Multiple Tokens in Authorization Header

Hi,

I would like to read two different access tokens via the Authorization header, both of token type bearer. Is it possible to send a value like this?

I am looking for a Postman request to an API where I can send a header that looks something like: Authorization Bearer Token1, Bearer Token2.

I am using apigee free version (https://apigee.com/edge).


3 replies

Hi

I have realized it is possible to send authorization headers as above. At the Apigee end I used JavaScript to split the tokens and run the VerifyJWT policy as required.
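The JavaScript split described in the reply above, as an added example that is not code from the original thread: it parses a single "Bearer Token1, Bearer Token2" header, fails closed on anything that is not exactly two well-formed bearer credentials, and publishes the two tokens as flow variables for two VerifyJWT policies. The flow variable names (auth.token1, auth.token2, auth.tokens.valid) are chosen for this example; it reads request.header.Authorization.values.string because the plain request.header.Authorization variable in Apigee returns only the text before the first comma.

```javascript
// Added example (not from the original thread). Written for an Apigee
// JavaScript policy (Rhino, hence ES5 syntax) but it runs unchanged under Node.

// Characters allowed in a bearer token (token68, RFC 6750 / RFC 7235).
var TOKEN68 = /^[A-Za-z0-9\-._~+\/]+=*$/;

// Returns the bearer tokens found in the header value, or null if any
// comma-separated entry is not a well-formed "Bearer <token68>" credential.
// The scheme is matched case-insensitively (RFC 7235). One bad entry rejects
// the whole header instead of being silently dropped.
function splitBearerTokens(headerValue) {
  if (typeof headerValue !== "string" || headerValue.trim() === "") {
    return null;
  }
  var parts = headerValue.split(",");
  var tokens = [];
  for (var i = 0; i < parts.length; i++) {
    var m = /^\s*Bearer\s+(\S+)\s*$/i.exec(parts[i]);
    if (m === null || !TOKEN68.test(m[1])) {
      return null;
    }
    tokens.push(m[1]);
  }
  return tokens;
}

// Apigee glue: require exactly two tokens and expose them as flow variables
// (names are this example's own choice) for two VerifyJWT policies to check.
// Anything else marks the request invalid so a later step can raise a fault.
function extractTwoTokens(ctx) {
  var raw = ctx.getVariable("request.header.Authorization.values.string");
  var tokens = splitBearerTokens(raw);
  if (tokens === null || tokens.length !== 2) {
    ctx.setVariable("auth.tokens.valid", "false");
    return false;
  }
  ctx.setVariable("auth.token1", tokens[0]);
  ctx.setVariable("auth.token2", tokens[1]);
  ctx.setVariable("auth.tokens.valid", "true");
  return true;
}

// Inside the Apigee policy the runtime provides `context`; outside it
// (e.g. running this file under Node) nothing happens at load time.
if (typeof context !== "undefined") {
  extractTwoTokens(context);
}
```

Each VerifyJWT policy then references its own variable (for example `<Source>auth.token1</Source>`), and a RaiseFault conditioned on auth.tokens.valid = "false" rejects requests that do not carry exactly two parsable bearer tokens.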

Accepted solution:

If both tokens come in the one header, you could also use an ExtractVariables policy to extract Token1 and Token2 as follows:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ExtractVariables async="false" continueOnError="false" enabled="true" name="EV-ExtractAuthHdrs">
    <DisplayName>EV-ExtractAuthHdrs</DisplayName>
    <Properties/>
    <Header name="Authorization">
        <Pattern ignoreCase="false">Bearer {token1}, Bearer {token2}</Pattern>
    </Header>
</ExtractVariables>

If they come in 2 different Authorization headers (though I couldn't get my client to send such a request), the policy would be:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ExtractVariables async="false" continueOnError="false" enabled="true" name="EV-ExtractAuthHdrs">
    <DisplayName>EV-ExtractAuthHdrs</DisplayName>
    <Properties/>
    <Header name="Authorization.1">
        <Pattern ignoreCase="false">Bearer {token1}</Pattern>
    </Header>
    <Header name="Authorization.2">
        <Pattern ignoreCase="false">Bearer {token2}</Pattern>
    </Header>
</ExtractVariables>

Thank you. This seems to be a much better option.