
How to dynamically set the basic authentication for the target in a SAP APIM policy?

Frank_Merkle
Discoverer
0 Kudos
166

Hi all,

In this question, "Solved: Dynamically set the basic authentication for the t... - SAP Community", the answer was that it is possible to set the Basic Auth credentials dynamically via a lookup in a KeyValueMap. So I tried it, but I'm not sure whether there is only a syntax error or whether it's even possible that way.

I tried the approach of reading a custom attribute of the product and using it in a KeyValueMapOperations policy to get the Username and Password values.

It was no problem to read the custom attributes and save them to a variable. They were visible in debugging. But I couldn't use them in the following policy:

My first try was to set the mapIdentifier dynamically, but I'm not sure of the syntax. I also tried it without { } and addressing the variable directly: "verifyapikey.CheckAPIKey.apiproduct.CredentialAlias".

No success 😞 The Authorization header was always created with an empty username and password:
Basic Og== which means "Basic :"

<KeyValueMapOperations mapIdentifier="{dynamicCredentialAlias}" async="true" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
	<Get assignTo="private.auth.Username">
	    <Key>
	        <Parameter>Username</Parameter>
	    </Key>
	</Get>
	<Get assignTo="private.auth.Password">
	    <Key>
	        <Parameter>Password</Parameter>
	    </Key>
	</Get>	
	<Scope>environment</Scope>
</KeyValueMapOperations>

The second approach was to set the <Parameter> tags dynamically, but it leads to the same result as the first approach.

<KeyValueMapOperations mapIdentifier="BasicAuth" async="true" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
	<Get assignTo="Username">
	    <Key>
	        <Parameter>{dynamicUsername}</Parameter>
	    </Key>
	</Get>
	<Get assignTo="Password">
	    <Key>
	        <Parameter>{dynamicPassword}</Parameter>
	    </Key>
	</Get>
	<Scope>environment</Scope>
</KeyValueMapOperations>

<KeyValueMapOperations mapIdentifier="BasicAuth" async="true" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
	<Get assignTo="private.auth.Username">
	    <Key>
	        <Parameter ref="verifyapikey.CheckAPIKey.apiproduct.Username"/>
	    </Key>
	</Get>
	<Get assignTo="private.auth.Password">
	    <Key>
	        <Parameter ref="verifyapikey.CheckAPIKey.apiproduct.Password"/>
	    </Key>
	</Get>
	<Scope>environment</Scope>
</KeyValueMapOperations>

 

Does anyone know how to achieve this dynamic lookup with an encrypted KeyValueMap? I don't want to save the credentials in a plain text custom attribute 😄

Thanks in advance,

Frank

LorenaHanser
Associate
0 Kudos

Hi Frank!

 

Assuming that the KVM looks like this:

nameOfMyKVM

dynamicUsername    *****
dynamicPassword    *****

 

You can add a Key Value Map Operations Policy to your API Proxy to access the values:

<KeyValueMapOperations mapIdentifier="nameOfMyKVM" async="true" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
    <Get assignTo="private.usernameFromKVM" index="1">
        <Key>
            <Parameter>dynamicUsername</Parameter>
        </Key>
    </Get>
    <Get assignTo="private.passwordFromKVM" index="1">
        <Key>
            <Parameter>dynamicPassword</Parameter>
        </Key>
    </Get>
    <Scope>environment</Scope>
</KeyValueMapOperations>

(Note that you won't see variables starting with the prefix "private." in the debug mode of the API Proxy.)

 

Now you can add a Basic Authentication Policy to assign the variables "private.usernameFromKVM" and "private.passwordFromKVM" to the Authorization header of your request.

<BasicAuthentication async='true' continueOnError='false' enabled='true' xmlns='http://www.sap.com/apimgmt'>
	<Operation>Encode</Operation>
	<IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
	<User ref='private.usernameFromKVM'></User>
	<Password ref='private.passwordFromKVM'></Password>
 	<AssignTo>request.header.Authorization</AssignTo>
</BasicAuthentication>
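
A check for the `Basic Og==` symptom described in the question, as an added example that is not part of the thread and not SAP code: because `private.` variables are hidden in debug mode, this stand-alone Node.js function decodes a captured Authorization header value and reports whether the username or password is empty, without returning the secret itself. The function name and the sample credentials are constructed for illustration.

```javascript
// Added example (not from the thread). Classifies an HTTP Basic Authorization
// header value and returns only lengths, never the credentials themselves.
function inspectBasicAuth(headerValue) {
  if (typeof headerValue !== "string") {
    return { ok: false, reason: "header missing" };
  }
  // The scheme name is case-insensitive; exactly one base64 token follows it.
  const m = /^\s*basic\s+([A-Za-z0-9+/]+={0,2})\s*$/i.exec(headerValue);
  if (!m) {
    return { ok: false, reason: "not a well-formed Basic header" };
  }
  if (m[1].length % 4 !== 0) {
    return { ok: false, reason: "invalid base64 length" };
  }
  const decoded = Buffer.from(m[1], "base64").toString("utf8");
  // Only the first ':' separates user from password; a password may contain ':'.
  const sep = decoded.indexOf(":");
  if (sep === -1) {
    return { ok: false, reason: "no ':' separator in decoded credentials" };
  }
  const userLen = sep;
  const passLen = decoded.length - sep - 1;
  if (userLen === 0 && passLen === 0) {
    // This is the "Basic Og==" case: both lookups resolved to empty strings.
    return { ok: false, reason: "empty username and password", userLen, passLen };
  }
  if (userLen === 0) return { ok: false, reason: "empty username", userLen, passLen };
  if (passLen === 0) return { ok: false, reason: "empty password", userLen, passLen };
  return { ok: true, reason: "credentials present", userLen, passLen };
}

// Constructed sample headers (not real credentials).
function sampleHeader(userAndPassword) {
  return "Basic " + Buffer.from(userAndPassword, "utf8").toString("base64");
}

function demo() {
  return [
    "Basic Og==",                     // value reported in the question
    sampleHeader("svc_user:"),        // key resolved, password lookup empty
    sampleHeader("svc_user:p@ss:word"),
    "Bearer abc123",
  ].map((h) => inspectBasicAuth(h).reason);
}

console.log(demo());
```
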

 

Frank_Merkle
Discoverer
0 Kudos
Hello Lorena, thanks for your answer. Yes, this is the approach with setting fixed values in the policy. But I am trying to set some values dynamically at runtime with variables.
Frank_Merkle
Discoverer
0 Kudos
Either the <Parameter> for Username/Password or the mapIdentifier