Where to put key-value-map and basic Auth Header policies

Not applicable

Hello,

I'm trying to use apigee to encode username/password request params via basic auth, and have the encoded params sent to my application backend for the appropriate request.

I'm confused about where I should put the relevant policies. From the basicAuth documentation, it seems like I need to have 2 key-value-map policies (one to get the username, and one to get the password) then feed those both the the basicAuthentication policy, which will encode them and write the encoded value to the authorization header which gets passed along to my application for decoding.

I currently have these policies linked to the pre-flow of my apiProxy endpoint. They are applied on the request that my users send. When I pass the parameters through, i get a response back that says "Invalid username/password".

Basically I just want to make sure that this is the correct place to put these policies, and that it is correct to attach them to the request.

Also, is it correct to pass username/password arguments to my request in the following way:

http://{org-name}-test.apigee.net/v1/{resource}/?username=fred&password=pass123

0 12 4,557
12 REPLIES 12

sgilson
Participant V

If, as you say in your original post, you are passing them as query params, you can access them as:

request.queryparam.username

request.queryparam.password

The BaiscAuth policy does not require you to use the key value map policies - that is just an example if you happen to store the username/password in a key value map.

The second example on that page shows how to reference variables for the username and password. While that is specifically a decode example, you can use the same form for an encode.

Stephen

@sgilson thanks for the quick followup.

In the second example, the ref for user is "request.header.username" and for password it is "request.header.password". Since I am just passing those values as url params, do i need the "header" portion? is just "request.username" enough?

@b , It's the other way, you need to send credentials via header using Base 64 encode. Extracted username and password will be available in the further request as header variables.

If you send the credentials via url, they will be treated as query params.

As per documentation,

In this policy sample, the policy decodes the username and password from the Authorization HTTP header, as specified by the <Source> element. The Base64 encoded string must be in the formBasicBase64EncodedString.

The policy writes the decoded username to the request.header.username variable and the decoded password to the request.header.password variable.

Hi,

I am also in the similar situation.

Can you send the link, for the so said examples you are pointing out in this post ?

Thanks in Advance.

Rgds,

Nagaraj.

Hi @Nagaraj Desingurajan

- this question has been answered. If you have a new, distinct question, please ask your new question by posting it as a new question. Click the "Ask a Question" button on the front page of community.apigee.com

1588-click-here.png

Submitting a new question as a new question is much better than asking a new question on a thread that was asked and answered 6 months ago.

Thanks and good luck!

Dear @b ,

Welcome to Apigee Community 🙂

It is indeed not possible to pass the username and password via query parameters in standard HTTP auth. Instead, you use a special URL format, like this: http://username:password@example.com/ -- this sends the credentials in the standard HTTP "Authorization" header.

If you would like to decode the credentials in your proxy then you can use Basic Authentication Policy Inbound decoding method to decode username and password from base64 encoding. Decoded values will be available on request.header.username , request.header.password variables which can be sent to your backend server for further processing.

If you would like to send credentials in the header using base 64 encode technique instead of url then see approach below.

Send a base64 encode string using Authorization header , see key value pairs below.

Header Key : Authorization

Header Value : Basic <Base64EncodedString>

You can encode username password using online tools like base64encode. Encode username and password separated by colon ':'

For example , if username is 'anilsagar' and password is 'password' , then base64 encode string of 'anilsagar:password' is 'YW5pbHNhZ2FyOnBhc3N3b3Jk'

See example header below for above credentials...

Header Key : Authorization

Header Value : Basic YW5pbHNhZ2FyOnBhc3N3b3Jk

Cheers,

Anil Sagar

@Anil Sagar Yes I agree, I don't think I want to be sending via queryparams.

Is the correct way to do something like the following?

fred:pass123 http://{org-name}-test.apigee.net/v1/{resource}/

Send the information via Request Headers... Authorization = Basic <base64encodedstring> see above example for more information...

Great! I think the special format url is what I am looking for.

@Anil Sagar, I am now having trouble decoding them on my proxy server...My decode header looks something like this

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<BasicAuthentication name="DecodeBaseAuthHeaders">
   <DisplayName>Decode Basic Authentication Header</DisplayName>
   <Operation>Decode</Operation>
   <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
   <User ref="request.header.username" />
   <Password ref="request.header.password" />
   <Source>request.header.Authorization</Source>
</BasicAuthentication>

I am running a trace on my requests, which I am sending as follows: http://fred:pass123@{org-name}.apigee.net/v1/{resource}/. I keep getting a 403 sent back.

I have not implemented basicAuth username/password parsing yet in my app, but the response i'm getting back does not look like something being sent from my app '{"detail" : "Invalid username/password."}'

I'm thinking I need to have another encode authorization policy attached? This decode policy is just checking that the user did indeed send an authorization header, and nothing more. Do I need to re-encode the header after I look for it on the proxy server?

it doesn't look like fred:pass123 is being encoded in an authorization header when I pass it that way?

Yes @b, the decode policy just decodes the incoming authorization header and assigns it to the variables, in your case, 'request.header.username' and 'request.header.password' -- i would suggest to use different variable name like just username or 'BasicAuth.Credentials.username' ... [request is a predefined request object, so it will try to create a header named username and password].

To set Authorization header, you will have to use BasicAuth polciy with encode option

<BasicAuthentication name="ApplyBasicAuthHeader">
   <DisplayName>ApplyBasicAuthHeader</DisplayName>
   <Operation>Encode</Operation>
   <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
   <User ref="BasicAuth.credentials.username" />
   <Password ref="BasicAuth.credentials.password" />
   <AssignTo createNew="false">request.header.Authorization</AssignTo>
</BasicAuthentication>

attach this policy at the target request flow, this will send the authorization header to your backend