passing plain username and password to target endpoint

Hi,

I have a policy where I specified a plain username and password and am passing it over to the target endpoint.

Any suggestions or implementations/examples to achieve the same in APIGEE?

1 ACCEPTED SOLUTION

Yes, you can retrieve the username/password credentials from the KVM, or from some other store, if you prefer. 

Let's take a step back.  The BasicAuthentication policy does one of two things: ENCODE or DECODE a Basic Auth header.  You want to ENCODE, as I understand. That's pretty simple: take a username, and a password, concatenate them with a colon separating them, then base64-encode that blob, and then insert the keyword "Basic "  in front of the result, and insert that into the Authorization header. 

The BasicAuthentication policy allows you to specify variables that hold the username and password.  In your configuration it looks like you used request.header.username and request.header.password as the variables.  Those variables will hold the values of the headers in the ambient request - the Username header and the password header.  Maybe you got that policy configuration from a sample. 

But of course you can refer to any variable.  And in particular, you can refer to variables that were loaded with values via a KeyValueMapOperations policy with GET operation.  In other words you can read them from KVM.  Supposing that your KVM policy reads like this:

<KeyValueMapOperations name='KVM-Get-1' >
  <Scope>environment</Scope>
  <ExpiryTimeInSecs>300</ExpiryTimeInSecs>
  <Get assignTo='private.username'>
    <Key>
      <Parameter>username-for-backend-1</Parameter>
    </Key>
  </Get>
  <Get assignTo='private.password'>
    <Key>
      <Parameter>password-for-backend-1</Parameter>
    </Key>
  </Get>
</KeyValueMapOperations>

Then your basic auth policy can refer to private.username and private.password : 

<BasicAuthentication name='BA-1'>
   <DisplayName>Encode Basic Authentication Header</DisplayName>
   <Operation>Encode</Operation>
   <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
   <User ref='private.username'/>
   <Password ref='private.password'/>
   <AssignTo createNew='false'>request.header.Authorization</AssignTo>
</BasicAuthentication>

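The Encode operation described in the answer above, together with its inverse, as an added example that is not part of the original answer or of Apigee's own code. It runs under Node.js (global `Buffer`); the function names and sample credentials are constructed for illustration. It shows that the header is reversible without any key, which is why the values belong in `private.` variables and the target connection should use TLS.

```javascript
// Added example (not from the original thread). Runs under Node.js.
// Mirrors the two operations of the BasicAuthentication policy as described above.

// Encode: "<user>:<password>" -> base64 -> prefixed with "Basic ".
function encodeBasicAuth(username, password) {
  if (typeof username !== 'string' || typeof password !== 'string') {
    throw new TypeError('username and password must be strings');
  }
  // The first colon is the separator, so a colon in the username would
  // shift the user/password boundary when the receiver decodes the header.
  if (username.includes(':')) {
    throw new Error('username must not contain a colon');
  }
  // Control characters are not allowed in either field (RFC 7617).
  if (/[\u0000-\u001f\u007f]/.test(username + password)) {
    throw new Error('control characters are not allowed');
  }
  const blob = Buffer.from(`${username}:${password}`, 'utf8');
  return 'Basic ' + blob.toString('base64');
}

// Decode: the inverse. No key is involved, so anyone who can read the
// header (logs, traces, a non-TLS hop) recovers the password.
function decodeBasicAuth(headerValue) {
  const m = /^Basic +([A-Za-z0-9+\/]+={0,2})$/i.exec(headerValue || '');
  if (!m) {
    throw new Error('not a Basic Authorization header');
  }
  const text = Buffer.from(m[1], 'base64').toString('utf8');
  const sep = text.indexOf(':');
  if (sep < 0) {
    throw new Error('decoded credentials contain no colon');
  }
  // Split on the FIRST colon only: the password may itself contain colons.
  return { username: text.slice(0, sep), password: text.slice(sep + 1) };
}

// Constructed sample values, not real credentials.
const header = encodeBasicAuth('Aladdin', 'open sesame');
const roundTrip = decodeBasicAuth(header);
console.log(header);
console.log(roundTrip);
```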

5 REPLIES

Can we use basic authentication policy to mimic the same in APIGEE?


Yes, that's the point of that policy.

Thanks Dino. I have implemented the solution and it's working. Just checking if there is any scope for improvement.

I injected headers username and password and am passing them to the Basic authentication policy like below. We hardcoded the username and password. Can we use KVM? Is it possible to retrieve the credentials from KVM and pass them under headers?


Thanks. Currently we are using APIGEE X. I am trying to create a KVM, gave the scope as environment, and deployed. After the deployment, I am not seeing them under the environments section. Am I doing anything wrong here?
