APIKey validation Issue and Basic Authentication

yeshuaq
Explorer
0 Kudos
1,721

Hi Team,

We created an API proxy and generated an application.

We want to test the API with the 'validate API Key' policy, so I added the policy to my API proxy.

While trying to test from the developer portal, I gave the APIKey as a header and Authorization as 'None'. When I click on send, it shows the status code as 200 and a response time, but it does not trigger the API.

But when I add basic authentication, I am able to trigger the proxy endpoint and get a response.

Please let me know how to test/trigger with the APIKey alone in the header, so that if we provide the APIKey to the source application, they are able to call my target system through the API proxy.

Regards, QY

Accepted Solutions (0)

Answers (1)


TomXing
Product and Topic Expert
0 Kudos

Hi QY,

You can manually add authorization headers in Base64 format in your policy.

Though I'm wondering, when you don't specify authorization, how you can get HTTP 200 response while target is not triggered.
You can debug the API anyways.

Best regards,
Tom

yeshuaq
Explorer
0 Kudos

Hi Tom,

Thanks for the response.

The APIKey was generated at the application, and in the API provider I had given catalog provider and basic authentication.

While testing:

1. API key provided in the header without basic authentication - result is status 200 OK but no response.

2. APIKey + basic authentication (as header parameters) - works fine and I get the response.

So I would like to check the possible options to get a response by providing the APIKey alone (with Authentication as None). Can we add a basic authorization policy after the verify APIKey policy, and hard-code the authorization values in the policy itself instead of passing them at header level?

Could you please ping me the code to add authorization headers in Base64 format in the policy (basic authentication)?

Best Regards, QY

Elijah_Martinez
Product and Topic Expert
0 Kudos

Hi QY,

Sorry for the late reply. The Basic Authentication policy can be used to pass hard-coded backend authentication. It is usually not a very wise decision from a security standpoint, but it is useful in cases of testing to make life a little easier.

Basic Auth typically encodes credentials which are passed to it via variables in some way. The simplest way you can do that is with 2 policies strung together:

1) AssignMessage - you define username and password variables that contain the values you want to encode

2) Basic Authentication - you take the variables and encode them to be passed to your BE

You can use the following code to set the username and password to variables

<!-- This policy can be used to create or modify the standard HTTP request and response messages -->
<AssignMessage async="false" continueOnError="false" enabled="true" xmlns='http://www.sap.com/apimgmt'>
  <AssignVariable>
    <Name>sapapim.user</Name>
    <Value>** Enter Technical Username **</Value>
  </AssignVariable>
  <AssignVariable>
    <Name>sapapim.pass</Name>
    <Value>** Enter Technical User Password **</Value>
  </AssignVariable>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <AssignTo createNew="false" type="request">request</AssignTo>
</AssignMessage>

You can use the following code to pass Basic Auth credentials within an API Proxy from previous variables

<BasicAuthentication async='true' continueOnError='false' enabled='true' xmlns='http://www.sap.com/apimgmt'>
  <!-- Operation can be Encode or Decode -->
  <Operation>Encode</Operation>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
  <User ref='sapapim.user'></User>
  <Password ref='sapapim.pass'></Password>
  <Source>request.header.Authorization</Source>
  <AssignTo createNew="false">request.header.Authorization</AssignTo>
</BasicAuthentication>

You can read more about the Basic Authentication policy here: https://help.sap.com/viewer/66d066d903c2473f81ec33acfe2ccdb4/Cloud/en-US/693c0d1720644d57918ed77acc6...

Regards,

Elijah
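
The following is an added example, not part of the original thread or SAP's own code: a small Python check that reads the two policies from the answer above, flags Basic Authentication `ref` variables that are fed by literal `<Value>` elements, and shows that the resulting header decodes straight back to the credentials. The sample credentials (`svc_demo`, `demo-password`) and all function names are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"p": "http://www.sap.com/apimgmt"}

# Constructed sample policies mirroring the two shown in the answer above.
ASSIGN = """<AssignMessage async="false" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
  <AssignVariable><Name>sapapim.user</Name><Value>svc_demo</Value></AssignVariable>
  <AssignVariable><Name>sapapim.pass</Name><Value>demo-password</Value></AssignVariable>
  <AssignTo createNew="false" type="request">request</AssignTo>
</AssignMessage>"""
BASIC = """<BasicAuthentication async="true" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
  <Operation>Encode</Operation>
  <User ref="sapapim.user"></User>
  <Password ref="sapapim.pass"></Password>
  <AssignTo createNew="false">request.header.Authorization</AssignTo>
</BasicAuthentication>"""


def literal_variables(assign_xml):
    """Map variable name -> literal <Value> set by an AssignMessage policy."""
    out = {}
    for av in ET.fromstring(assign_xml).findall("p:AssignVariable", NS):
        name = av.findtext("p:Name", default="", namespaces=NS).strip()
        value = av.findtext("p:Value", namespaces=NS)
        if name and value is not None:
            out[name] = value
    return out


def hardcoded_basic_auth(assign_xml, basic_xml):
    """Return (refs fed by literals, Authorization header Encode would emit)."""
    literals = literal_variables(assign_xml)
    root = ET.fromstring(basic_xml)
    refs = {}
    for tag in ("User", "Password"):
        node = root.find(f"p:{tag}", NS)
        refs[tag] = node.get("ref") if node is not None else None
    findings = sorted(r for r in refs.values() if r in literals)
    header = None
    if len(findings) == 2:  # both halves are literals: the header is fully static
        pair = f"{literals[refs['User']]}:{literals[refs['Password']]}"
        header = "Basic " + base64.b64encode(pair.encode()).decode()
    return findings, header


def decode_header(header):
    """Base64 is an encoding, not encryption: recover user and password."""
    raw = base64.b64decode(header.split(" ", 1)[1]).decode()
    user, _, password = raw.partition(":")
    return user, password
```

Any finding means the backend password sits in the proxy definition in clear text and is readable by anyone who can view or export the policy, which is the security concern raised in the answer.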