Disary Nath Sarkar

Reputation: 71

API Management Basic Authentication

I have an Azure API Management and added a logic app as a back-end API. Now I want to enable basic authentication for the API Management so that when a client calls the logic app URL, which is protected by API Management, it needs to provide a username and password. I am familiar with the access restriction policy of API Management; now my question is where and how to set basic authentication credentials in the APIM?

Upvotes: 7

Views: 18496

Answers (6)

Andrei

Reputation: 1066

A bit simpler solution is to use the check-header policy: https://learn.microsoft.com/en-us/azure/api-management/check-header-policy

<set-variable name="credentials" value="username:password" />
<check-header name="Authorization" failed-check-httpcode="401" failed-check-error-message="Not authorized" ignore-case="false">
    <value>@("Basic " + System.Convert.ToBase64String(Encoding.UTF8.GetBytes((string)context.Variables["credentials"])))</value>
</check-header>

Upvotes: 2

NASASIRA

Reputation: 1

When it comes to API management, I would recommend using an API gateway like Apache APISIX. This article explains how to use Apache APISIX to implement centralized authentication management: https://medium.com/@ApacheAPISIX/using-apache-apisix-and-authing-to-implement-centralized-authentication-management-6a5f3af1a674

Hope it helps someone.

Upvotes: -1

Nilesh Sawant

Reputation: 1712

You can use the code snippet below: https://github.com/Azure/api-management-policy-snippets/blob/master/examples/Perform%20basic%20authentication.policy.xml

<policies>
    <inbound>
        <base />
        <choose>
            <!-- {{UserId}} and {{Password}} are APIM named values; reject when the header is missing,
                 empty, not Basic (AsBasic() returns null, hence ?.) or carries the wrong credentials -->
            <when condition="@(context.Request.Headers.GetValueOrDefault("Authorization")==null || context.Request.Headers.GetValueOrDefault("Authorization").Length<1 || context.Request.Headers.GetValueOrDefault("Authorization").AsBasic()?.UserId!="{{UserId}}" || context.Request.Headers.GetValueOrDefault("Authorization").AsBasic()?.Password!="{{Password}}")">
                <return-response>
                    <set-status code="401" reason="Not authorized" />
                </return-response>
            </when>
        </choose>
        <!-- do not forward the client's credentials to the backend -->
        <set-header name="Authorization" exists-action="delete" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>

And in case you want to store the password in Key Vault, you can use the policy below instead of the one above:

<inbound>
    <base />
    <!-- read the secret from Key Vault with APIM's managed identity; the identity needs read access to the secret -->
    <send-request ignore-error="false" timeout="20" response-variable-name="passwordResponse" mode="new">
        <set-url>https://mykvname.vault.azure.net/secrets/MySecretValue/?api-version=7.0</set-url>
        <set-method>GET</set-method>
        <authentication-managed-identity resource="https://vault.azure.net" />
    </send-request>
    <rewrite-uri template="/" copy-unmatched-params="true" />
    <set-backend-service base-url="https://testservice/" />
    <!-- the "value" field of the Key Vault response becomes the password sent to the backend -->
    <authentication-basic username="myusername" password="@{ var secret = ((IResponse)context.Variables["passwordResponse"]).Body.As<JObject>(); return secret["value"].ToString(); }" />
</inbound>

Hope this helps

Upvotes: 6

Dmitry Andrievsky

Reputation: 1873

Here is a code snippet to set up basic auth with username="someUser" and password="ThePassw0rd":

<policies>
    <inbound>
        <!-- Headers["Authorization"] is a string[]; Contains() requires one element to equal the exact expected value -->
        <set-variable name="isAuthOk" value="@(context.Request.Headers.ContainsKey("Authorization")
            && context.Request.Headers["Authorization"].Contains(
                "Basic " + Convert.ToBase64String(Encoding.UTF8.GetBytes("someUser:ThePassw0rd"))))" />
        <base />
        <choose>
            <!-- credentials match: nothing to do, the request continues to the backend -->
            <when condition="@(context.Variables.GetValueOrDefault<bool>("isAuthOk"))">
            </when>
            <otherwise>
                <return-response>
                    <set-status code="401" reason="Unauthorized" />
                    <set-header name="WWW-Authenticate" exists-action="override">
                        <value>Basic realm="someRealm"</value>
                    </set-header>
                    <set-body>Wrong username or password</set-body>
                </return-response>
            </otherwise>
        </choose>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>

Upvotes: 12
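The decision the inbound policies in Nilesh's and Dmitry's answers make, modelled in Python so it can be exercised locally before deploying (an added example, not APIM code or any answerer's code): it builds the same `Basic <base64>` value, parses the header roughly the way `.AsBasic()` does, answers 401 with `WWW-Authenticate` and strips `Authorization` before forwarding. The credentials, realm and the constant-time comparison are assumptions; the policies above compare with plain `!=` / `Contains`.

```python
import base64
import binascii
import hmac
from typing import Dict, Optional, Tuple

# Constructed values; in APIM they would be named values such as {{UserId}} / {{Password}}.
EXPECTED_USER = "someUser"
EXPECTED_PASSWORD = "ThePassw0rd"
REALM = "someRealm"


def expected_header(user: str, password: str) -> str:
    """The value the policies compare against: "Basic " + base64(user:password)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Approximation of the policy expression's .AsBasic(): (user, password) or None."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme != "Basic" or not token:  # scheme matched case-sensitively, like the policies
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # the password may itself contain ':'
    return (user, password) if sep else None


def inbound(headers: Dict[str, str]) -> Tuple[int, Dict[str, str], Dict[str, str]]:
    """Model of the <inbound> section: (status, response headers, headers forwarded to the backend).

    401 mirrors <return-response>; on success Authorization is removed, as
    <set-header name="Authorization" exists-action="delete" /> does.
    """
    creds = parse_basic(headers.get("Authorization"))
    ok = creds is not None and (
        # constant-time comparison is an assumption; the policies use plain string equality
        hmac.compare_digest(creds[0].encode("utf-8"), EXPECTED_USER.encode("utf-8"))
        & hmac.compare_digest(creds[1].encode("utf-8"), EXPECTED_PASSWORD.encode("utf-8"))
    )
    if not ok:
        return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}, {}
    forwarded = {k: v for k, v in headers.items() if k != "Authorization"}
    return 200, {}, forwarded
```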

Disary Nath Sarkar

Reputation: 71

I am able to solve this. I have added an access restriction policy for basic authentication and put the credentials in the policy.

Sample Policy

Basic B64Credentials

Upvotes: 0

William

Reputation: 1

If I understood your question, you can set the policy in: APIs -> All APIs or a specific one -> Design -> Inbound processing -> Code View. Inside policies/inbound you can insert:

<authentication-basic username="username" password="password" />

See more in: https://learn.microsoft.com/en-us/azure/api-management/api-management-authentication-policies#Basic

Upvotes: -1
