Call to Basic Auth API Server causing a 302 Redirect - Basic Authentication issue?

Not applicable

I am trying to connect to an API server requiring Basic Authentication.

I have a KVM created called "MyKVM" with username and password keys (and their values).

I have this KVM Policy attached in the Proxy PreFlow:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<KeyValueMapOperations continueOnError="false" enabled="true" name="getCredentials" mapIdentifier="MyKVM" async="false">
    <DisplayName>getCredentials</DisplayName>
    <ExclusiveCache>false</ExclusiveCache>
    <ExpiryTimeInSecs>300</ExpiryTimeInSecs>
    <Get assignTo="username" index="1">
        <Key>
            <Parameter>username</Parameter>
        </Key>
    </Get>
    <Get assignTo="password" index="1">
        <Key>
            <Parameter>password</Parameter>
        </Key>
    </Get>
    <Scope>environment</Scope>
</KeyValueMapOperations>

I have this Basic Authorization policy attached next in the Proxy PreFlow:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<BasicAuthentication name="BasicAuthorization">
    <DisplayName>BasicAuthorization</DisplayName>
    <Operation>Encode</Operation>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <User ref="username"/>
    <Password ref="password"/>
    <AssignTo createNew="false">request.header.Authorization</AssignTo>
</BasicAuthentication>

Now when I attempt to call the API server, the server is sending a 302 (redirect) without accepting my authentication and not resulting in a GET of the API information I'm looking for.

I know this is a very simple process. Please tell me if my Policies are wrong or something on my API server is causing the problem (with the redirect). I've read that a Redirect will strip the Header information but is there a way in Apigee to prevent that or replace the Header information. Thanks.

*** Additional comments***

It's possible my Endpoints or routing is not correct....

The way the API server behaves is:

www.example.com redirects to www.example.com/folder/login

when you login, it takes you to www.example.com/v2/myAPI

So I'm not sure how to put the Target URL and the basepath.

My current target URL is Default at www.example.com

My current basepath is /v2/myAPI.

If I change the Target URL to www.example.com/folder/login, it gives me 200 but does not pass Basic auth header and login for me, thus giving me access to www.example.com/v2/myAPI

Thanks for any help.

0 6 2,325
6 REPLIES 6

akoo
Participant V

Hi @Todd Cavanaugh,

Without knowing your backend details, it would seem odd that invalid authentication would result in a 302; I would instead expect a 401. Can you try calling your backend directly with the credentials and let us know if you still get a 302 redirect?

Direct URL call of "https://www.example.com/api?username=xxxx&password=yyyy" results in a 401. If I go to root site, "https://www.example.com", it redirects me to "https://www.example.com/portal/login.html". I am then prompted to login. If I do this manually, it appears to create a session cookie. Then I'm able to get a 200 from example URL. However, I still get a 302 through Apigee link. Could my Target Endpoint URL be set wrong? Do I need to add "portal/login.html" to it? Any other thoughts?

I suspect your target endpoint URL is set wrong. In addition, you will want to be able to call your target endpoint URL with the exact headers, query params, payload etc. that will yield a good response (whether that be a token, 200 OK, or something else). I am also concerned that you are using basic authentication to directly protect resources-- as I understand, you are not providing an access token in response. But that is a separate discussion.

Hey Alex, I just posted some more useful info if you could help me....see additions to my post above. (#4 and #5 in the list most importantly)

Hey Todd, I would say that #4 and #5 are best handled in your client application that is consuming the response from your backend. The client app would pull the JSESSIONID cookie out of the header in the response and use it on subsequent API calls.

The subsequent API calls should be decoupled from your JSESSIONID cookie retrieval API call.

Taking a step back, I would also recommend leveraging OAuth 2.0 and perhaps RO Password Credentials grant type (assuming this is a trusted app based on what I'm seeing). This way Edge can identify the application that is requesting access and username/password is sent in elsewhere.

Not applicable

I was able to obtain the Rules for access to my API Server...

Here are the steps to access put forth by the API server...

1. Obtain a valid username and password for your account

2. Encode the username and password: Using Base64 Encoding, encode the username and password with a colon separating them to obtain the encoded credentials e.g. johnsmith@mail.com:mysecurepassword -> am9obnNtaXRoQG1haWwuY29tOm15c2VjdXJlcGFzc3dvcmQ=

3. Put an HTTP request header called "Authorization" on any API request with the value of "Basic " e.g. Authorization: Basic am9obnNtaXRoQG1haWwuY29tOm15c2VjdXJlcGFzc3dvcmQ=

4. The HTTP response will include a "Set-Cookie" header that contains a short lived session id that can be used for additional authorization requests e.g. Set-Cookie: JSESSIONID=4664C731A74FA93252FE9896FF389E2D; Path=/

5. Use the JSESSIONID cookie on all subsequent API requests e.g. Cookie: JSESSIONID=4664C731A74FA93252FE9896FF389E2D

Unfortunately, I am not a coder and merely learn by reading or asking questions.

In Apigee, can one of you guide me through the #4 and #5 above in Apigee (in layman's terms, step by step). I realize that I may just need to post this cookie question in a Javascript forum but any help is appreciated.