
Basic authentication before hitting API proxy

SandeshK
Participant

Hello All,

I have a target endpoint webservice which is based on basic authentication. But I would like to use this basic authentication only while API Management hits the target endpoint. I know this would be possible by using the policy 'Basic Authentication'. Now my question is, can we also set up additional basic authentication from calling application -> API Management?

Meaning - Imagine there is basic authentication with credentials - username1/password1 on a SOAP webservice which is my target end point.

Also, I would maintain new credentials: username2/password2 in the key value map of APIM. The calling application should pass these credentials to APIM, and APIM should verify whether these credentials are the right ones by comparing them with the key value map. If they are not the right ones, the API request should be denied. If successful, APIM will send the request to the target by passing username1/password1 to the SOAP webservice (target endpoint).

Thanks,
Sandesh

Accepted Solutions (1)

saisreenivas
Participant
0 Kudos

Hi sandesh.kurumella.marketing,

It's a good idea to use your own username and password but it's not the ideal way.

Based on your requirement, you can have a KVM policy and retrieve your custom username and password first. Then, use a raise fault policy and put a condition for this execution: if the username and password sent by the user are not the same as the credentials retrieved from the KVM policy, then this policy should get executed and the user should get an error.

If not, you can add one more KVM policy and Basic authentication policy after the earlier validation and send the actual username and password to the backend.

FYI, instead of writing your own username and password, you can use the client key and client secret as username and password for input validation. These are generated when the API is added into a Product and an application is generated from the same. This way, it is more secure as the system handles the authentication, and then you can add policies to retrieve the backend username and password and send them to the target endpoint using the basic authentication policy.

Br/Sai Sreenivas.
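The flow described in the answer above (check the caller's credentials against the key value map, reject on mismatch, then send the backend credentials), as an added example in plain JavaScript; it is not part of the original posts and is not SAP API Management policy code. The `kvm` object, the function names and the 401 response shape are assumptions, and the credential values are the placeholders from the question.

```javascript
// Added example: models the gateway logic only; not an API Management policy.

// Parse "Basic <base64(user:pass)>" into {user, pass}; null when malformed.
function parseBasic(header) {
  if (typeof header !== 'string') return null;
  const m = /^Basic[ ]+([A-Za-z0-9+/]+={0,2})$/i.exec(header.trim());
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const sep = decoded.indexOf(':'); // split on the first ':'; a password may contain ':'
  if (sep < 0) return null;
  return { user: decoded.slice(0, sep), pass: decoded.slice(sep + 1) };
}

// Byte-wise comparison that does not return at the first differing byte.
function safeEqual(a, b) {
  const x = Buffer.from(String(a), 'utf8');
  const y = Buffer.from(String(b), 'utf8');
  let diff = x.length ^ y.length;
  for (let i = 0; i < x.length; i++) diff |= x[i] ^ y[i % (y.length || 1)];
  return diff === 0;
}

// headers: inbound request headers with lower-case keys (assumption).
// kvm: hypothetical stand-in for the key value map holding both credential pairs.
function handleRequest(headers, kvm) {
  const sent = parseBasic(headers['authorization']);
  // A missing map entry must deny the request, not match an empty credential.
  const configured = Boolean(kvm.clientUser && kvm.clientPass);
  // Evaluate both fields so the outcome does not show which one was wrong.
  const userOk = safeEqual(sent ? sent.user : '', kvm.clientUser || '');
  const passOk = safeEqual(sent ? sent.pass : '', kvm.clientPass || '');
  if (!sent || !configured || !userOk || !passOk) {
    return { status: 401, headers: { 'WWW-Authenticate': 'Basic realm="api"' } };
  }
  // Overwrite the caller's header so the backend only sees its own credentials.
  const token = Buffer.from(`${kvm.backendUser}:${kvm.backendPass}`, 'utf8').toString('base64');
  return { status: 200, forwardHeaders: { ...headers, authorization: `Basic ${token}` } };
}

// Constructed sample data, using the placeholder names from the question.
const KVM = { clientUser: 'username2', clientPass: 'password2',
              backendUser: 'username1', backendPass: 'password1' };
const basic = (u, p) => 'Basic ' + Buffer.from(`${u}:${p}`, 'utf8').toString('base64');
```
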

SandeshK
Participant
0 Kudos

Very clear. Thanks Sreenivas

Answers (0)