This page applies to Apigee and Apigee hybrid.
View Apigee Edge documentation.
What
Enables you to use lightweight Basic Authentication for
last-mile security. The policy takes a username and password, Base64 encodes them, and writes the
resulting value to a variable. The resulting value is in the form Basic
Base64EncodedString
. You typically write this value to an HTTP header, such as
the Authorization header.
The policy also lets you decode credentials stored in a Base64 encoded string into a username and password.
This policy is an Extensible policy and use of this policy might have cost or utilization implications, depending on your Apigee license. For information on policy types and usage implications, see Policy types.
Video: This video demonstrates how to base64-encode a username and password using the Basic Authentication policy.
Video: This video demonstrates how to decode a base64-encoded username and password using the Basic Authentication policy.
Samples
Outbound encoding
<BasicAuthentication name="ApplyBasicAuthHeader"> <DisplayName>ApplyBasicAuthHeader</DisplayName> <Operation>Encode</Operation> <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables> <User ref="BasicAuth.credentials.username" /> <Password ref="BasicAuth.credentials.password" /> <AssignTo createNew="false">request.header.Authorization</AssignTo> </BasicAuthentication>
In the sample policy configuration above, the username and password to be encoded are
derived from the variables specified by the ref
attributes on the
<User>
and <Password>
elements. The variables must be
set before this policy executes. Typically, the variables are populated by values that are
read from a key/value map. See Key Value Map
Operations policy.
This configuration results in the HTTP header named Authorization, as specified by the <AssignTo> element, being added to the outbound request message sent to the backend server:
Authorization: Basic TXlVc2VybmFtZTpNeVBhc3N3b3Jk
The <User>
and <Password>
values are concatenated
with a colon prior to Base64 encoding.
Consider that you have a key/value map with the following entry:
{ "encrypted" : true, "entry" : [ { "name" : "username", "value" : "MyUsername }, { "name" : "password", "value" : "MyPassword } ], "name" : "BasicAuthCredentials" }
Attach the following KeyValueMapOperations policies before the BasicAuthentication policy
to be able to extract the values for your <User>
and
<Password>
elements from the key/value store and populate them to the
variables credentials.username
and credentials.password
.
<KeyValueMapOperations name="getCredentials" mapIdentifier="BasicAuthCredentials"> <Scope>apiproxy</Scope> <Get assignTo="credentials.username" index='1'> <Key> <Parameter>username</Parameter> </Key> </Get> <Get assignTo="credentials.password" index='1'> <Key> <Parameter>password</Parameter> </Key> </Get> </KeyValueMapOperations>
Inbound decoding
<BasicAuthentication name="DecodeBaseAuthHeaders"> <DisplayName>Decode Basic Authentication Header</DisplayName> <Operation>Decode</Operation> <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables> <User ref="request.header.username" /> <Password ref="request.header.password" /> <Source>request.header.Authorization</Source> </BasicAuthentication>
In this policy sample, the policy decodes the username and password from the
Authorization
HTTP header, as specified by the <Source> element. The Base64
encoded string must be in the form Basic Base64EncodedString.
The policy writes the decoded username to the request.header.username variable and the decoded password to the request.header.password variable.
About the Basic Authentication policy
The policy has two modes of operations:
- Encode: Base64 encodes a username and password stored in variables
- Decode: Decodes the username and password from a Base64 encoded string
The username and password are commonly stored the key/value store and then read from the key/value store at runtime. For details on using key/value store, see Key Value Map Operations policy.
Element reference
The element reference describes the elements and attributes of the BasicAuthentication policy.
<BasicAuthentication async="false" continueOnError="false" enabled="true" name="Basic-Authentication-1"> <DisplayName>Basic Authentication 1</DisplayName> <Operation>Encode</Operation> <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables> <User ref="request.queryparam.username" /> <Password ref="request.queryparam.password" /> <AssignTo createNew="false">request.header.Authorization</AssignTo> <Source>request.header.Authorization</Source> </BasicAuthentication>
<BasicAuthentication> attributes
<BasicAuthentication async="false" continueOnError="false" enabled="true" name="Basic-Authentication-1">
The following table describes attributes that are common to all policy parent elements:
Attribute | Description | Default | Presence |
---|---|---|---|
name |
The internal name of the policy. The value of the Optionally, use the |
N/A | Required |
continueOnError |
Set to Set to |
false | Optional |
enabled |
Set to Set to |
true | Optional |
async |
This attribute is deprecated. |
false | Deprecated |
<DisplayName> element
Use in addition to the name
attribute to label the policy in the
management UI proxy editor with a different, natural-language name.
<DisplayName>Policy Display Name</DisplayName>
Default |
N/A If you omit this element, the value of the policy's |
---|---|
Presence | Optional |
Type | String |
<Operation> element
Determines whether the policy Base64 encodes or decodes credentials.
<Operation>Encode</Operation>
Default: | N/A |
Presence: | Required |
Type: |
String. Valid values include:
|
<IgnoreUnresolvedVariables> element
When set to true
, the policy will not throw an error if a variable cannot be
resolved. When used in the context of a BasicAuthentication policy, this setting is usually set
to false
because it is generally beneficial to throw an error if a username or
password cannot be found in the variables specified.
<IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
Default: | true |
Presence: | Optional |
Type: |
Boolean |
<User> element
- For encoding, use the
<User>
element to specify the variable containing the username. Username and password values are concatenated with a colon prior to Base64 encoding. - For decoding, specify the variable where the decoded username is written.
<User ref="request.queryparam.username" />
Default: | N/A |
Presence: | Required |
Type: |
N/A |
Attributes
Attribute | Description | Default | Presence |
---|---|---|---|
ref |
The variable from which the policy dynamically reads the username (encode) or writes the username (decode). |
N/A | Required |
<Password> element
- For encoding, use the
<Password>
element to specify the variable containing the password. - For decoding, specify the variable where the decoded password is written.
<Password ref="request.queryparam.password" />
Default: | N/A |
Presence: | Required |
Type: |
N/A |
Attributes
Attribute | Description | Default | Presence |
---|---|---|---|
ref |
The variable from which the policy dynamically reads the password (encode) or writes the password (decode). |
N/A | Required |
<AssignTo> element
Specifies the target variable to set with the encoded or decoded value generated by this policy.
The following example indicates that the policy should set the Authorization
header of the message to the generated value:
<AssignTo createNew="false">request.header.Authorization</AssignTo>
Default: | N/A |
Presence: | Required |
Type: |
String |
Attributes
Attribute | Description | Default | Presence |
---|---|---|---|
createNew | Determines whether the policy should overwrite the variable if the variable is already
set.
When "false", the assignment to the variable occurs only if the variable is currently unset (null). When "true", the assignment to the variable always occurs. You typically set this attribute to "false" (the default). |
false | Optional |
<Source> element
For decoding, the variable containing the Base64 encoded string, in the
form Basic
Base64EncodedString
. For example,
specify request.header.Authorization
, corresponding to the Authorization header.
<Source>request.header.Authorization</Source>
Default: | N/A |
Presence: | Required for the Decode operation. |
Type: |
N/A |
Flow variables
The following flow variable is set when the policy fails:
BasicAuthentication.{policy_name}.failed
(with a value of true)
Error reference
This section describes the fault codes and error messages that are returned and fault variables that are set by Apigee when this policy triggers an error. This information is important to know if you are developing fault rules to handle errors. To learn more, see What you need to know about policy errors and Handling faults.
Runtime errors
These errors can occur when the policy executes.
Fault code | HTTP status | Cause | Fix |
---|---|---|---|
steps.basicauthentication.InvalidBasicAuthenticationSource |
500 |
On a decode when the incoming Base64 encoded string does not contain a valid value or
the header is malformed (for example, does not start with Basic ). |
build |
steps.basicauthentication.UnresolvedVariable |
500 |
The required source variables for the decode or encode are not present. This error can
only occur if IgnoreUnresolvedVariables is false. |
build |
Deployment errors
These errors can occur when you deploy a proxy containing this policy.
Error name | Occurs when | Fix |
---|---|---|
UserNameRequired |
The <User> element must be present for the named operation. |
build |
PasswordRequired |
The <Password> element must be present for the named operation. |
build |
AssignToRequired |
The <AssignTo> element must be present for the named operation. |
build |
SourceRequired |
The <Source> element must be present for the named operation. |
build |
Fault variables
These variables are set when a runtime error occurs. For more information, see What you need to know about policy errors.
Variables | Where | Example |
---|---|---|
fault.name="fault_name" |
fault_name is the name of the fault, as listed in the Runtime errors table above. The fault name is the last part of the fault code. | fault.name Matches "UnresolvedVariable" |
BasicAuthentication.policy_name.failed |
policy_name is the user-specified name of the policy that threw the fault. | BasicAuthentication.BA-Authenticate.failed = true |
Example error response
{ "fault":{ "detail":{ "errorcode":"steps.basicauthentication.UnresolvedVariable" }, "faultstring":"Unresolved variable : request.queryparam.password" } }
Example fault rule
<FaultRule name="Basic Authentication Faults"> <Step> <Name>AM-UnresolvedVariable</Name> <Condition>(fault.name Matches "UnresolvedVariable") </Condition> </Step> <Step> <Name>AM-AuthFailedResponse</Name> <Condition>(fault.name = "InvalidBasicAuthenticationSource")</Condition> </Step> <Condition>(BasicAuthentication.BA-Authentication.failed = true) </Condition> </FaultRule>
Schemas
Related topics
Key Value Map Operations policy