End of Sale Notice:
F5 NGINX is announcing the End of Sale (EoS) for NGINX Management Suite API Connectivity Manager Module, effective January 1, 2024.
F5 maintains generous lifecycle policies that allow customers to continue support and receive product updates. Existing API Connectivity Manager Module customers can continue to use the product past the EoS date. License renewals are not available after September 30, 2024.
See our End of Sale announcement for more details.
Learn how to use NGINX Management Suite API Connectivity Manager to secure API Gateways by applying a basic authentication policy.
Overview
In API Connectivity Manager, you can apply policies to an API Gateway to further enhance their configuration to meet your requirements.
Policies added at the proxy level are applied to all routes within that proxy.
For an overview of the different policy types and available policies, refer to the consult the Learn about Policies topic.
Basic Authentication
Warning:
Basic authentication is recommended for test environments only. For production environments, consider a more robust authentication method.
Authentication & authorization policies allow a user to restrict access to their APIs by determining the caller’s identity and access level. There are several API Gateway authentication/authorization policy types supported by API Connectivity Manager: API key authentication, basic authentication, OAuth2 JWT assertion, and OAuth2 token introspection. This guide focuses specifically on basic authentication.
Basic authentication is a method for HTTP users to provide a username and password when making an API request. In basic HTTP authentication, a request contains a header field in the form of Authorization: Basic <credentials>, where credentials is the Base64 encoding of username and password joined by a single colon.
API Connectivity Manager API owners can restrict access to their APIs with usernames and passwords. The API Proxy Policy can be configured to grant access to APIs only after verifying that the username and password are valid.
Before You Begin
Complete the following prerequisites before proceeding with this guide:
- API Connectivity Manager is installed, licensed, and running.
- You have one or more Environments with an API Gateway.
- You have published one or more API Gateways
How to Access the User Interface
This guide provides instructions for completing tasks using the API Connectivity Manager user interface (UI).
To access the UI, go to the FQDN of your NGINX Management Suite host and log in. On the Launchpad menu, select “API Connectivity Manager.”
How to Access the REST API
You can use tools such as curl or Postman to interact with the API Connectivity Manager REST API. The API URL follows the format https://<NMS_FQDN>/api/acm/<API_VERSION> and must include authentication information with each call. For more information about authentication options, please refer to the API Overview.
Create a Basic Authentication Policy
Take the steps in this section if you want to restrict access to APIs to clients with a valid username and password. You can set up a basic authentication policy using either the web interface or the REST API.
Send a POST request to add the basic authentication policy to the API Proxy.
| Method | Endpoint |
|---|---|
POST |
/services/workspaces/<SERVICE_WORKSPACE_NAME>/proxies |
Note:
To include sensitive data in ProxyGETrequests, provide the query parameterincludes=sensitivedata; otherwise, the response will have this data redacted.
{
"policies": {
"basic-authn": [
{
"action": {
"credentialForward": false,
"errorReturnConditions": {
"notSupplied": {
"returnCode": 401
}
}
},
"data": [
{
"clientID": "ClientA",
"username": "UserA",
"password": "secret123"
}
]
}
]
}
}
| Field | Type | Possible Values | Description | Required | Default value |
|---|---|---|---|---|---|
credentialForward |
boolean | true/false |
If the basic auth credentials are proxy-forwarded to the backend service in the HTTP header. | No | False |
errorReturnConditions.notSupplied.returnCode |
int | In range 400-599 |
The error code that is returned from the API Proxy when invalid basic auth credentials are supplied. | No | 401 |
data.clientID |
string | Example: ClientA |
Identifies the client who is holding the basic authentication credentials. | Yes | N/A |
data.username |
string | Example: UserA |
The value of the client’s password. | Yes | N/A |
data.password |
string | Example: secret123 |
The value of the client’s username. | Yes | N/A |
- In the API Connectivity Manager user interface, go to Services > {your workspace}, where “your workspace” is the workspace that contains the API Proxy.
- Select Edit Proxy from the Actions menu for the desired API Proxy.
- On the Policies tab, select Add Policy from the Actions menu for Basic Authentication.
- By default, NGINX will strip the basic authentication credentials from the request headers before forwarding the request to the backend service. To preserve the credentials, enable the toggle for Forward credential.
- Set custom error return code conditions if basic authentication credentials are not supplied.
- Configure the associated Client ID, Username, and Password for each client that requires API access.
- Select Add to apply the basic authentication policy to the Proxy. Then select Save & Publish to deploy the configuration to the API Proxy.