How to provide security for API's in Apigee without using OAuth.

Not applicable

We are trying to provide security for API's without using OAuth. We want it by using User credentials(Username and Password).

Solved Solved
5 12 1,147
1 ACCEPTED SOLUTION

@Radhika Sharma

Are you passing the "Authorization" header in your request?

This policy decodes the username and password from the Authorization HTTP header, as specified by the <Source> element. You need to pass the Base64 encoded string in the form Basic Base64EncodedString. See the attached image -

610-postman-img.png

View solution in original post

12 REPLIES 12

Hi Radhika, You could use Basic Authentication policy to do that,

http://apigee.com/docs/api-services/reference/basic-authentication-policy

This policy will request the clients for user/pass, and will be accessible to you in the flow. You could use it to validate against your existing identity provider or use API Baas to manage your identity store

Thank You Mukundha. But while I'm tracing 500 error is coming. What is the problem with that.

the error suggests missing Authorization header in the client request.. are you sure of sending basic auth header from your client?

can you also share your policy / proxy?

Not applicable

Is that 500 because of the 'Basic Authentication' policy failure?

You should use the 'Decode' function if you are trying to authenticate:

<BasicAuthentication name="DecodeBaseAuthHeaders">
   <DisplayName>Decode Basic Authentication Header</DisplayName>
   <Operation>Decode</Operation>
   <User ref="username_variable" />
   <Password ref="password_variable" />
   <Source>request.header.Authorization</Source>
</BasicAuthentication>

Is your policy something similar? If yes, and you if you are sending a proper basic auth (Authorization) header, you should see these 2 variables in your flow, with the appropiate values you can then use to authenticate:

username_variable
password_variable

I tried with decode function also. I'm using basic authentication header. But still I'm getting 500 error and showing the error message as below:

{"fault":"{\"detail\":{\"errorcode\":\"steps.basicauthentication.UnresolvedVariable\"},\"faultstring\":\"Unresolved variable : request.header.Authorization\"}"}

@Radhika Sharma

Are you passing the "Authorization" header in your request?

This policy decodes the username and password from the Authorization HTTP header, as specified by the <Source> element. You need to pass the Base64 encoded string in the form Basic Base64EncodedString. See the attached image -

610-postman-img.png

I'm getting the following error. How can I get the Base64 Encoded String.

@Radhika Sharma , You can do base64 encode using this online tool here . Click on encode and use username:password in the text box.

Thank You Anil Sagar. Now I can able to get the base64 encode using that tool. If I want to display the data in Browser using my username and password, how can I do that.

If you use Postman, you can get the base64 string for your username and password. Enter your credentials and click Refresh Headers. It will set Authorization header for the API call.

615-postman-base64-encode.png

If you are looking for a library to create Base64 encoding string on your Web app, there are a bunch of JS libraries available which can help you. Check out this StackOverflow post.

Thank you Sudheendra. Now, I can able to get the data in postman client. Even though when I click Refresh headers I can't able to see the data in browser when I'm giving the API.

Click on Headers button, it will show all the Headers that are set. You will see the Base64 encoded Auth header.