
We have an existing API that is secured by an initial username & password call to xxxx.com/api/vi/auth/token that returns a bearer token to be included in all future calls to the API. This API is live with some trusted apps.

We now have a requirement to put this API behind Azure API Management (APIM) for a new partner and have set that up to use OAuth2 with AD.

Ideally when APIM calls our backend API we need it to go through the existing API auth flow to get the existing API token and include that with any calls.

There seem to be some limited 'Authorization credentials' that can be set in Azure, but I can't find any help on how to set/use them.

1 Answer

It can be done in a number of ways, but most of them would involve writing a custom policy. Most simply, something like below:

<!-- Fetch a backend token with basic auth; the response is kept in the "token" variable -->
<send-request mode="new" response-variable-name="token" timeout="3">
    <!-- set-url needs an absolute URL; "xxxx.com" stands in for the real host -->
    <set-url>https://xxxx.com/api/vi/auth/token</set-url>
    <set-method>POST</set-method>
    <set-header name="Authorization" exists-action="override">
        <!-- base64("username:password"); substitute your own value -->
        <value>Basic dXNlcm5hbWU6cGFzc3dvcmQ=</value>
    </set-header>
</send-request>
<!-- Forward the raw token body to the backend as a bearer token -->
<set-header name="Authorization" exists-action="override">
    <value>@("Bearer " + ((IResponse)context.Variables["token"]).Body.As<string>())</value>
</set-header>

send-request sends a request with a basic auth header (substitute your value) and stores the response in the token variable.

set-header gets the body from the token response, parses it as a string and puts it into the Authorization header for the request to the backend.

A few improvements that can be done here:

  1. Store your basic credentials in a named value for security.
  2. Cache the token so that you don't need to fetch it for every request, possibly caching based on token expiration.

Vitaliy Kurokhtin
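The two improvements listed in the answer, carried through into one complete inbound policy, as an added example that is not part of the original answer. It assumes, in addition to what the page states: a named value called `backend-basic-auth` (created as a secret in APIM and referenced as `{{backend-basic-auth}}`) holding the base64 "user:pass" string; that the token endpoint returns the bearer token as a plain string body, as the original answer assumes; and that a token stays valid for at least the 3000-second cache duration chosen here. The cache key name, variable names and the 502 response are also choices made for this example.

```xml
<!-- Added example, not the original answer's code. Assumptions (not from the page):
     named value {{backend-basic-auth}} = base64("user:pass"), token endpoint returns
     the raw token string, token lifetime >= 3000 s. -->
<inbound>
    <base />
    <!-- Reuse a token cached by an earlier request, if there is one -->
    <cache-lookup-value key="backend-api-token" variable-name="backendToken" />
    <choose>
        <!-- Cache miss: fetch a fresh token from the backend auth endpoint -->
        <when condition="@(!context.Variables.ContainsKey("backendToken"))">
            <send-request mode="new" response-variable-name="tokenResponse" timeout="3" ignore-error="false">
                <set-url>https://xxxx.com/api/vi/auth/token</set-url>
                <set-method>POST</set-method>
                <set-header name="Authorization" exists-action="override">
                    <!-- Credentials come from a secret named value, not from the policy text -->
                    <value>Basic {{backend-basic-auth}}</value>
                </set-header>
            </send-request>
            <choose>
                <when condition="@(((IResponse)context.Variables["tokenResponse"]).StatusCode == 200)">
                    <set-variable name="backendToken" value="@(((IResponse)context.Variables["tokenResponse"]).Body.As<string>())" />
                    <!-- Store for 3000 seconds (assumed to be shorter than the token's lifetime) -->
                    <cache-store-value key="backend-api-token" value="@((string)context.Variables["backendToken"])" duration="3000" />
                </when>
                <otherwise>
                    <!-- Fail closed: never forward the partner's call without a backend token -->
                    <return-response>
                        <set-status code="502" reason="Backend authentication failed" />
                    </return-response>
                </otherwise>
            </choose>
        </when>
    </choose>
    <!-- Replace whatever Authorization header the caller sent with the backend token -->
    <set-header name="Authorization" exists-action="override">
        <value>@("Bearer " + (string)context.Variables["backendToken"])</value>
    </set-header>
</inbound>
```

The `exists-action="override"` on the final set-header matters: it drops the partner's own OAuth2 bearer token (already validated earlier in the inbound section by the AD setup) so that only the backend's token reaches the backend. If the token endpoint ever starts returning JSON instead of a raw string, swap `Body.As<string>()` for `Body.As<JObject>()` and pick the token property out of it; the cache and fail-closed branches stay the same.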