How can we configure client-id in basic authentication policy and how we can verify that in verify-api key policy?
Basic authentication policy is simply a policy that can base64 encode or decode a string into its constituent variables. It actually doesn't verify anything like client_id or secret or anything like that.
If you want to verify the client_id, you need to use the VerifyApiKey policy, a sample of that would look like this:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<VerifyAPIKey async="false" continueOnError="false" enabled="true" name="VerifyAPIKey">
    <DisplayName>VerifyAPIKey</DisplayName>
    <Properties/>
    <!-- Reads the key from the client_id flow variable rather than a header or query param -->
    <APIKey ref="client_id"/>
</VerifyAPIKey>
If your use-case is something like this:
"The client would pass the client_id and secret as a Base64 encoded Basic Auth header, and you would like to perform a VerifyAPIKey operation on that after extracting the key from the basic auth header."
In the above case, you would have a BasicAuthentication policy with the encode operation like below:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- enabled must be "true" for the policy to run and populate the variables used below -->
<BasicAuthentication async="false" continueOnError="false" enabled="true" name="BasicAuthentication">
    <DisplayName>BasicAuthentication</DisplayName>
    <Operation>Decode</Operation>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <!-- Decoded "user:password" pair is written to these two flow variables -->
    <User ref="client_id"/>
    <Password ref="client_secret"/>
    <!-- Header of the form "Basic <base64>" -->
    <Source>request.header.Authorization</Source>
</BasicAuthentication>
Once this policy executes, you would have the client_id in the "client_id" variable and the secret in the "client_secret" variable. After that you can invoke the VerifyAPIKey policy as shown above, which refers to the client_id variable. I hope this helps.
If this answers your query please accept my answer so that the others can benefit from it.
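Wiring the two policies together in a proxy PreFlow, as an added example that is not from the original answer: the decode step runs only when an Authorization header is present, and VerifyAPIKey then checks the decoded client_id against the registered apps. Note that nothing in this chain checks client_secret; VerifyAPIKey only consumes the client_id variable. The base path, virtual host and endpoint names are assumed placeholders.

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Example ProxyEndpoint (assumed names); step names must match the policies' name attributes -->
<ProxyEndpoint name="default">
    <PreFlow name="PreFlow">
        <Request>
            <!-- Step 1: split the Basic header into client_id / client_secret variables -->
            <Step>
                <Name>BasicAuthentication</Name>
                <Condition>request.header.Authorization != null</Condition>
            </Step>
            <!-- Step 2: reject the request unless client_id is a valid, approved API key -->
            <Step>
                <Name>VerifyAPIKey</Name>
            </Step>
        </Request>
        <Response/>
    </PreFlow>
    <Flows/>
    <PostFlow name="PostFlow">
        <Request/>
        <Response/>
    </PostFlow>
    <HTTPProxyConnection>
        <!-- Placeholder values -->
        <BasePath>/v1/example</BasePath>
        <VirtualHost>secure</VirtualHost>
    </HTTPProxyConnection>
    <RouteRule name="default">
        <TargetEndpoint>default</TargetEndpoint>
    </RouteRule>
</ProxyEndpoint>
```

If the header is absent the condition skips the decode step, and VerifyAPIKey then fails because the client_id variable is unset, so the request is still rejected rather than passed through.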
@Rajesh Nimmada, can you please update the question with what exactly you are trying to do? What are you expecting to see? What do you see?
sorry for jumping in 🙂
The above solution mentioned by @arghya das has one big advantage.
However
Is it okay to perform basic authentication above way?
Is it a bad practice for all of us who are apigee customers / users ?
Can someone shed light on it?
Thanks & Regards
Sujith Mathew
This BasicAuthentication policy does not enforce Basic Authentication on a request to an API proxy. Instead, you use it to Base64 encode/decode credentials.
More info here: http://docs.apigee.com/api-services/reference/basic-authentication-policy