Usage
-
The Policy supports basic authentication between user client and Cloud API Management gateway according to rfc.
-
Username specified as
client_id(package key)and password specified as secret must be configured while defining package key for an application.Refer to Configuring Basic Credentials for more information.
cautionThe following excerpt is from Basic Auth RFC(RFC 7617, Section 4):
The Basic authentication scheme is not a secure user authentication method and does not protect the entity in any way. The most serious flaw of Basic authentication is that it results in the cleartext transmission of the user's password over the physical network. Many other authentication schemes address this problem. As Basic authentication involves the cleartext transmission of passwords, it should not be used (without enhancements such as HTTPS [RFC2818]) to protect sensitive or valuable information.
As per industry best secure practices, we recommend using better authentication schemes like OAuth2.0 access token (natively supported by Cloud API Management), third-party-based JWT Token Authentication Policy, or via third-party-based OAuth2.0 Access Token Validation Policy.
FAQs
-
What other authentication options are available out of the box besides HTTP Basic Auth in Cloud API Management?
Cloud API Management supports the following additional authentication options:
In addition, Cloud API Management Policies enable the following API security features:
-
Is the policy compliant with the RFC if the
Authorizationheader is missing from the request, or if the credentials are not present in this header using the Basic scheme?Yes.
-
What status code does the policy respond with if the
Authorizationheader is missing from the request, or if the credentials are not present in this header using the Basic scheme?The policy responds with
401 Unauthorizedresponse along withWWW-Authenticate headerto the client. -
Does policy support backward compatibility for error response codes in Cloud API Management, similar to the Proxy server. (Refer to Boomi Cloud API Management - API Documentation Portal for more information)?
Yes. To achieve this, the Policy supports the configurable parameter
Keep_Mashery_Default_Response_Code. If this parameter is configured totrue, then the Policy responds with a403response compliant with Cloud API Management error response codes.