while using the [Service Callout policy](https://docs.apigee.com/api-platform/reference/policies/service-callout-policy) to invoke Okta's authentication API to authenticate the identity of the app end user.

![image alt text](./media/password-grant-flow-diagram.png)

# **Pre-requisites**

* You have completed [Lab 3](https://goo.gl/xBMaav). If not, please complete that first.

# **Instructions**

Let us assume that there is a client application that needs to consume the API endpoints we built in the previous labs (**Mock-Target-API**), and that this application is a trusted one.
The resource owner password (or "password") grant type is mostly used in cases where the app is highly trusted. In this configuration, the user provides their resource server credentials (username/password) to the client app, which sends them in an access token request to Apigee Edge.
An identity server (it this case, Okta) validates the credentials, and if they are valid, Edge proceeds to mint an access token and returns it to the app. 28 | 29 | In this scenario, let us proceed to set up 30 | a) The app end user's identity in Okta, 31 | b) The app configuration in Apigee Edge, and 32 | b) The API proxy configuration in Apigee Edge to enforce both end user identity authentication, as well as API authorization through OAuth 2.0. 33 | 34 | ## End User Configuration in Okta 35 | 36 | 1. In this lab, we will use a pre-configured Okta instance to authenticate end user identity. To add a new app end user, we will use the Okta User API. 37 | Invoke the following API request (either from a terminal or [REST client](https://apigee-rest-client.appspot.com/)): 38 | ``` 39 | curl -X POST "https://dev-271499-admin.okta.com/api/v1/users?activate=true" -H "Content-Type: application/json" -H "Authorization: SSWS 004LHmN3InpVQ9pOMWjsdb6ZDUmi1IP8_DLjaOlb6Z" -d '{"profile": {"firstName": "","lastName": "","email": "","login": ""},"credentials": {"password" : { "value": ""}}}' 40 | ``` 41 | Use the following parameters if using the REST Client 42 | 43 | POST to URL: `https://dev-271499-admin.okta.com/api/v1/users?activate=true` 44 | 45 | Authorization Header: `SSWS 004LHmN3InpVQ9pOMWjsdb6ZDUmi1IP8_DLjaOlb6Z` 46 | 47 | First Name, last name, email, login, and password: provide your own 48 | 49 | ![image alt text](./media/RESTClient-Okta-User-API-Request1.png) 50 | ![image alt text](./media/RESTClient-Okta-User-API-Request2.png) 51 | 52 | This will create an active end user profile in Okta: 53 | ![image alt text](./media/RESTClient-Okta-User-API-Response.png) 54 | 55 | 2. Make note of the Username and Password you provided in the above API request. We will use this to authenticate the app end user's identity. 

## App Configuration in Apigee Edge

**Note: These steps should have already been completed during Lab 3, so please skip this section if you have already completed Lab 3.**

1. To provide access to the API, we must first package the API proxy into an API Product. To do this, first log into the Apigee Edge Management UI, and navigate to **Publish -> API Products**:

![image alt text](./media/image_14.png)

Then, click **+API Product** in the upper right of the screen:

![image alt text](./media/image_15.png)

2. Fill out the fields as shown below. Click **+API Proxy** (step 4) and then select the **Mock-Target-API** (step 5) from the dropdown. Finally click **Save**:

![image alt text](./media/image_16.png)

You should now see the Mock Target Product in the list of API Products.

3. Typically, the client app developer registers their own profile and the app profile, and obtains the app credentials, through a developer portal. However, for this lab, we will create these entities through the Apigee Edge Management UI.

First let's create the developer profile. To do this, click on **Publish** → **Developers**:

![image alt text](./media/image_17.png)

Click on **+Developer** in the upper right of the screen:

![image alt text](./media/image_18.png)

4. Fill out the fields with your **own name and email address** and click **Create**:

![image alt text](./media/image_19.png)

You should see the new Developer you just created in the list.

5. Click on **Publish** → **Apps**

![image alt text](./media/image_20.png)

Click on **+App** in the upper right of the screen:

![image alt text](./media/image_21.png)

6. Fill out the details in the App screen as shown below. Click **Save**:

![image alt text](./media/image_22.png)

You will now see your list of Apps again.
Click on your **Mock Target App** again and click the "Show/Hide" buttons next to the **Consumer Key** and **Consumer Secret** fields. Make a note of the Consumer Key and Consumer Secret so you can use them later. These are the client credentials (`client_id` and `client_secret`) you will need to get your OAuth token. Treat the Consumer Secret like a password: it belongs only in a client that can keep a secret, never in a browser or mobile app and never in source control.

![image alt text](./media/image_23.png)

## Create OAuth Token Endpoints

1. First, we must set up the OAuth token endpoint. To do this, download the API proxy bundle from [here](https://github.com/aliceinapiland/AdvancedVirtualAPIJam/raw/master/SecurityJam/Lab%205%20-%20External%20OAuth%20Token%20using%20Okta/resources/oauth-okta-integration.zip).

2. Once downloaded, navigate to **Develop -> API Proxies** in the Apigee Edge Management UI:
![image alt text](./media/Develop-APIProxies.png)

3. Click the **+Proxy** button.
![image alt text](./media/AddProxy.png)

4. In the proxy creation wizard, select the **Proxy Bundle** option and click **Next**.
![image alt text](./media/AddOktaIntegrationOAuthProxy-ProxyAddWizardOption.png)

5. On the next screen, click **Choose File** and upload the previously downloaded proxy bundle zip. Then click **Next**.
![image alt text](./media/ChooseProxyBundle.png)

6. On the next screen, click **Build** to build the proxy.
![image alt text](./media/BuildProxyBundle.png)

7. Confirm that the proxy was uploaded successfully and click on the view proxy link:
![image alt text](./media/ViewProxyBundle.png)

8. On the Proxy Overview page, click the **Deployment** button, and select the **test** environment. Click **Deploy** in the confirmation pop-up.
![image alt text](./media/DeployProxyBundle.png)
![image alt text](./media/DeployProxyBundleConfirm.png)

## Secure Mock Target API proxy with OAuth Access Token verification

**Note: These steps should have already been completed during Lab 3, so please skip this section if you have already completed Lab 3.**

1. Navigate to **Develop -> API Proxies** in the Apigee Edge Management UI:
![image alt text](./media/Develop-APIProxies.png)

2. In the API Proxy list, search for and select the **Mock-Target-API** proxy:
![image alt text](./media/SearchAPIProxy.png)

3. On the proxy overview screen, click the **Develop** tab:
![image alt text](./media/ProxyDevelopTab.png)

4. In the proxy develop screen, select the **PreFlow** from the menu on the left:
![image alt text](./media/SelectPreFlow.png)

5. Click the **+Step** button on the request pipeline of the PreFlow, as shown below:
![image alt text](./media/AddStep.png)

From the pop-up menu, select the OAuth v2.0 policy and click **Add** as shown below:
![image alt text](./media/AddOAuthPolicy.png)

Select the policy in the flow and edit the policy's XML configuration as shown below, so that its operation is `VerifyAccessToken`. The lab works regardless of where this policy sits among the other PreFlow policies, but in practice the token check belongs before any policy that does work on behalf of the caller, so that unauthenticated requests are rejected as early as possible:
![image alt text](./media/OAuthPolicyConfig.png)

Then, click **Save**.
![image alt text](./media/SaveProxy.png)

## Test

Now that we have configured the end user credentials in Okta, and the API Proxy and App credentials in Apigee Edge, let us proceed to test the OAuth resource owner password flow end to end.

1. (Optional) Navigate to the proxy overview screen of the "oauth-okta-integration" proxy and start the **Trace** session:
![image alt text](./media/StartTraceOAuthProxy.png)

2. Send the following token generation request to the access token endpoint, using a terminal or a [REST client](https://apigee-rest-client.appspot.com). Each value is passed with `--data-urlencode` so that characters such as `&`, `+`, `=` or `%` in a password do not corrupt the form encoding, and the endpoint is called over HTTPS because the request carries both the user's password and the client secret:
```
curl -X POST "https://{{org}}-{{env}}.apigee.net/oauth-ext/token" \
  -H "Accept: application/json" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  --data-urlencode "grant_type=password" \
  --data-urlencode "user={{okta_user}}" \
  --data-urlencode "password={{okta_password}}" \
  --data-urlencode "client_id={{client_id}}" \
  --data-urlencode "client_secret={{client_secret}}"
```

![image alt text](./media/RESTClient-OAuthRequest1.png)
![image alt text](./media/RESTClient-OAuthRequest2.png)

Note down the generated access token:
![image alt text](./media/RESTClient-OAuthResponse.png)

Also, note in the Trace session that the Service Callout policy in the "oauth-okta-integration" proxy is called to validate the end user identity in Okta. On successful authentication, the proxy uses the OAuthV2 policy to generate the access token. As a check, repeat the request with a wrong password: the Service Callout should fail and no token should be issued, which is what binds the Apigee-issued token to an Okta-verified user.
![image alt text](./media/TraceResultOAuthProxy.png)

3. Now, let us test the "Mock-Target-API" proxy which we have now protected with the OAuthV2 policy.
(Optional) Navigate to the proxy overview screen of the "Mock-Target-API" proxy, and start the Trace session:
![image alt text](./media/StartTraceProxy.png)

4. Send a request to the API Proxy without an Authorization header:
```
curl -i "https://{{org}}-{{env}}.apigee.net/mock-target-api"
```

Notice that a 401 error response is returned, since no access token was sent in the request:
![image alt text](./media/RESTClient-ProxyResponse.png)

5. Now, send an API request with the access token in the Authorization header:
```
curl -i -H "Authorization: Bearer {{access_token}}" "https://{{org}}-{{env}}.apigee.net/mock-target-api"
```

Once the access token is validated, a successful API response is returned:
![image alt text](./media/RESTClient-ProxyResponseSuccess.png)

## Lab Video

[Apigee/Okta Integration: Resource Owner / Password Grant Flow in Action](https://youtu.be/OKCySDIwZ1E)

## Earn Extra-points
* Try out the Okta integration proxy for the delegated token generation case where Okta mints the OAuth access token instead of Apigee, as documented here:
  - [Apigee Community Article](https://community.apigee.com/articles/28752/apigeeokta-integration-resource-owner-password-gra.html)
  - [Proxy](https://github.com/prithpal/apigee-okta-integration)

* Also, see the advanced example for OpenID Connect with Okta, [here](https://github.com/apigee/apigee-okta).

## Summary

In this lab, you created an OAuth 2.0 access token endpoint that generates and refreshes tokens using the resource owner password grant type after validating the app end user's credentials against an identity provider (Okta), and you secured your API so that a valid token must be presented to authorize requests to it.
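The proxy bundle you uploaded is a zip, so the policies that implement the flow are only visible through the Trace. The following is an added illustration, not the contents of `oauth-okta-integration.zip` and not Apigee or Okta project code, of how the token endpoint and the protected proxy fit together as Apigee Edge policy XML. The policy names, the `okta.status` variable, the 30-minute token lifetime and the Okta org URL `https://dev-271499.okta.com` (derived from the lab's `-admin` URL) are assumptions; the form parameter names `grant_type`, `user` and `password` are the ones the Test section's curl request sends.

```xml
<!-- Policy 1 (assumed name SC-Okta-Authn): ask Okta to verify the end user's password.
     A wrong password makes Okta answer 401, which fails this policy by default. -->
<ServiceCallout name="SC-Okta-Authn">
  <Request variable="oktaAuthnRequest">
    <Set>
      <Verb>POST</Verb>
      <Headers>
        <Header name="Content-Type">application/json</Header>
        <Header name="Accept">application/json</Header>
      </Headers>
      <!-- @...# delimiters stop the JSON braces from being read as variable references -->
      <Payload contentType="application/json" variablePrefix="@" variableSuffix="#">{"username":"@request.formparam.user#","password":"@request.formparam.password#"}</Payload>
    </Set>
  </Request>
  <Response>oktaAuthnResponse</Response>
  <HTTPTargetConnection>
    <!-- assumption: the lab org's user-facing Okta URL; the authn API is not on the -admin host -->
    <URL>https://dev-271499.okta.com/api/v1/authn</URL>
  </HTTPTargetConnection>
</ServiceCallout>

<!-- Policy 2 (assumed name EV-Okta-Status): copy Okta's transaction state into okta.status -->
<ExtractVariables name="EV-Okta-Status">
  <Source>oktaAuthnResponse</Source>
  <VariablePrefix>okta</VariablePrefix>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
  <JSONPayload>
    <Variable name="status">
      <JSONPath>$.status</JSONPath>
    </Variable>
  </JSONPayload>
</ExtractVariables>

<!-- Policy 3 (assumed name RF-Invalid-User): refuse the grant unless Okta reported SUCCESS -->
<RaiseFault name="RF-Invalid-User">
  <FaultResponse>
    <Set>
      <StatusCode>401</StatusCode>
      <ReasonPhrase>Unauthorized</ReasonPhrase>
      <Payload contentType="application/json">{"error":"invalid_grant"}</Payload>
    </Set>
  </FaultResponse>
</RaiseFault>

<!-- Policy 4 (assumed name OAuthV2-GenerateAccessToken): Apigee checks client_id and
     client_secret from the form body and mints the token; the lifetime is an assumption -->
<OAuthV2 name="OAuthV2-GenerateAccessToken">
  <Operation>GenerateAccessToken</Operation>
  <ExpiresIn>1800000</ExpiresIn> <!-- 30 minutes, in milliseconds -->
  <SupportedGrantTypes>
    <GrantType>password</GrantType>
  </SupportedGrantTypes>
  <GrantType>request.formparam.grant_type</GrantType>
  <UserName>request.formparam.user</UserName>
  <PassWord>request.formparam.password</PassWord>
  <GenerateResponse enabled="true"/>
</OAuthV2>

<!-- Token endpoint ProxyEndpoint: POST /oauth-ext/token runs the policies in order.
     RaiseFault ends the flow when its Condition holds, so GenerateAccessToken
     runs only after an Okta SUCCESS. -->
<ProxyEndpoint name="default">
  <Flows>
    <Flow name="token">
      <Condition>(proxy.pathsuffix MatchesPath "/token") and (request.verb = "POST")</Condition>
      <Request>
        <Step><Name>SC-Okta-Authn</Name></Step>
        <Step><Name>EV-Okta-Status</Name></Step>
        <Step>
          <Name>RF-Invalid-User</Name>
          <Condition>(oktaAuthnResponse.status.code != 200) or (okta.status != "SUCCESS")</Condition>
        </Step>
        <Step><Name>OAuthV2-GenerateAccessToken</Name></Step>
      </Request>
    </Flow>
  </Flows>
  <HTTPProxyConnection>
    <BasePath>/oauth-ext</BasePath>
    <!-- TLS virtual host only: passwords and client secrets never travel in clear text -->
    <VirtualHost>secure</VirtualHost>
  </HTTPProxyConnection>
  <!-- no backend: GenerateResponse writes the token response itself -->
  <RouteRule name="noroute"/>
</ProxyEndpoint>

<!-- Mock-Target-API PreFlow policy (assumed name OAuthV2-VerifyAccessToken): with no
     <AccessToken> element the policy reads "Authorization: Bearer <token>" and rejects
     a missing, unknown, revoked or expired token with 401 before the target is called -->
<OAuthV2 name="OAuthV2-VerifyAccessToken">
  <Operation>VerifyAccessToken</Operation>
</OAuthV2>
```

Two details carry the security weight. Okta's `/api/v1/authn` answers HTTP 200 for transaction states other than a completed login, such as `MFA_REQUIRED`, `PASSWORD_EXPIRED` or `LOCKED_OUT`, so the condition checks the JSON `status` field and not only the HTTP status code; a wrong password produces an Okta 401, which fails the Service Callout itself. On the resource side, `VerifyAccessToken` also checks that the token was issued to an app approved for an API Product that includes `Mock-Target-API`, which is why the product and app created earlier in this lab are required and not just a formality.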

## References

* [Implementing the Password Grant Type for OAuth 2.0 on Apigee Edge](https://docs.apigee.com/api-platform/security/oauth/implementing-password-grant-type)

* [OAuthV2 policy configuration reference](https://docs.apigee.com/api-platform/reference/policies/oauthv2-policy)
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/SecurityJam/Links.txt:
--------------------------------------------------------------------------------
Sign Up: https://goo.gl/ALGs3M

Advanced Virtual API Jam - Security (repo): https://goo.gl/LhAXLF

Lab 1: https://goo.gl/CQ6VnJ

Lab 2: https://goo.gl/t1guSF

Lab 3: https://goo.gl/xBMaav

Lab 4: https://goo.gl/y6nXgJ

Lab 5: https://goo.gl/6S2iJr

Feedback Form: https://goo.gl/forms/HICelSO2ejzakMSk1
--------------------------------------------------------------------------------
/SecurityJam/README.md:
--------------------------------------------------------------------------------
# **Apigee Edge Virtual API Jam - Security**
Apigee’s API Jam on Security is a hands-on workshop that will jumpstart your understanding of API security. Our experts will walk you through five lab exercises that will help you throttle, protect, and secure your APIs by utilizing modern security principles like OAuth 2.0 and JWT.

API developers and architects who want to build a secure API, this workshop is for you!

## **Who should attend?**
This workshop will be valuable to API developers, architects, and anyone who wants to understand how to secure APIs exposed through Apigee Edge.

## **What do attendees need to bring?**
- Register for the session. Make sure to register for the Virtual API Jam so that we can send you the relevant connection details to join the online session.
- Browser (Chrome). A modern web browser like Chrome (v50+) to access the Apigee Edge Platform UI.
- An Apigee Account. Create and activate your free Apigee Edge account prior to attending the workshop. You can sign up for one at https://login.apigee.com/sign_up. Ensure that your Org has been provisioned as part of your trial account.
- A basic understanding of Apigee Edge entities such as API Proxies, Apps, and Products. For a refresher of the API Management Lifecycle, please complete the lab exercises in the Virtual API Jam [here](https://github.com/rmistry75/devjam3/tree/master/Labs/VirtualAPIJam).

## **Workshop Agenda**

- Introduction to API Security
- [Lab 1: Throttle your API Traffic to prevent DoS](https://goo.gl/CQ6VnJ)
- [Lab 2: Protect your APIs against content-based threats](https://goo.gl/t1guSF)
- [Lab 3: OAuth 2.0 based API security](https://goo.gl/xBMaav)
- [Lab 4: JWT based API security](https://goo.gl/hgg2Uh)
- [Lab 5: OAuth 2.0 based API security using an External Identity Platform such as Okta](https://goo.gl/6S2iJr)
- Demo of the Apigee Sense API Security Platform

--------------------------------------------------------------------------------
/SecurityJam/README.org:
--------------------------------------------------------------------------------
# **Apigee Edge Virtual API Jam - Security**
Apigee’s API Jam on Security is a hands-on workshop that will jumpstart your understanding of API security. Our experts will walk you through five lab exercises that will help you throttle, protect, and secure your APIs by utilizing modern security principles like OAuth 2.0 and JWT, and by simplifying developer on-boarding.

API developers and architects who want to build a secure API, this workshop is for you!

## **Who should attend?**
This workshop will be valuable to API developers, architects, and anyone who wants to understand how to secure APIs exposed through Apigee Edge.

## **What do attendees need to bring?**
- Register for the session. Make sure to register for the Virtual API Jam so that we can send you the relevant connection details to join the online session.
- Browser (Chrome). A modern web browser like Chrome (v50+) to access the Apigee Edge Platform UI.
- An Apigee Account. Create and activate your free Apigee Edge account prior to attending the workshop. You can sign up for one at https://login.apigee.com/sign_up. Ensure that your Org has been provisioned as part of your trial account.
- A basic understanding of Apigee Edge entities such as API Proxies, Apps, and Products. For a refresher of the API Management Lifecycle, please complete the lab exercises in the Virtual API Jam here.

## **Workshop Agenda**

- Introduction to API Security
- [Lab 1: Throttle your API Traffic to prevent DoS](https://goo.gl/CQ6VnJ)
- [Lab 2: Protect your APIs against content-based threats](https://goo.gl/t1guSF)
- [Lab 3: OAuth 2.0 based API security](https://goo.gl/xBMaav)
- [Lab 4: JWT based API security](https://goo.gl/hgg2Uh)
- Lab 5: Use Apigee with Okta Identity Protection
- Demo of the Apigee Sense API Security Platform
--------------------------------------------------------------------------------