Send Docs Feedback

Basic Authentication policy

What

Enables you to use lightweight Basic Authentication for last-mile security. The policy takes a username and password, Base64 encodes them, and writes the resulting value to a variable. The resulting value is in the form Basic Base64EncodedString. You typically write this value to an HTTP header, such as the Authorization header.

The policy also lets you decode credentials stored in a Base64 encoded string into a username and password.

This policy does not enforce Basic Authentication on a request to an API proxy. Instead, you use it to Base64 encode/decode credentials, typically when connecting to a backend server or using a service callout policy, such as the Service Callout policy, that requires Basic Authentication.

Where

This policy can be attached in the following locations.

ProxyEndpoint TargetEndpoint
    PreFlow Flow PostFlow PreFlow Flow PostFlow    
Request    
    Response
    PostFlow Flow PreFlow PostFlow Flow PreFlow    

Samples

<BasicAuthentication name="ApplyBasicAuthHeader">
   <DisplayName>ApplyBasicAuthHeader</DisplayName>
   <Operation>Encode</Operation>
   <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
   <User ref="BasicAuth.credentials.username" />
   <Password ref="BasicAuth.credentials.password" />
   <AssignTo createNew="false">request.header.Authorization</AssignTo>
</BasicAuthentication>

In the sample policy configuration above, the username and password to be encoded are derived from the variables specified by the ref attributes on the <User> and <Password> elements. The variables must be set before this policy executes. Typically, the variables are populated by values that are read from a key/value map. See Key Value Map Operations policy.

This configuration results in the HTTP header named Authorization, as specified by the <AssignTo> element, being added to the outbound request message sent to the backend server:

Authorization: Basic TXlVc2VybmFtZTpNeVBhc3N3b3Jk

The <User> and <Password> values are concatenated with a colon prior to Base64 encoding.

Consider that you have a key/value map with the following entry:

{
  "entry" : [ {
    "name" : "username",
    "value" : "MyUsername
  }, {
    "name" : "password",
    "value" : "MyPassword
  } ],
  "name" : "BasicAuthCredentials"
}

Attach the following KeyValueMapOperations policies before the BasicAuthentication policy to be able to extract the values for your <User> and <Password> elements from the key/value store and populate them to the variables BasicAuth.credentials.username and BasicAuth.credentials.password.

<KeyValueMapOperations name="getUsername" mapIdentifier="BasicAuthCredentials">
<Scope>apiproxy</Scope>
   <Get assignTo="credentials.username" index='1'>
      <Key>
         <Parameter ref="BasicAuth.credentials.username"/> 
      </Key>
   </Get>
</KeyValueMapOperations>
and
<KeyValueMapOperations name="getPassword" mapIdentifier="BasicAuthCredentials">
   <Scope>apiproxy</Scope>
   <Get assignTo="credentials.password" index='1'>
      <Key>
         <Parameter ref="BasicAuth.credentials.password"/> 
      </Key>
   </Get>
</KeyValueMapOperations>
<BasicAuthentication name="DecodeBaseAuthHeaders">
   <DisplayName>Decode Basic Authentication Header</DisplayName>
   <Operation>Decode</Operation>
   <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
   <User ref="request.header.username" />
   <Password ref="request.header.password" />
   <Source>request.header.Authorization</Source>
</BasicAuthentication>

In this policy sample, the policy decodes the username and password from the Authorization HTTP header, as specified by the <Source> element. The Base64 encoded string must be in the form Basic Base64EncodedString.

The policy writes the decoded username to the request.header.username variable and the decoded password to the request.header.password variable.


About the Basic Authentication policy

The policy has two modes of operations:

  • Encode:  Base64 encodes a username and password stored in variables
  • Decode:  Decodes the username and password from a Base64 encoded string

The username and password are commonly stored the key/value store and then read from the key/value store at runtime. For details on using key/value store, see Key Value Map Operations policy.

Basic authentication does not provide confidentiality. Always send credentials over a TLS-enabled (HTTPS) connection to your backend service.

Element reference

The element reference describes the elements and attributes of the BasicAuthentication policy.

<BasicAuthentication async="false" continueOnError="false" enabled="true" name="Basic-Authentication-1">
   <DisplayName>Basic Authentication 1</DisplayName>
   <Operation>Encode</Operation>
   <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
   <User ref="request.queryparam.username" />
   <Password ref="request.queryparam.password" />
   <AssignTo createNew="false">request.header.Authorization</AssignTo>
   <Source>request.header.Authorization</Source> 
</BasicAuthentication>

<BasicAuthentication> attributes

<BasicAuthentication async="false" continueOnError="false" enabled="true" name="Basic-Authentication-1">

The following attributes are common to all policy parent elements.

Attribute Description Default Presence
name

The internal name of the policy. Characters you can use in the name are restricted to: A-Z0-9._\-$ %. However, the Edge management UI enforces additional restrictions, such as automatically removing characters that are not alphanumeric.

Optionally, use the <DisplayName> element to label the policy in the management UI proxy editor with a different, natural-language name.

N/A Required
continueOnError

Set to false to return an error when a policy fails. This is expected behavior for most policies.

Set to true to have flow execution continue even after a policy fails.

false Optional
enabled

Set to true to enforce the policy.

Set to false to "turn off" the policy. The policy will not be enforced even if it remains attached to a flow.

true Optional
async

Note: This attribute does not make the policy execute asynchronously.

When set to true, policy execution is offloaded to a different thread, leaving the main thread free to handle additional requests. When the offline processing is complete, the main thread comes back and finishes handling the message flow. In some cases, setting async to true improves API proxy performance. However, overusing async can hurt performance with too much thread switching.

To use asynchronous behavior in API proxies, see JavaScript callouts.

false Optional

<DisplayName> element

Use in addition to the name attribute to label the policy in the management UI proxy editor with a different, natural-language name.

<DisplayName>Policy Display Name</DisplayName>
Default:

N/A

If you omit this element, the the value of the policy's name attribute is used.

Presence: Optional
Type: String

 

<Operation> element

Determines whether the policy Base64 encodes or decodes credentials.

<Operation>Encode</Operation>
Default: N/A
Presence: Required
Type:

String.

Valid values include:

  • Encode
  • Decode

<IgnoreUnresolvedVariables> element

When set to true, the policy will not throw an error if a variable cannot be resolved. When used in the context of a BasicAuthentication policy, this setting is usually set to false because it is generally beneficial to throw an error if a username or password cannot be found in the variables specified.

<IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
Default: N/A
Presence: Required
Type:

Boolean

<User> element

  • For encoding, use the <User> element to specify the variable containing the username. Username and password values are concatenated with a colon prior to Base64 encoding. 
  • For decoding, specify the variable where the decoded username is written.
<User ref="request.queryparam.username" /> 
Default: N/A
Presence: Required
Type:

N/A

Attributes

Attribute Description Default Presence
ref

The variable from which the policy dynamically reads the username (encode) or writes the username (decode).

N/A Required

<Password> element

  • For encoding, use the <Password> element to specify the variable containing the password. 
  • For decoding, specify the variable where the decoded password is written.
<Password ref="request.queryparam.password" />
Default: N/A
Presence: Required
Type:

N/A

Attributes

Attribute Description Default Presence
ref

The variable from which the policy dynamically reads the password (encode) or writes the password (decode).

N/A Required

<AssignTo> element

For encoding, this is the variable where the encoded value, in the form Basic Base64EncodedString is written. For example, request.header.Authorization, corresponding to the Authorization header.

<AssignTo createNew="false">request.header.Authorization</AssignTo>
Default: N/A
Presence: Required
Type:

N/A

Attributes

Attribute Description Default Presence
createNew

For the BasicAuthentication policy, you will usually set this attribute to false.

In the context of BasicAuthentication, you do not want to require that the policy generate a new message. Instead, you want the destination variable to be added to the existing request message.

False Optional

<Source> element

For decoding, the variable containing the Base64 encoded string, in the form Basic Base64EncodedString. For example, specify request.header.Authorization, corresponding to the Authorization header.

<Source>request.header.Authorization</Source>
Default: N/A
Presence: Required
Type:

N/A

Flow variables

The following flow variable is set when the policy fails:

  • BasicAuthentication.{policy_name}.failed (with a value of true)

If you see variables called BasicAuthentication.{policy_name}.fault.cause and BasicAuthentication.{policy_name}.fault.name, they are not currently being used by Edge.

Error codes

The default format for error codes returned by policies is:

{
  "code" : " {ErrorCode} ",
  "message" : " {Error message} ",
  "contexts" : [ ]
}

This policy defines the following error codes. For guidance on handling errors, see Fault handling

Error Code Message / Description

InvalidBasicAuthenticationSource

Source variable : request.header.Authorization for basic authentication decode policy is not valid

Occurs on a decode when the variable containing the Base64 encoded string does not contain a valid value.

UnresolvedVariable

Unresolved variable : request.queryparam.username

Occurs when IgnoreUnresolvedVariables is false for the policy and the source variables for the decode or encode are not present. 

Schemas

See our GitHub repository samples for the most recent schemas.

Related topics

Key Value Map Operations policy

 

Help or comments?