Using HTTP Basic Auth for API Identity Management

APIs are proliferating across corporate networks.  Business owners adopt whatever APIs solve their requirements, whether the APIs are homegrown or provided by third-party cloud providers.  In both cases, internal and external APIs alike, controls have to be enforced on who gets to use which API.  Enforcing that control requires identity management for APIs: authenticating the caller and then authorizing the specific call.  In this tutorial, we will use Forum Sentry to lock down an external API with on-board users, groups and ACLs using simple point-and-click, code-free configuration.

You can start by adding on-board Users, Groups and ACLs and enabling a 3rd party API as shown in the following tutorials:

  1. Users, Groups and ACLs for API Identity Management
  2. Protecting your API through SSL

Once your API proxy is enabled, the network HTTPS policy that fronts it can be locked down so that only authenticated users are allowed to reach the API at all.

(Screenshot: Forum Sentry API Identity Management)

Select GATEWAY–>Network Policies in the Forum Sentry navigation panel and click through the HTTP listener policy wizard for your API until you are asked for Password Authentication.  Select basic authentication as shown above.  Note that HTTP Basic Auth only base64-encodes the username and password in the Authorization header; it does not encrypt them, so the listener should be the SSL-enabled policy from the "Protecting your API through SSL" tutorial rather than a plain HTTP one.  A number of other protocol-based authentication mechanisms are also available, including Kerberos, cookies, digest, and form post.  The Network policy wizard also provides X.509 client certificate authentication for SSL-enabled policies.

Next, we can lock a specific API call, rather than the whole listener, by navigating to GATEWAY–>WSDL Policies–>tempconvert and selecting the FahrenheitToCelsius operation.

(Screenshot: Forum Sentry API Identity Locking)

As shown in the screen above, you can select TestACLNarrow to restrict access to this API operation.  This gives your enterprise highly granular, per-operation control over internal and external service authorization.

(Screenshot: SOAPSonar HTTP Basic Auth)

We can now check this control by executing the service from a client such as SOAPSonar.  The FahrenheitToCelsius API operation can only be executed by providing credentials associated with TestACLNarrow (testuser1 or testuser2).  Other valid credentials (testuser3 or testuser4) authenticate successfully at the listener but are rejected by the ACL as unauthorized users; credentials that do not match any on-board user are rejected at authentication.  Test both cases, since a policy that only checks for a valid login would let testuser3 through.
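The two checks the gateway performs above, listener-level Basic authentication followed by the per-operation ACL, can be modelled end to end in a short script. The following is an added example written for this page, not Forum Sentry's own code: it builds the Authorization header a client like SOAPSonar sends, decodes it the way the listener does, verifies the credentials against an on-board user store, extracts the SOAP operation from the request body, and applies the TestACLNarrow binding. The passwords, the group name "TestGroup", the PBKDF2 salt and the tempconvert XML namespace are all constructed for the example; only testuser1 through testuser4, TestACLNarrow and the FahrenheitToCelsius operation come from the tutorial.

```python
import base64
import hmac
import xml.etree.ElementTree as ET
from hashlib import pbkdf2_hmac
from typing import Optional

# Constructed on-board user store. A real store uses a random per-user salt;
# one fixed salt is used here only to keep the example short.
_SALT = b"example-salt"


def _hash(password: str) -> bytes:
    return pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {  # usernames from the tutorial, passwords constructed for this example
    "testuser1": _hash("password1"),
    "testuser2": _hash("password2"),
    "testuser3": _hash("password3"),
    "testuser4": _hash("password4"),
}

# Group name is an assumption; the tutorial only says TestACLNarrow admits testuser1/2.
GROUPS = {"TestGroup": {"testuser1", "testuser2"}}
ACLS = {"TestACLNarrow": {"TestGroup"}}

# Per-operation ACL binding on the tempconvert WSDL policy. Operations with no
# binding require only a successful login at the listener.
OPERATION_ACL = {"FahrenheitToCelsius": "TestACLNarrow"}

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
TEMPCONVERT_NS = "urn:example:tempconvert"  # constructed namespace


def basic_auth_header(user: str, password: str) -> str:
    """What the client sends: 'Basic ' + base64(user:password). Base64 is not encryption."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def authenticate(headers: dict) -> Optional[str]:
    """Listener step: return the username if the Basic credentials are valid, else None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        user, _, password = base64.b64decode(token, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    stored = USERS.get(user)
    if stored is None:
        _hash(password)  # hash anyway so unknown users take the same time as bad passwords
        return None
    return user if hmac.compare_digest(stored, _hash(password)) else None


def authorize(user: str, operation: str) -> bool:
    """WSDL policy step: is the authenticated user in a group granted by the operation's ACL?"""
    acl = OPERATION_ACL.get(operation)
    if acl is None:
        return True
    return any(user in GROUPS[group] for group in ACLS[acl])


def soap_operation(body: str) -> Optional[str]:
    """Name of the first element under soap:Body, with its namespace stripped."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    soap_body = root.find(f"{{{SOAP_ENV}}}Body")
    if soap_body is None or len(soap_body) == 0:
        return None
    return soap_body[0].tag.rsplit("}", 1)[-1]


def tempconvert_request(operation: str, param: str, value: str) -> str:
    """Constructed SOAP request body for the tempconvert service."""
    return (
        f'<soap:Envelope xmlns:soap="{SOAP_ENV}"><soap:Body>'
        f'<{operation} xmlns="{TEMPCONVERT_NS}"><{param}>{value}</{param}></{operation}>'
        "</soap:Body></soap:Envelope>"
    )


def gateway(headers: dict, body: str) -> int:
    """HTTP status the gateway returns: 401 bad login, 403 login ok but not in ACL, 200 allowed."""
    user = authenticate(headers)
    if user is None:
        return 401
    operation = soap_operation(body)
    if operation is None:
        return 400
    return 200 if authorize(user, operation) else 403


if __name__ == "__main__":
    body = tempconvert_request("FahrenheitToCelsius", "Fahrenheit", "212")
    for user, pw in [("testuser1", "password1"), ("testuser3", "password3"), ("testuser3", "wrong")]:
        print(user, gateway({"Authorization": basic_auth_header(user, pw)}, body))
```

The distinction the test step relies on is visible in the return codes: testuser3 with the right password is a 403 (authenticated, not authorized for FahrenheitToCelsius), while testuser3 with a wrong password or no header at all is a 401. A client test suite should assert on both, because a gateway that only checks the login would return 200 for the first case.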

Locking down your APIs is a fundamental function that every enterprise has to perform to ensure that only authorized entities are using its services.  Every service costs money, whether it is a monthly fee paid to a cloud provider or the equipment and software cost of an internal service.  Locking down such services via identity management, with authentication at the listener and authorization per operation, is essential for ensuring that your enterprise keeps full control over its infrastructure investment.