How can we configure client-id in basic authentication policy and how we can verify that in verify-api key policy?
@Rajesh Nimmada, can you please update the question with what exactly you are trying to do? What do you expect to see? What do you see?
Basic authentication policy is simply a policy that can base64 encode or decode a string into its constituent variables. It actually doesn’t verify anything like client_id or secret or anything like that.
If you want to verify the client_id, you need to use the VerifyAPIKey policy; a sample would look like this:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<VerifyAPIKey async="false" continueOnError="false" enabled="true" name="VerifyAPIKey">
    <DisplayName>VerifyAPIKey</DisplayName>
    <Properties/>
    <!-- The key is read from the client_id flow variable rather than from a header or query parameter -->
    <APIKey ref="client_id"/>
</VerifyAPIKey>
If your use-case is something like this:
“The client would pass the client_id and secret as a Base64 encoded Basic Auth header, and you would like to perform a VerifyAPIKey operation on that after extracting the key from the basic auth header.”
In the above case, you would have a BasicAuthentication policy with the encode operation like below:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- enabled must be "true", otherwise the policy is skipped and client_id/client_secret are never populated -->
<BasicAuthentication async="false" continueOnError="false" enabled="true" name="BasicAuthentication">
    <DisplayName>BasicAuthentication</DisplayName>
    <!-- Decode splits the Base64 "user:password" value from the header into the two variables below -->
    <Operation>Decode</Operation>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <User ref="client_id"/>
    <Password ref="client_secret"/>
    <Source>request.header.Authorization</Source>
</BasicAuthentication>
Once this policy executes, you would have the client_id in the “client_id” variable and the secret in the “client_secret” variable. After that you can invoke the VerifyAPIKey policy as shown above, which refers to the client_id variable. I hope this helps.
If this answers your query please accept my answer so that the others can benefit from it.
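The two-step flow described in the answer above (decode the Basic header into client_id/client_secret, then verify only the client_id against the registered app keys), written out as a stand-alone Python example added here, not code from the original thread or from Apigee. The key registry, the key values and the header values are constructed placeholders; the point it makes concrete is that the decode step accepts any well-formed header, and only the separate verify step decides whether the key is valid, while the decoded secret is never checked.

```python
import base64
import binascii
import hmac

# Constructed stand-in for the developer-app store that VerifyAPIKey consults.
# Key strings and app names are placeholders, not real Apigee values.
APPROVED_KEYS = {
    "app-key-0001": {"app": "demo-app", "status": "approved"},
    "app-key-0002": {"app": "old-app", "status": "revoked"},
}


class BasicAuthDecodeError(ValueError):
    """Raised when the Authorization header is not a well-formed Basic credential."""


def decode_basic_auth(header_value):
    """Equivalent of BasicAuthentication with Operation=Decode: split the header
    into (user, password). Nothing is checked against a store here."""
    if header_value is None:
        raise BasicAuthDecodeError("missing Authorization header")
    scheme, _, encoded = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not encoded:
        raise BasicAuthDecodeError("not a Basic credential")
    try:
        raw = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise BasicAuthDecodeError("credential is not valid base64") from exc
    # Only the first colon separates user from password (the password may contain colons).
    user, sep, password = raw.partition(":")
    if not sep:
        raise BasicAuthDecodeError("credential lacks the user:password separator")
    return user, password


def verify_api_key(client_id):
    """Stand-in for VerifyAPIKey: the key must exist and belong to an approved app.
    Returns the app record, or None when the key is unknown or revoked."""
    for key, record in APPROVED_KEYS.items():
        # Constant-time comparison so lookup timing does not depend on matching prefix length.
        if hmac.compare_digest(key.encode(), client_id.encode()):
            return record if record["status"] == "approved" else None
    return None


def handle_request(headers):
    """Run the two policies in order, as the proxy flow would, and report the outcome."""
    try:
        client_id, client_secret = decode_basic_auth(headers.get("Authorization"))
    except BasicAuthDecodeError as exc:
        return {"status": 401, "reason": str(exc)}
    record = verify_api_key(client_id)
    if record is None:
        return {"status": 401, "reason": "invalid or revoked API key"}
    # client_secret was decoded but, exactly as in the thread's setup, never verified.
    return {"status": 200, "app": record["app"], "client_id": client_id, "secret_checked": False}


def basic_header(user, password):
    """Equivalent of Operation=Encode; used here only to construct sample input."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


if __name__ == "__main__":
    for hdr in (basic_header("app-key-0001", "s3cret"), basic_header("app-key-0002", "x"),
                "Bearer abc", "Basic !!!notbase64", None):
        print(hdr, "->", handle_request({"Authorization": hdr} if hdr else {}))
```

Running the block shows an approved key passing with any secret at all, a revoked key, a non-Basic scheme and a non-base64 value each rejected at the step responsible for them, and `secret_checked` always `False`, which is the behaviour to keep in mind when deciding whether this setup is sufficient for your use case.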
Sorry for jumping in.
The above solution mentioned by @arghya das has one big advantage:
- no separate user database to be maintained
However
- the client secret is supposed to generate a “dynamic” token.
Is it okay to perform basic authentication the above way?
Is it a bad practice for all of us who are apigee customers / users ?
Can someone shed light on it?
Thanks & Regards
Sujith Mathew
This BasicAuthentication policy does not enforce Basic Authentication on a request to an API proxy. Instead, you use it to Base64 encode/decode credentials.
More info here: http://docs.apigee.com/api-services/reference/basic-authentication-policy