Biscuit to ApiKey Bridge Plugin
The Biscuit API Key Bridge Plugin is a pre-routing plugin designed for Cloud APIM. It extracts an API key from the request Biscuit Token, ensuring secure access control.
Configuration
The plugin requires the following configuration parameters:
| Parameter | Type | Description |
|---|---|---|
keypair_ref | String | Reference to the Biscuit Keypair used for token verification. |
enforce | Boolean | If true, the plugin enforces API key validation. Defaults to true. |
extractor_type | String | Specifies how the token is extracted. Possible values: header, cookie, query. |
extractor_name | String | The name of the field where the token is stored. Defaults to Authorization. |
client_id_key | String | The name of the Client ID key from the biscuit token. |
Default Configuration
{
"keypair_ref": "",
"enforce": true,
"extractor_type": "header",
"extractor_name": "Authorization",
"client_id_key": "client_id"
}
Plugin Behavior
Pre-Routing Logic
- Retrieves the Biscuit token from the specified source (
extractor_typeandextractor_name). - Validates the token using the referenced Biscuit Keypair.
- Extracts the
client_idfrom the token (using 'client_id_key' or default 'client_id' symbol from biscuit). - Checks if the corresponding API Key exists and is active.
- If the API Key is inactive and
enforceistrue, the request is rejected.
Error Handling
- If the Biscuit token is missing and
enforceistrue, anunauthorizederror is returned. - If the Biscuit token is invalid or cannot be verified, an
internal server erroris returned. - If the extracted API Key does not exist, an
unauthorizederror is returned.