2 Authorization headers - Microgateway uses OAuth2 with header "Authorization : Bearer XXXXXX" and target server requires Basic Auth header


Hi,

I have a target server which requires a Basic Auth header, i.e. "Authorization : Basic XXXXXX", and in our organization, to make calls through Microgateway, we are using an OAuth token with header "Authorization : Bearer XXXXXXXXXXX" instead of the x-api-key header.

My problem is how to make a call via Microgateway to the proxy created for such a target server, since Microgateway can't access the header added by any policy on Apigee Edge.

Please let me know if such a custom Microgateway plugin exists or whether I need to write a custom plugin myself to solve this issue.

P.S. I cannot change OAuth to use the x-api-key header as this is an organization standard.


It seems you'll need to write a custom plugin then. You can use this sample that shows how to add headers to requests.

https://github.com/apigee/microgateway-plugins/tree/master/header-uppercase

This other sample shows how to extract a basic authorization header. It shows how to manipulate base64 encoding/decoding.

https://github.com/apigee/microgateway-plugins/tree/master/bauth

One thing you'll need to figure out is where to safely store the userid/password to be added to the basic authorization. Note that having the x-api-key wouldn't be enough, as basic authentication requires a userid and password, and the api key is essentially just a user id; you'd need to complement it with the api secret.

Former Community Member

I think @deboraelkin's solution is the right one. But before we settle on that: the OAuth token is sent in the Authorization header. How are the basic auth credentials sent? Some sort of custom header? Is it always the same basic auth to the backend?

Thanks @deboraelkin @srinandans for the response. We are yet to decide on how to manage the client credentials. We don't want to store the credentials in our environment.

We would ideally want the client to take the responsibility of sending a header with the base64-encoded credentials.

If I may ask, is there a way where the user can send 2 headers with the same name Authorization, where "Authorization : Bearer XXXXXX" gets picked up by OAuth and "Authorization : Basic XXXX" gets passed along to the target server?

Or is a custom header with a custom plugin the only solution, since there cannot be two Authorization headers?

Let me know what would be the best practices to follow in this scenario.


It seems as if you'll have to go with a custom header.

The HTTP protocol specifies that no duplicate headers should be sent (with the exception of set-cookie).

Even if you send duplicate Authorization headers, the microgateway oauth plugin will only pick one and you can't predict which one (it uses the Node.js request module, which explicitly discards duplicate authorization headers: https://nodejs.org/api/http.html#http_message_headers).

Former Community Member

There are two options:

1) As @deboraelkin suggests, a custom header. You'll need a custom plugin for this.

2) I read that you can send multiple tokens in the same header according to the specification, like this:

Authorization: Bearer xxxxx; Basic nnnnn

MG currently doesn't handle this. You'll still need a custom plugin.

Hi @deboraelkin @srinandans : Thanks for the response again.

I examined the oauth MGW plugin and here is what I have found out.

In the scenario where we pass 2 Authorization headers:

Authorization : Basic XXXXXX 
Authorization : Bearer YYYYYY

The OAuth plugin receives a single Authorization header with Basic and Bearer comma-separated, as shown below.

Authorization: Basic XXXXXX , Bearer YYYYY

The ordering of values before and after the comma depends on the order in which the Authorization headers are passed. In this case Basic first and Bearer next, hence the above order.

We want to implement the following as a solution:

1. Let the user send 1 Authorization header in the format:

Authorization: Basic XXXXXX , Bearer YYYYY

2. Edit the oauth plugin itself to extract and store the Basic value if it exists.

3. Make sure that only the Bearer value gets passed to the token verify method.

4. Make sure to add an Authorization header with only the Basic value to be passed to the target server.

I am skipping details related to the code changes on the OAuth plugin to make the above steps work.

Please let me know if this solution is acceptable or any suggestion for improvements.

I am planning to avoid writing a custom plugin because we might need to include this in only a few proxies.

With the current solution, OAuth works on all proxies and no config.yml file change is required.
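The four-step approach proposed in this post, written out as two small Edge Microgateway plugins rather than as a patch to the stock oauth plugin. This is an added example, not code from this thread or from the apigee/microgateway-plugins repository. The plugin names, the property stashed on the request and the sequence placement are assumptions: the plugin API shape init(config, logger, stats) returning { onrequest(req, res, next) }, that the same req object flows through every plugin in the config sequence (so a value stashed by one plugin is visible to the next), and that the sequence is arranged as split-auth-strip, oauth, split-auth-restore. Basic and Bearer credentials are token68 values, which never contain commas, so splitting the joined header on commas is safe regardless of which scheme the client sent first; the Basic part is additionally checked to decode to user-id:password before it is forwarded.

```javascript
'use strict';
// Added example: two hypothetical Edge Microgateway plugins that split a combined
// "Authorization: Basic xxx, Bearer yyy" header (either order) so that the oauth
// plugin sees only the Bearer token and the target receives only the Basic credential.
// Assumed plugin API: init(config, logger, stats) returns { onrequest(req, res, next) },
// and the same req object is passed to every plugin in the configured sequence.

// Parse a comma-joined Authorization value into { scheme: credential } with lower-cased
// scheme names. Basic and Bearer credentials are token68 (RFC 7235), so they contain
// no commas and a plain comma split is safe. The first occurrence of a scheme wins.
function parseAuthorization(value) {
  const creds = {};
  if (typeof value !== 'string') return creds;
  for (const part of value.split(',')) {
    const m = /^\s*(\w+)\s+(\S+)\s*$/.exec(part);
    if (!m) continue; // malformed fragment, ignore it
    const scheme = m[1].toLowerCase();
    if (!(scheme in creds)) creds[scheme] = m[2];
  }
  return creds;
}

// A Basic credential must be base64 and decode to "user-id:password" (RFC 7617);
// anything else is dropped rather than forwarded blindly to the target.
function isWellFormedBasic(b64) {
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(b64)) return false;
  return Buffer.from(b64, 'base64').toString('utf8').includes(':');
}

// Plugin 1 (hypothetical name "split-auth-strip"), placed BEFORE oauth in the sequence:
// stash the Basic credential on the request and leave only "Bearer <token>" for oauth.
function stripInit(config, logger, stats) {
  return {
    onrequest(req, res, next) {
      const creds = parseAuthorization(req.headers['authorization']);
      if (creds.basic && isWellFormedBasic(creds.basic)) {
        req.targetBasicCredential = creds.basic; // hypothetical property name
      }
      if (creds.bearer) {
        req.headers['authorization'] = 'Bearer ' + creds.bearer;
      }
      next();
    },
  };
}

// Plugin 2 (hypothetical name "split-auth-restore"), placed AFTER oauth: the token has
// been verified by now, so replace it with the Basic credential for the target. If no
// Basic credential was supplied, remove the header so the gateway token is never
// forwarded to the backend.
function restoreInit(config, logger, stats) {
  return {
    onrequest(req, res, next) {
      if (req.targetBasicCredential) {
        req.headers['authorization'] = 'Basic ' + req.targetBasicCredential;
        delete req.targetBasicCredential;
      } else {
        delete req.headers['authorization'];
      }
      next();
    },
  };
}

// In a real deployment each plugin directory's index.js exports its own factory as
// `init`; both are exported here only so the file can be exercised as one module.
if (typeof module !== 'undefined') {
  module.exports = { parseAuthorization, isWellFormedBasic, stripInit, restoreInit };
}
```

Because the Basic credential travels through the gateway in base64 (not encrypted), this only makes sense when the client-to-gateway leg is TLS, and the restore plugin should be the last thing that touches the Authorization header before the request is proxied, or the oauth plugin's own header handling will override it.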

The moment you modify the oauth plugin, you're essentially creating a custom plugin, with the added risk that your changes may be lost if you upgrade microgateway to a newer version.

It's probably best to give it a different name (even if the code is essentially the same) and make it a true custom plugin. Once you have your custom plugin you can disable the default oauth plugin.

Thanks @deboraelkin , I had not thought about the upgrade. This info is very helpful.

EMG (Edge Microgateway) supports changing the Authorization Header name (default is Authorization: Bearer) to a custom header (say 'x-emg-authorization'), via a setting within the OAuth Section of your config.yaml file. This would be the easiest option to ensure that you can use one header for EMG Auth and then continue to use the "Authorization" header for your target / back-end applications. This would eliminate the need for custom code / plugins and a sample config is provided below.

oauth:
  allowNoAuthorization: false
  allowInvalidAuthorization: false
  authorization-header: 'x-emg-authorization'
  gracePeriod: 10

pxzxz1

Hello

Is this question solved? I encounter a similar Authorization header problem. I am using OAuth2 (Authorization: Bearer XXXXX) to the proxy and already have an existing Basic Auth (Authorization: Basic XXXXX) to the target server.

Implementing OAuth alone returned an Unauthorized error (in Postman). How do I pass two Authorizations in Apigee and run it in Postman to view?