Can an API proxy endpoint be Authenticated by SSO?

We are looking for a microservice architecture where the API calls would be done by UI Scripts. So when API call is made, can Single Sign On be implemented to identify the user logged into the Windows system?

yes. Maybe. (What’s a “UI Script” ? )

The script needs to be able to send a token or some other credential that indicates the user’s identity.

Let’s take one simple example. The “curl” program is widely known and used. Curl includes support for sending along a Basic Authentication header with its requests. The Basic Auth header is defined in the HTTP standards, and it describes how a program (like a browser) can send user authentication information in the request. It says “concatenate the username and password, with a separating colon, then base64-encode the result of that, and place the resulting blob in the Authorization header, preceded by the keyword ‘Basic’ and a space.” Kinda like this:

Authorization: Basic BASE64-ENCODE(username + ":" + password)

Now, normally if you just invoke curl from the command line, and you want curl to invoke an HTTP endpoint that demands HTTP Basic Authentication, you need to explicitly specify the username and password in the options you pass to curl. Like this:

curl -u username:password https://endpoint-goes-here/foo/bar

In this case curl will automatically base64-encode the thing and place it into the proper header.

There is another option to curl, related to this, that tells curl “go get the username and password from a secret stash file”. This is the -n option, and when you use it, curl will look up the hostname from the URL in that file, retrieve the username and password, and then create the appropriate base64 blob and send it along as normal. Use it like this:

curl -n https://hostname-goes-here/foo/bar

Now, in order to use this option for curl , you need to have previously set up the stash file: .netrc on Linux, and _netrc on Windows.

Why am I telling you all of this?

Well in the simplest case you could write a script that invokes curl, with the -n option, and curl would do the right thing as above.

BUT, you said “Windows”. So there are other options. PowerShell, for example, can read encrypted passwords from stash files. You could write a PowerShell module to do the same thing curl does.

Or, there’s a way for PowerShell to run a command with delegated identity.

Or, here’s a way for PowerShell to request a token from an STS. You could then send that SAML token along with API requests.

Or… lots of other ways.

None of this has anything to do with Apigee Edge, of course. Up until now I’m just describing ways for the client to send credentials to the API endpoint. That seems to be the tricky part.

I say that because, when Apigee Edge receives an inbound request, it can authenticate the credentials or token passed to it, in myriad ways. So the hard problem is “how to get the creds and send them along from the client.”
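The two pieces the answer above describes, building the Basic Authorization header and looking a host up in a .netrc / _netrc stash the way curl -n does, as an added Python example that is not from the original post or from curl. The stash content is constructed, and the parser is a simplified reading of the format (machine / login / password / default tokens, which may span lines; macdef blocks are not handled).

```python
import base64
from typing import Dict, List, Optional, Tuple

# Constructed sample in the layout curl's -n option reads from .netrc (Linux) or _netrc (Windows).
SAMPLE_NETRC = """\
machine api.example.com login alice password s3cret
machine other.example.com
  login bob
  password hunter2
default login guest password guest
"""


def parse_netrc(text: str) -> Tuple[Dict[str, Tuple[str, str]], Optional[Tuple[str, str]]]:
    """Return {hostname: (login, password)} plus the optional 'default' entry.

    netrc is a whitespace-separated token stream, so one entry may span several lines.
    """
    tokens = text.split()
    entries: List[List[str]] = []  # [name, login, password]
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        has_value = i + 1 < len(tokens)
        if tok == "machine" and has_value:
            entries.append([tokens[i + 1], "", ""])
            i += 2
        elif tok == "default":
            entries.append(["default", "", ""])
            i += 1
        elif tok in ("login", "password") and has_value and entries:
            entries[-1][1 if tok == "login" else 2] = tokens[i + 1]
            i += 2
        else:
            i += 1  # skip tokens this simplified parser does not model (e.g. 'account')
    hosts = {name: (login, pw) for name, login, pw in entries if name != "default"}
    default = next(((login, pw) for name, login, pw in entries if name == "default"), None)
    return hosts, default


def basic_auth_header(username: str, password: str) -> str:
    """Build the value curl sends for -u username:password: 'Basic ' + base64(user:pass)."""
    if ":" in username:
        raise ValueError("Basic auth cannot encode a username containing ':'")
    blob = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {blob}"


def header_for_host(netrc_text: str, hostname: str) -> Optional[str]:
    """Mimic curl -n: pick the host's entry (or the default) and produce the header value."""
    hosts, default = parse_netrc(netrc_text)
    creds = hosts.get(hostname, default)
    return None if creds is None else basic_auth_header(*creds)
```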