Security Policy - Basic Authentication


Encode:

The client sends a username and password, but the target server expects them Base64-encoded in the Authorization header. To bridge that gap we use a BasicAuthentication policy in the API proxy.

The policy takes the username and password as input and converts them into Base64. The two values are concatenated with a colon before encoding, and the resulting string is assigned to the Authorization header in the format below:
request.header.Authorization = Basic <Base64-encoded string>

Create a reverse proxy with the target endpoint http://httpbin.org/get.
Let's assume this target requires authorization with username ABCD and password xyz@123, which we will pass in as query parameters, and that the backend (target) expects an Authorization header.
Attach the BasicAuthentication policy at: proxy endpoint --> PreFlow --> Request.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<BasicAuthentication continueOnError="false" enabled="true" name="Basic-Authentication-1">
    <DisplayName>Basic Authentication-1</DisplayName>
    <Operation>Encode</Operation>
    <!-- the operation we are doing here is Encode -->
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <User ref="request.queryparam.username"/>
    <Password ref="request.queryparam.password"/>
    <!-- the username and password are taken from the query parameters -->

    <!-- the Base64-encoded username:password is assigned to the Authorization header -->
    <AssignTo createNew="false">request.header.Authorization</AssignTo>

    <!-- Source is only consulted by the Decode operation; it is harmless here -->
    <Source>request.header.Authorization</Source>
</BasicAuthentication>

Let's look at how the policy Base64-encodes the username and password. The Encode policy takes them in colon-separated form:
ex: ABCD:xyz@123
encoded value: QUJDRDp4eXpAMTIz

Save and deploy the proxy

In the trace above there is an Authorization header containing the Basic-encoded form of the colon-separated username and password.

Decode:

In this example, application1 sends the request with the Authorization header already in Base64 format.
In the API proxy, the BasicAuthentication policy reads the Authorization header, decodes it to obtain the username and password, and stores them in query parameters. Those query parameters are then used to build the response message with an AssignMessage policy.
The request is then forwarded to the target system, which responds with the constructed response.

Policy code:
The policy expects its input from the Authorization header: <Source>request.header.Authorization</Source>
It decodes that value and assigns the user part to the username query parameter and the password part to the password query parameter.
The decoded values can then be used for other purposes.

Create a reverse proxy with the target endpoint http://httpbin.org/get
passthrough --> eval --> deploy

edit -> develop
Add the BasicAuthentication policy at: proxy endpoint --> PreFlow --> Request

Policy code looks like below:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<BasicAuthentication continueOnError="false" enabled="true" name="Basic-Authentication-1">
    <DisplayName>Basic Authentication-1</DisplayName>
    <Operation>Decode</Operation>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <!-- for Decode, User and Password are the variables the decoded values are written to -->
    <User ref="request.queryparam.username"/>
    <Password ref="request.queryparam.password"/>

    <!-- AssignTo is not needed for the Decode operation
    <AssignTo createNew="false">request.header.Authorization</AssignTo>
    -->

    <!-- the input for the Decode operation comes from the Authorization header -->
    <Source>request.header.Authorization</Source>
</BasicAuthentication>

Save and deploy. To see the output, the request must carry the encoded form of the username and password in the Authorization header.
Before encoding, the colon-separated username and password look like this:
ex: ABCD:xyz@123
encoded value: QUJDRDp4eXpAMTIz

We sent the Authorization header (the encoded username and password) and received the decoded username and password in the response.
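The Encode and Decode operations above are just Base64 over "username:password". The following is an added example, not Apigee code or part of the original post, that reproduces both operations in plain Python with the post's sample credentials so you can check the QUJDRDp4eXpAMTIz value yourself; it also splits on the first colon only, so a password containing ":" decodes correctly, and rejects malformed headers instead of guessing.

```python
import base64
import binascii
from typing import Tuple

# Constructed sample values taken from the post: username ABCD, password xyz@123.
USERNAME = "ABCD"
PASSWORD = "xyz@123"


def encode_basic(username: str, password: str) -> str:
    """Mirror the policy's Encode operation: 'user:pass' -> 'Basic <base64>'."""
    if ":" in username:
        # RFC 7617: the user-id must not contain a colon, or decoding is ambiguous.
        raise ValueError("username must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic(header_value: str) -> Tuple[str, str]:
    """Mirror the policy's Decode operation: 'Basic <base64>' -> (user, password).

    Splits on the first colon only, so a password containing ':' survives.
    Raises ValueError on a malformed header rather than returning garbage.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic Authorization header")
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("Authorization value is not valid Base64") from exc
    user, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("decoded credentials lack the 'user:password' separator")
    return user, password


if __name__ == "__main__":
    header = encode_basic(USERNAME, PASSWORD)
    print(header)                # Basic QUJDRDp4eXpAMTIz
    print(decode_basic(header))  # ('ABCD', 'xyz@123')
```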