
API Management Basic Authentication

I have an Azure API Management, added a logic app as back end API. Now I want to enable basic authentication for the API Management so that when client will call the logic app url which is protected by API Management need to provide username and password. I am familiar with access restriction policy of API Management , now my question is where and how to set basic authentication credentials in the APIM?

Disary Nath Sarkar asked Jun 10 '26 03:06


2 Answers

Here is a code snippet to set up basic auth with username="someUser" and password="ThePassw0rd"

<policies>
    <inbound>
        <set-variable name="isAuthOk"
            value="@(context.Request.Headers.ContainsKey("Authorization")
                && context.Request.Headers["Authorization"].Contains(
                    "Basic " + Convert.ToBase64String(
                        Encoding.UTF8.GetBytes("someUser:ThePassw0rd"))))" />
        <base />
        <choose>
            <when condition="@(context.Variables.GetValueOrDefault<bool>("isAuthOk"))">
            </when>
            <otherwise>
                <return-response>
                    <set-status code="401" reason="Unauthorized" />
                    <set-header name="WWW-Authenticate" exists-action="override">
                        <value>Basic realm="someRealm"</value>
                    </set-header>
                    <set-body>Wrong username or password</set-body>
                </return-response>
            </otherwise>
        </choose>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
Dmitry Andrievsky answered Jun 11 '26 21:06


You can use the code snippet below, from https://github.com/Azure/api-management-policy-snippets/blob/master/examples/Perform%20basic%20authentication.policy.xml

<policies>
    <inbound>
        <base />
        <choose>
            <when condition="@(context.Request.Headers.GetValueOrDefault("Authorization")==null || context.Request.Headers.GetValueOrDefault("Authorization").Length<1 || context.Request.Headers.GetValueOrDefault("Authorization").AsBasic().UserId!="{{UserId}}" || context.Request.Headers.GetValueOrDefault("Authorization").AsBasic().Password!="{{Password}}")">
                <return-response>
                    <set-status code="401" reason="Not authorized" />
                </return-response>
            </when>
        </choose>
        <!-- strip the client's credentials so the backend never receives them -->
        <set-header name="Authorization" exists-action="delete" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>

And in case you want to store the password in Key Vault, you can use the policy below instead of the one above

<inbound>
    <base />
    <send-request ignore-error="false" timeout="20" response-variable-name="passwordResponse" mode="new">
        <set-url>https://mykvname.vault.azure.net/secrets/MySecretValue/?api-version=7.0</set-url>
        <set-method>GET</set-method>
        <authentication-managed-identity resource="https://vault.azure.net" />
    </send-request>
    <rewrite-uri template="/" copy-unmatched-params="true" />
    <set-backend-service base-url="https://testservice/" />
    <authentication-basic username="myusername" password="@{ var secret = ((IResponse)context.Variables["passwordResponse"]).Body.As<JObject>(); return secret["value"].ToString(); }" />
</inbound>

Hope this helps

Nilesh Sawant answered Jun 11 '26 21:06
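To see what the two inbound policies above actually decide on a given request, here is an added Python model of that logic (example code, not from either answer or from the Azure snippet repository): it parses the Basic header the way the policy's AsBasic() does, rejects missing, non-Basic, malformed or wrong credentials with the 401 plus WWW-Authenticate challenge of the first answer, and on success drops the Authorization header as the second answer's exists-action="delete" does. The credentials, realm and header dictionaries are constructed stand-ins for the {{UserId}} / {{Password}} named values.

```python
import base64
import binascii
import hmac
from typing import Dict, Optional, Tuple

# Constructed stand-ins for the {{UserId}} / {{Password}} named values
# and the realm used in the answers above.
EXPECTED_USER = "someUser"
EXPECTED_PASSWORD = "ThePassw0rd"
REALM = "someRealm"


def parse_basic(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Mirror of the policy's AsBasic(): (userId, password), or None when the
    header is missing, uses another scheme, or is not valid base64/UTF-8.
    A password may itself contain ':', so split on the first colon only."""
    if not header:
        return None
    scheme, _, param = header.strip().partition(" ")
    if scheme.lower() != "basic" or not param:
        return None
    try:
        decoded = base64.b64decode(param.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return user, password


def inbound_policy(headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Emulate the <inbound> section: 401 plus the WWW-Authenticate challenge
    from the first answer on bad credentials; otherwise forward the request
    with the Authorization header deleted, as the second answer's
    <set-header exists-action="delete" /> does, so the backend never sees
    the client's credentials."""
    creds = parse_basic(headers.get("Authorization"))
    # compare_digest: comparison time does not depend on the first mismatch
    ok = creds is not None and (
        hmac.compare_digest(creds[0].encode(), EXPECTED_USER.encode())
        & hmac.compare_digest(creds[1].encode(), EXPECTED_PASSWORD.encode())
    )
    if not ok:
        return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    return 200, {k: v for k, v in headers.items() if k.lower() != "authorization"}


def basic_header(user: str, password: str) -> str:
    """What a client sends: the Convert.ToBase64String expression of answer 1."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```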


