
Design and Implementation

Sequence Diagram

Implementation Details

HTTP Basic Authentication Flow

  1. The connector reads the Authorization header from the request.

  2. If the request has no Authorization header, or the header does not carry credentials using the Basic scheme, the connector reads the pre-input boolean parameter Keep_Mashery_Default_Response_Code.

  3. If Keep_Mashery_Default_Response_Code is true, the connector responds to the client with a 403; otherwise it responds with 401 Unauthorized and a WWW-Authenticate header.

  4. The connector then takes the client credentials from the Authorization header value, that is, the token that follows the Basic scheme.

  5. The connector base64-decodes the credentials and splits the result into client_id and client_secret at the : separator. The split must be on the first colon only: RFC 7617 forbids a colon in the user-id but allows one in the password, so everything after the first colon is the secret.

  6. The client_id is usually the Cloud API Management package key. The connector looks up app developer information by client_id.

  7. If no app developer information is found for client_id, the connector responds to the client with a 403.

  8. If app developer information is found for client_id, the connector also retrieves the app developer's api_secret.

  9. If an api_secret exists for the app developer, the connector takes client_secret from the decoded Authorization header value and compares it with api_secret.

  10. If client_secret is absent from the decoded value or does not match api_secret, the connector responds to the client with a 403.

  11. If client_secret and the app developer's api_secret match, the connector forwards the request to the endpoint (the client resource), keeping the HTTP Authorization header on the forwarded request.
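The following is an added example, not the connector's or Cloud API Management's own code: a Python model of steps 1 through 11 together with the Keep_Mashery_Default_Response_Code switch, so the decision points can be exercised offline. The APP_DEVELOPERS table and the sample package keys are constructed data, and the realm string, the case-insensitive header lookup, treating undecodable base64 or a missing api_secret as a 403, and the constant-time comparison are assumptions made for the example; the page does not say how the connector handles those cases.

```python
"""Added example: a reference model of the HTTP Basic authentication flow.

Not the connector's code. The developer directory below is constructed
sample data standing in for the Cloud API Management lookup.
"""
import base64
import binascii
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed sample directory keyed by package key (client_id).
APP_DEVELOPERS: Dict[str, Dict[str, Optional[str]]] = {
    "abc123packagekey": {"developer": "Example Corp", "api_secret": "s3cr3t:with:colons"},
    "nosecretkey": {"developer": "No Secret Inc", "api_secret": None},
}

# Assumed realm value; the page does not state what the connector sends.
REALM = "api"


@dataclass
class Decision:
    """What the connector does: respond to the client, or forward the request."""
    status: Optional[int] = None            # HTTP status sent to the client, if any
    headers: Dict[str, str] = field(default_factory=dict)
    forward: bool = False                   # True when the request goes to the endpoint


def _get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP field names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _parse_basic(authorization: Optional[str]) -> Optional[Tuple[str, Optional[str]]]:
    """Steps 4-5: return (client_id, client_secret) from a Basic header.

    Returns None when the header is absent, uses another scheme, has no
    token, or the token is not valid base64 (assumption: undecodable
    credentials are treated like credentials that are not present).
    client_secret is None when the decoded value has no ':' at all.
    """
    if not authorization:
        return None
    scheme, _, token = authorization.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Split on the FIRST colon only: RFC 7617 allows ':' inside the password.
    client_id, sep, client_secret = decoded.partition(":")
    return client_id, (client_secret if sep else None)


def authenticate(headers: Dict[str, str],
                 keep_mashery_default_response_code: bool = False) -> Decision:
    """Run the connector flow over one request's headers and return the decision."""
    authorization = _get_header(headers, "Authorization")            # step 1
    creds = _parse_basic(authorization)
    if creds is None:                                                 # steps 2-3
        if keep_mashery_default_response_code:
            return Decision(status=403)
        return Decision(status=401, headers={"WWW-Authenticate": f'Basic realm="{REALM}"'})

    client_id, client_secret = creds
    developer = APP_DEVELOPERS.get(client_id)                         # step 6
    if developer is None:                                             # step 7
        return Decision(status=403)

    api_secret = developer.get("api_secret")                          # step 8
    if api_secret is None or client_secret is None:                   # steps 9-10
        # Assumption: no api_secret on file is treated like a mismatch.
        return Decision(status=403)
    # Constant-time comparison (assumption; the page only says "matches").
    if not hmac.compare_digest(client_secret.encode("utf-8"), api_secret.encode("utf-8")):
        return Decision(status=403)                                   # step 10

    # Step 11: forward to the endpoint, keeping the Authorization header.
    return Decision(forward=True, headers={"Authorization": authorization})


def basic_header(client_id: str, client_secret: Optional[str] = None) -> str:
    """Build a Basic Authorization value; omit the ':' when no secret is given."""
    raw = client_id if client_secret is None else f"{client_id}:{client_secret}"
    return "Basic " + base64.b64encode(raw.encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    print(authenticate({}))
    print(authenticate({}, keep_mashery_default_response_code=True))
    print(authenticate({"Authorization": basic_header("abc123packagekey", "s3cr3t:with:colons")}))
```

The two calls with an empty header dict show the only behavioural difference the Keep_Mashery_Default_Response_Code parameter makes (403 versus 401 with a challenge); every failure after the header has been parsed is a 403 regardless of the parameter.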

Business Rules and Assumptions

caution

The connector should not be configured as both an Authenticator and a Processor.

  • The connector does not support an encrypted API secret if High Security Secret Management (HSSM) support is enabled in Cloud API Management. Refer to Generate Package Key Secrets when High Security Secret Management (HSSM) is Enabled for more information.

  • By default, if the request has no Authorization header, or the header does not carry credentials using the Basic scheme, the connector returns 401 Unauthorized. This matches RFC 7235, which requires a 401 response to carry a WWW-Authenticate challenge.

  • For backward compatibility, customers who expect the Cloud API Management default behavior (a 403 response when the Authorization header is missing or does not carry Basic credentials) can set the Keep_Mashery_Default_Response_Code pre-input parameter to true.
