How can we configure client-id in basic authentication policy and how we can verify that in verify-api key policy?


adas
New Member

Basic authentication policy is simply a policy that can base64 encode or decode a string into its constituent variables. It actually doesn't verify anything like client_id or secret or anything like that.

If you want to verify the client_id, you need to use the VerifyApiKey policy, a sample of that would look like this:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<VerifyAPIKey async="false" continueOnError="false" enabled="true" name="VerifyAPIKey">
    <DisplayName>VerifyAPIKey</DisplayName>
    <Properties/>
    <APIKey ref="client_id"/>
</VerifyAPIKey>

If your use-case is something like this:

"The client would pass the client_id and secret as a Base64 encoded Basic Auth header, and you would like to perform a VerifyAPIKey operation on that after extracting the key from the basic auth header."

In the above case, you would have a BasicAuthentication policy with the encode operation like below:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<BasicAuthentication async="false" continueOnError="false" enabled="true" name="BasicAuthentication">
    <DisplayName>BasicAuthentication</DisplayName>
    <Operation>Decode</Operation>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <User ref="client_id"/>
    <Password ref="client_secret"/>
    <Source>request.header.Authorization</Source>
</BasicAuthentication>

Once this policy executes, you would have the client_id in the "client_id" variable and the secret in the "client_secret" variable. After that you can invoke the VerifyAPIKey policy as shown above, which refers to the client_id variable. I hope this helps.

If this answers your query please accept my answer so that the others can benefit from it.
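As an added illustration of the two-step flow described in this answer (example code written for this page, not Apigee's implementation or the answer's own), the Python below decodes the Authorization header the way the BasicAuthentication policy's Decode operation does, then checks the resulting client_id against a constructed app table the way VerifyAPIKey does. The REGISTERED_APPS table and the verify_client_secret step are assumptions; the latter is there to make visible that VerifyAPIKey alone checks only the key, not the secret.

```python
import base64
import binascii
import hmac

# Constructed sample of registered developer apps: client_id -> client_secret.
# Stands in for the app store that VerifyAPIKey consults (assumption).
REGISTERED_APPS = {"abc123clientid": "s3cr3t-example"}


def build_basic_header(client_id, client_secret):
    """Build the header a client would send (used to construct test input)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic_auth(authorization_header):
    """Mimic BasicAuthentication with Operation=Decode: return
    (client_id, client_secret), or None when the header is missing or
    malformed (with IgnoreUnresolvedVariables=false the proxy would fault)."""
    if not authorization_header:
        return None
    scheme, _, encoded = authorization_header.partition(" ")
    if scheme.lower() != "basic" or not encoded.strip():
        return None
    try:
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # RFC 7617: the user-id cannot contain ':'; everything after the first ':' is the password.
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def verify_api_key(client_id):
    """Mimic VerifyAPIKey: accept only a client_id that exists in the app store.
    Note that the secret is not inspected here."""
    return client_id in REGISTERED_APPS


def verify_client_secret(client_id, client_secret):
    """Extra check (assumption, not part of VerifyAPIKey): constant-time
    comparison of the presented secret with the stored one."""
    stored = REGISTERED_APPS.get(client_id)
    return stored is not None and hmac.compare_digest(stored.encode(), client_secret.encode())


def authenticate(authorization_header, require_secret=True):
    """Run the two policies in the order the answer describes."""
    creds = decode_basic_auth(authorization_header)
    if creds is None or not verify_api_key(creds[0]):
        return False
    return verify_client_secret(*creds) if require_secret else True
```

Running authenticate with require_secret=False reproduces what the two policies alone enforce: a valid client_id passes even when the secret is wrong.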


@Rajesh Nimmada, can you please update the question with what exactly you are trying to do? What do you expect to see? What do you see?

Sorry for jumping in 🙂

The above solution mentioned by @arghya das has one big advantage:

  • no separate user database to be maintained

However

  • client secret is supposed to "generate dynamic" token.

Is it okay to perform basic authentication the above way?

Is it a bad practice for all of us who are Apigee customers / users?

Can someone shed light on it?

Thanks & Regards

Sujith Mathew

This BasicAuthentication policy does not enforce Basic Authentication on a request to an API proxy. Instead, you use it to Base64 encode/decode credentials.

More info here: http://docs.apigee.com/api-services/reference/basic-authentication-policy