
Usage

  • The Connector supports basic authentication between the user client and the Cloud API Management gateway, in accordance with the Basic Auth RFC (RFC 7617).

  • The username, specified as the client_id (package key), and the password, specified as the secret, must be configured when defining the package key for an application.

    Refer to Configuring Basic Credentials for more information.

    Caution

    The following excerpt is from the Basic Auth RFC (RFC 7617, Section 4):

    The Basic authentication scheme is not a secure user authentication method and does not protect the entity in any way. The most serious flaw of Basic authentication is that it results in the cleartext transmission of the user's password over the physical network. Many other authentication schemes address this problem. As Basic authentication involves the cleartext transmission of passwords, it should not be used (without enhancements such as HTTPS [RFC2818]) to protect sensitive or valuable information.

In line with industry security best practices, we recommend using stronger authentication schemes such as an OAuth2.0 access token (natively supported by Cloud API Management), the third-party-based JWT Token Authentication Connector, or the third-party-based OAuth2.0 Access Token Validation Connector.

FAQs
  1. What other authentication options are available out of the box besides HTTP Basic Auth in Cloud API Management?

    Cloud API Management supports the following additional authentication options:

    In addition, Cloud API Management Connectors enable the following API security features:

  2. Is the connector compliant with the RFC if the Authorization header is missing from the request, or if the credentials are not present in this header using the Basic scheme?

    Yes.

  3. What status code does the connector respond with if the Authorization header is missing from the request, or if the credentials are not present in this header using the Basic scheme?

    The connector responds with a 401 Unauthorized response, along with a WWW-Authenticate header, to the client.

  4. Does the connector support backward compatibility for error response codes in Cloud API Management, similar to the Proxy server? (Refer to Boomi Cloud API Management - API Documentation Portal for more information.)

    Yes. To achieve this, the Connector supports the configurable parameter Keep_Mashery_Default_Response_Code. If this parameter is configured to true, then the Connector responds with a 403 response compliant with Cloud API Management error response codes.
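
The behaviour described in FAQs 3 and 4, sketched as an added Python example; it is not the Connector's own code. The function names, the realm value, the `keep_default_code` argument (standing in for Keep_Mashery_Default_Response_Code) and the absence of a WWW-Authenticate header on the 403 are assumptions, and the credentials in the demo are constructed.

```python
import base64


def parse_basic(header_value):
    """Return (user_id, password) from an Authorization value, else None."""
    if not header_value:
        return None
    scheme, _, token = header_value.strip().partition(" ")
    # Authentication scheme names are case-insensitive.
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # malformed base64 or invalid UTF-8
        return None
    # RFC 7617: the user-id cannot contain ":", the password can,
    # so split on the first colon only.
    user_id, colon, password = decoded.partition(":")
    if not colon:
        return None
    return user_id, password


def gate(headers, keep_default_code=False, realm="api"):
    """Return (status, response_headers, credentials).

    status is None when well-formed Basic credentials are present; they
    must still be verified against the configured package key and secret.
    """
    names = {k.lower(): v for k, v in headers.items()}
    creds = parse_basic(names.get("authorization"))
    if creds is not None:
        return None, {}, creds
    if keep_default_code:
        # Assumption: the backward-compatible 403 carries no challenge header.
        return 403, {}, None
    challenge = f'Basic realm="{realm}", charset="UTF-8"'
    return 401, {"WWW-Authenticate": challenge}, None


if __name__ == "__main__":
    # Constructed sample credentials, not real ones.
    token = base64.b64encode(b"pkgkey123:s3cr:et").decode("ascii")
    print(gate({"Authorization": "Basic " + token}))
    print(gate({}))
    print(gate({"Authorization": "Bearer abc"}, keep_default_code=True))
```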