Applying Basic (Base64) Authentication Policy to REST API via Security Manager Provider
In this scenario, the application of the Basic (Base64) Authentication policy to a REST API named Swagger Petstore will be tested.
The numbers in the diagram below indicate the order of the transactions.
- The Security Manager included in Apinizer requests Basic (Base64) authentication information from the API Client. If the authentication succeeds, the flow proceeds to step two.
- Apinizer makes the request to the Backend API.
- The Backend API responds to Apinizer.
- Apinizer responds to the API Client.
Creating the API Proxy
The REST API named Swagger Petstore can be accessed at https://petstore.swagger.io/.
First, this address must be defined as an API Proxy.
For this, click on the API Proxies option under the Development menu.
The page that opens shows the text No records found!, since no proxy has been defined yet.
Click the Create button in the upper right corner to start creating a new proxy.
In this section, the type of the API Proxy to be created must be chosen.
Since the API used in this scenario is Swagger 2.X, this type is chosen.
Clicking on the Enter URL option switches to the screen where the address of the API to be used is entered.
As seen in the image below, the address is entered in the URL field and the Parse button is clicked.
After the parse process is done, the screen in the image below appears.
Settings for the API Proxy can be made on this screen.
- The Usage field specifies who will use the created API Proxy; the options are publisher, consumer, and publisher and consumer.
- The Sharing Type field specifies how the created API Proxy is shared; the options are external, internal, and external and internal.
- One or both of the two API addresses under the Addresses tab can be selected; if both addresses are selected, Apinizer performs load balancing between them itself.
- The Relative Path is the address at which the API Proxy will be accessed.
- The Category List field allows the created API Proxy to be categorized.
- After these settings are made, the API Proxy is saved.
After saving, click on the Develop tab on the page that opens.
Here, the endpoints of the REST API are listed.
- Policies added under the All entry above these endpoints are applied to all endpoints.
- The created API Proxy is deployed by clicking the Deploy button at the top center.
- In the next step, Credentials are added to specify which users will have access to the created API Proxy.
Creating Credentials
The Credential to be added has username = apinizer and password = 123123aA.
For this, open the Identity Management menu.
Here, click the Credentials item under the Credential Management menu.
Click the Create button enclosed in the rectangle in the upper right corner of the screen that opens.
Here, the required fields are filled with the information specified above, and the credential is saved by clicking the Save and Deploy button.
The proxy that this credential will access must be selected: hover over the created credential and click the Edit option in the side menu.
On the screen that opens, click the API Proxy ACL tab, then click the button in this tab indicated by the red rectangle in the image.
The page that opens lists the API Proxies in the project currently being worked on. The proxy named Swagger Petstore is selected.
Clicking the Add button states that the created Credential will have access to this proxy.
The list that was previously empty now contains an API Proxy.
Click the Save and Deploy button in the upper right corner to record the change.
Defining Variable
The variable to be used in the policy must be defined.
The screen for selecting the variables to be used is shown in the image below.
Click the Add button in the red rectangle in this image.
The name of the variable to be created is written in the Name input field.
In the Type field, the type of the variable to be used is specified.
In the Header Name field, the name under which the variable is carried in the Header is specified.
The changes are saved by clicking the Save button.
Adding Authentication Policy
Now the Basic (Base64) Authentication policy can be added.
Go to the page where API Proxies are listed and select the proxy named Swagger Petstore.
Then go to the Develop tab and click the Add Policy button.
On the page that opens, the Basic (Base64) Authentication policy is selected.
Examining the fields on this screen one by one:
- The value to be selected in the Identity/Role/Group Service field is Security Manager, because the credential check will be performed by the Security Manager.
- In the Variable for authorization field, the variable defined earlier is used, because the authentication type is Basic (Base64) and the username and password used in this authentication type are Base64-encoded. In this scenario, this value is taken from the header.
- If the Clear Authentication Information option is selected, the authentication information is removed from the incoming message.
- The Add Client Info To Header option specifies whether the client information will be included in the Header sent to the backend API.
- If this option is activated, another parameter named Authenticated User Header Name appears.
- The X-Authenticated-UserId value here specifies the header name under which the client information is sent to the backend API.
When the policy is saved, the icon enclosed in a red rectangle appears.
The proxy must be deployed for the change to take effect.
Now the methods inside the proxy can be tested.
Testing API Proxy
After selecting the /pet/{petId} endpoint, the Test Endpoint button is clicked.
The petId value in the URL is entered as 2. When the Send button is pressed, the response returned is an error message, and this error is related to the applied Basic (Base64) Authentication policy: no authentication information was placed in the header.
Since Basic (Base64) Authentication is used in this proxy, the username and password must be Base64-encoded accordingly.
Performing Base64 Encoding
Under the Test menu, the Toolbox menu is selected; it contains a tool that encodes and decodes data in Base64 format. This tool is selected.
Here, the text to be encoded is written in the Decoded Data field, and the encoded result is obtained in the Encoded Data field.
The encoded form of the username and password is obtained here; then return to the page where the proxies are listed.
The proxy named Swagger Petstore is selected again.
Switch to the Develop tab, select the /pet/{petId} endpoint from the endpoints listed here and click Test Endpoint.
The petId value in the URL is again given as 2.
In Headers, the Authorization header is entered with the Base64-encoded username and password.
Clicking the Send button fetches the data for the specified id.
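As an added example (not part of Apinizer or this tutorial), the Python below builds the Authorization header value that the Toolbox step produces and models the policy settings described under Adding Authentication Policy, including the rejection seen in the first test when no authentication information is sent. The in-memory credential store, the function names and the 401 status are assumptions; the X-Authenticated-UserId header name and the apinizer / 123123aA pair are the tutorial's own values, and the "Basic " scheme prefix is the standard HTTP Basic format.

```python
import base64
import hmac
from typing import Dict, Tuple

# Constructed credential store standing in for Apinizer's Security Manager;
# the pair is the one the tutorial creates under Identity Management.
CREDENTIALS = {"apinizer": "123123aA"}

# Header name the tutorial enters in "Authenticated User Header Name".
AUTHENTICATED_USER_HEADER = "X-Authenticated-UserId"


def basic_auth_header(username: str, password: str) -> str:
    """Value the API client sends in the Authorization header.

    The Toolbox encoder produces the Base64 part from 'username:password';
    the 'Basic ' scheme prefix is standard HTTP Basic format. Base64 is a
    reversible encoding, not encryption, so the pair is readable by anyone
    who sees the request (hence the need for TLS between client and proxy)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def apply_basic_auth_policy(headers: Dict[str, str], clear_auth_info: bool = True,
                            add_client_info: bool = True) -> Tuple[int, Dict[str, str]]:
    """Model of the policy's decision (assumed behaviour, not Apinizer's code).

    Returns (status, headers forwarded to the backend API); 401 means the
    request is rejected at the proxy, as in the tutorial's first test."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return 401, {}  # no (or non-Basic) authentication information
    try:
        decoded = base64.b64decode(value[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return 401, {}  # header present but not valid Base64 text
    username, _, password = decoded.partition(":")
    stored = CREDENTIALS.get(username)
    # Security Manager verifies the credential; compare in constant time.
    if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
        return 401, {}
    forwarded = dict(headers)
    if clear_auth_info:
        del forwarded["Authorization"]  # "Clear Authentication Information"
    if add_client_info:
        forwarded[AUTHENTICATED_USER_HEADER] = username  # "Add Client Info To Header"
    return 200, forwarded
```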