Multiple Basic Authentication credentials for Azure API Management Policy

Timo Holm 71 Reputation points
2022-01-07T14:08:17.893+00:00

I have multiple API clients using different credentials for Basic authentication - so all are using Basic auth, but with different user names and passwords. How can I configure the Azure API Management API to have an inbound policy for those multiple basic authentication credentials?

The inbound policy element seems to allow only one basic authentication element, based on the error I got: "Error in element 'authentication-basic' on line 7, column 10: Only one policy statement of this type is allowed per section"

Azure API Management

1 answer

  1. MayankBargali-MSFT 70,936 Reputation points Moderator
    2022-01-10T08:01:21.44+00:00

    @Timo Holm You can only define one element for authentication-basic but I think the value can be dynamic during your policy evaluation. If your client is passing the username and password in the Authorization headers while calling your APIM then you can pass the same value passed by the client and set it to your authentication-basic policy attribute username and password.

    Update 1/13:
    You can refer to the example here. I have modified the inbound policy so the client calling the APIM service should pass the basic authentication header. In the below policy I am checking whether my client has passed the Authorization as basic type along with the encrypted username and password as per IETF RFC 7617 described here.

        <inbound>
            <base />
            <!-- Reject requests that carry no Authorization header at all -->
            <check-header name="Authorization" failed-check-httpcode="401" failed-check-error-message="No basic authorized header passed with username and password" ignore-case="false" />
            <choose>
                <!-- AsBasic() returns null when the header is not a well-formed Basic credential -->
                <when condition="@(context.Request.Headers.GetValueOrDefault("Authorization").AsBasic() == null
                    || context.Request.Headers.GetValueOrDefault("Authorization").AsBasic().Password == null
                    || context.Request.Headers.GetValueOrDefault("Authorization").AsBasic().UserId == null)">
                    <return-response>
                        <set-status code="401" reason="Not authorized" />
                    </return-response>
                </when>
                <otherwise>
                    <!-- Forward the client's own user-id and password to the backend -->
                    <authentication-basic username="@(context.Request.Headers.GetValueOrDefault("Authorization").AsBasic().UserId)" password="@(context.Request.Headers.GetValueOrDefault("Authorization").AsBasic().Password)" />
                </otherwise>
            </choose>
        </inbound>


    While calling the API I have passed the Authorization header (i.e. user-id "Aladdin" and password "open sesame") as below:

      Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==  
    

    If my basic authentication is in the correct format, then the request will be passed to the backend; if not, you will get a 401 error with the message "No basic authorized header passed with username and password".

    Note: Please test it and modify the policy as per your requirement.
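As an added illustration (not part of the answer above, and not APIM code), the following Python shows what the policy's `AsBasic()` null checks amount to when decoding an RFC 7617 header, and goes one step further toward the original question by checking the decoded pair against several known client credentials with a constant-time comparison. The credential store, the `reporting-svc` client and the helper names are constructed for this example only.

```python
import base64
import binascii
import hmac
from typing import Optional, Tuple

# Constructed credential store standing in for the several API clients in the
# question. The values are placeholders: a real gateway would keep them in APIM
# named values or Key Vault rather than in policy text.
CLIENT_CREDENTIALS = {
    "Aladdin": "open sesame",
    "reporting-svc": "correct horse battery staple",
}


def encode_basic(user_id: str, password: str) -> str:
    """Build the Authorization header value a client sends (RFC 7617)."""
    token = base64.b64encode(f"{user_id}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_header(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode an Authorization header into (user_id, password).

    Returns None for every malformed case the policy treats as null:
    missing header, wrong scheme, invalid base64, or no ':' separator.
    """
    if header is None:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # RFC 7617: the user-id may not contain ':' but the password may,
    # so split on the first colon only.
    user_id, sep, password = decoded.partition(":")
    if not sep or not user_id:
        return None
    return user_id, password


def authorize(header: Optional[str]) -> int:
    """Return the HTTP status the gateway should produce: 200 when the header
    carries one of the known client credentials, otherwise 401."""
    creds = parse_basic_header(header)
    if creds is None:
        return 401
    user_id, password = creds
    expected = CLIENT_CREDENTIALS.get(user_id)
    if expected is None:
        return 401
    # Constant-time comparison so a wrong password is not detectable by timing.
    if not hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8")):
        return 401
    return 200


if __name__ == "__main__":
    # The header from the answer above decodes to the Aladdin example.
    print(parse_basic_header("Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="))
    print(authorize("Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="))
    print(authorize(encode_basic("Aladdin", "wrong")))
```

The three `None` returns in `parse_basic_header` correspond to the three `== null` branches of the policy's `when` condition; the lookup in `CLIENT_CREDENTIALS` is the part the policy does not do, since it forwards the client's credentials to the backend rather than validating them at the gateway.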

