I am trying to create a Proxy which will receive 2 Authorization Headers, one with a Bearer token and another with Basic. The Proxy should validate the Bearer and remove it and pass the Basic one to the backend service. I am not able to selectively remove one Auth header using the below, as per the documentation:

```xml
<Remove>
  <Headers>
    <Header name="Authorization.2"/>
  </Headers>
</Remove>
```
Also when 2 headers are being sent Apigee is not able to selectively validate the Bearer. Is there a way to check the value and then remove that particular header only?
I don't know if there is any specification that disapproves having multiple-auth headers, but it's good to have custom headers to handle situations like this.
To test this, I created a proxy and added an extract-variable-policy on the request pipeline. It looks like this -
```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ExtractVariables async="false" continueOnError="false" enabled="true" name="Extract-Variables-1">
  <DisplayName>Extract Variables-1</DisplayName>
  <Properties/>
  <Header name="Authorization">
    <Pattern ignoreCase="false">Bearer {oauthtoken}</Pattern>
  </Header>
  <Header name="X-Authorization">
    <Pattern ignoreCase="false">Basic {basicauth}</Pattern>
  </Header>
  <Source clearPayload="false">request</Source>
</ExtractVariables>
```
When I send the following request, I see that both oauthtoken and basicauth variables will be populated -
```bash
# no whitespace is allowed between a header name and its colon
curl -v "http://edgeorg-test.apigee.net/api1" -H "Authorization: Bearer 123" -H "X-Authorization: Basic dG9iYWNrZW5k"
```
Once you have the values extracted, you can remove the header with an Assign-Message-policy similar to this -
```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AssignMessage async="false" continueOnError="false" enabled="true" name="Assign-Message-1">
  <DisplayName>Assign Message-1</DisplayName>
  <Properties/>
  <Remove>
    <Headers>
      <Header name="X-Authorization"/>
    </Headers>
  </Remove>
  <AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>
```
Hope this helps!
The problem is that this is a migration project from another API Management tool, so I cannot change the existing. I was trying an alternate solution, whereby I am extracting the headers and then removing and setting them again. I noticed a strange thing. If the header name is Authorizations or anything else, the below code works.

```xml
<Header name="Authorizations">
  <Pattern ignoreCase="true">Bearer {oauthtoken}</Pattern>
</Header>
<Header name="Authorizations">
  <Pattern ignoreCase="true">Basic {basictoken}</Pattern>
</Header>
```
However if you just change the name to Authorization it doesn't work anymore. It seems there is some definition associated with the header name which extracts to a string and not to an array as in the documentation. Doesn't this sound like a bug to you?
Ok. I understand. Authorization is a standard HTTP header, but not Authorizations. Hence extracting headers works with that approach only when it's Authorizations. I also believe Apigee Edge does not allow you to send multiple authorization headers.
@ishitachakraborty, what does the request look like to the proxy and to the target server? Are you sending two headers with the same name and different values, or one header with a value separated by a comma or any delimiter?
@Anil Sagar The request being sent to the Proxy has 2 Authorization headers as below:

```http
Content-Type:application/json
Authorization:Bearer TncQuodX0zk8Is8ds1D6UVVK7
Authorization:Basic c3RhZ2U6c3RhZ2UjMWNvcH
Accept:application/json
```
So yes, 2 headers with the same name and different values. However, I think that the Proxy is interpreting it as 1 header with 2 values, because the array and pattern functionality work great if I rename the header to anything else.
@ishitachakraborty, when I try to send two headers with Authorization as the key, Apigee Edge cloud generates a router / DNS kind of error. Do you see the same? Are you working on-premises?
@Anil Sagar Yes, I am working on-premises, and there is no router/DNS error. In fact I have created a workaround also using JS to split the headers (since Edge is concatenating it as a string) and then adding it back one by one, which seems to work kinda fine for now.
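The split-and-forward logic described in that workaround, written out as an added example (not the poster's code and not an Apigee-supplied API). It assumes Edge has folded the two headers into one comma-joined string, as RFC 7230 list folding would produce; the only Apigee wiring assumed is `context.getVariable`/`context.setVariable` in a JavaScript policy, which is left to the comments so the functions run stand-alone:

```javascript
// Added example. Assumed wiring inside an Apigee JavaScript policy:
//   var raw = context.getVariable("request.header.Authorization");
//   var fwd = chooseBackendAuthorization(raw, isValidBearer);
//   if (fwd === null) { /* raise a fault */ } else { context.setVariable("request.header.Authorization", fwd); }

// Split "Bearer abc, Basic xyz" into [{scheme, credentials}, ...].
// Comma splitting is safe here because Bearer (RFC 6750 b64token) and
// Basic (base64) credentials never contain commas; a scheme whose
// credentials do (e.g. Digest) would need a real RFC 7235 parser.
function splitAuthorizationHeader(raw) {
  var out = [];
  if (typeof raw !== "string") return out;
  var parts = raw.split(",");
  for (var i = 0; i < parts.length; i++) {
    var m = /^\s*([A-Za-z0-9_-]+)\s+(\S+)\s*$/.exec(parts[i]);
    if (!m) return []; // one malformed element rejects the whole header
    out.push({ scheme: m[1], credentials: m[2] });
  }
  return out;
}

// Returns the single "Basic ..." value to forward to the target, or null
// (fail closed) unless there is exactly one Bearer credential that passes
// isValidBearer and exactly one Basic credential, and nothing else.
function chooseBackendAuthorization(raw, isValidBearer) {
  var creds = splitAuthorizationHeader(raw);
  var bearers = [], basics = [];
  for (var i = 0; i < creds.length; i++) {
    var scheme = creds[i].scheme.toLowerCase();
    if (scheme === "bearer") bearers.push(creds[i].credentials);
    else if (scheme === "basic") basics.push(creds[i].credentials);
    else return null; // unexpected scheme: forward nothing
  }
  if (bearers.length !== 1 || basics.length !== 1) return null;
  if (!isValidBearer(bearers[0])) return null;
  return "Basic " + basics[0];
}

// Constructed sample: the two values shown in the thread, folded the way the
// poster describes. The validator is a stand-in; a real proxy would verify
// the token with its OAuth policy instead of comparing a literal.
var SAMPLE = "Bearer TncQuodX0zk8Is8ds1D6UVVK7, Basic c3RhZ2U6c3RhZ2UjMWNvcH";
function isValidBearer(token) { return token === "TncQuodX0zk8Is8ds1D6UVVK7"; }
```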