MuleSoft API Manager provides the following three ways to add Basic Authentication to APIs:
- HTTP basic authentication using Simple Security Manager
- Client ID Enforcement with Custom Expression
- Client ID Enforcement with HTTP Basic Authentication Header
HTTP basic authentication using Simple Security Manager
In order to add HTTP basic authentication, you will first need to add a Simple Security Manager object. The Simple Security Manager object is where you define the username and password that will be used for Basic Authentication.
Once you add a username/password and apply the policy to the API, your API will be protected by Basic Authentication. One drawback of this option is that the UI supports adding only one username/password in the Simple Security Manager.
You can see this in action in my video at: https://www.youtube.com/watch?v=Wd6s7gRa0Og
Client ID Enforcement with Custom Expression
With this option, you can add a policy that requires API users to pass a client id and client secret in the URL parameters or headers when calling the API. Below is the sequence of steps for adding it:
- Open API Manager and click on the API to which you want to add the policy
- Click on Policies on the left to open the policies tab and click on Apply New Policy
- Select Client ID Enforcement
Once you apply this policy, every API user will have to provide client_id and client_secret as query parameters. The validation rule shown in the Apply New Policy screen is a Mule expression, so you can easily modify it to do something else. For example, if you expect client_id and client_secret in headers, or if you want to rename client_id and client_secret to something else, you can do that by modifying this expression.
Client ID Enforcement with HTTP Basic Authentication Header
Similar to client id enforcement via custom expression, you can enforce the client id and secret as an HTTP Basic Authentication header simply by selecting the HTTP Basic Authentication Header option in the previous screen.
In both client id enforcement options, the client_id and client_secret have to be generated by going to the developer portal of the API Manager and requesting access.
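To make the two client id enforcement modes concrete, here is an added example (not MuleSoft's or API Manager's own code) that models what the policy does on each request: the custom expression mode reads client_id/client_secret from query parameters (or from headers, if the expression is changed), and the HTTP Basic Authentication Header mode decodes them from the Authorization header. The approved-client registry, the Request class and the function names are assumptions made for this example; the secrets are constructed placeholders.

```python
"""Model of MuleSoft Client ID Enforcement (added example, not MuleSoft code).

Modes mirror the two options described above:
  "query"  - default custom expression: credentials as query parameters
  "header" - custom expression modified to read named headers instead
  "basic"  - HTTP Basic Authentication Header option
"""
import base64
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

@dataclass
class Request:
    """Hypothetical stand-in for an inbound HTTP request."""
    query: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)

# Constructed registry standing in for applications approved in the developer
# portal (client_id -> client_secret). Values are placeholders, not real secrets.
APPROVED_CLIENTS = {
    "app-weather-dashboard": "s3cr3t-weather",
    "app-mobile-v2": "s3cr3t-mobile",
}

def basic_header(client_id: str, client_secret: str) -> str:
    """Build the Authorization header value a client sends in 'basic' mode."""
    token = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return f"Basic {token}"

def extract_credentials(req: Request, mode: str,
                        id_name: str = "client_id",
                        secret_name: str = "client_secret") -> Optional[Tuple[str, str]]:
    """Return (client_id, client_secret) or None when absent or malformed."""
    lowered = {k.lower(): v for k, v in req.headers.items()}  # HTTP header names are case-insensitive
    if mode == "query":
        cid, sec = req.query.get(id_name), req.query.get(secret_name)
        return (cid, sec) if cid and sec else None
    if mode == "header":
        cid, sec = lowered.get(id_name.lower()), lowered.get(secret_name.lower())
        return (cid, sec) if cid and sec else None
    if mode == "basic":
        scheme, _, token = lowered.get("authorization", "").partition(" ")
        if scheme.lower() != "basic" or not token:
            return None
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return None  # not valid base64 / not UTF-8: treat as missing credentials
        cid, sep, sec = decoded.partition(":")
        return (cid, sec) if sep and cid and sec else None
    raise ValueError(f"unknown mode: {mode}")

def enforce_client_id(req: Request, mode: str,
                      registry: Dict[str, str] = APPROVED_CLIENTS) -> Tuple[int, str]:
    """Policy decision: 401 when credentials are missing or invalid, 200 otherwise."""
    creds = extract_credentials(req, mode)
    if creds is None:
        return 401, "client_id and client_secret are required"
    cid, sec = creds
    expected = registry.get(cid)
    # Constant-time comparison so the secret check does not leak through timing.
    if expected is None or not hmac.compare_digest(sec.encode(), expected.encode()):
        return 401, "invalid client_id or client_secret"
    return 200, f"authenticated as {cid}"

if __name__ == "__main__":
    ok = Request(query={"client_id": "app-weather-dashboard", "client_secret": "s3cr3t-weather"})
    print(enforce_client_id(ok, "query"))
    via_basic = Request(headers={"Authorization": basic_header("app-mobile-v2", "s3cr3t-mobile")})
    print(enforce_client_id(via_basic, "basic"))
    # Credentials sent as query parameters to an API whose policy expects the Basic header
    print(enforce_client_id(ok, "basic"))
```

Note that a request carrying credentials in the form the policy is not configured for (query parameters against a Basic-header policy, or vice versa) is rejected with 401, which is the behaviour to expect when switching between the two options on a live API; and because query strings commonly end up in access logs, the header-based options keep the secret out of those logs.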
The biggest advantage of using client id enforcement is that you don't have to manage generating credentials, and you can set up either auto approval or manual approval for anyone requesting API access. Also, within the Anypoint Platform, you can manage all the applications using your API and revoke any client's access at any time. Detailed steps for applying this policy and managing client users are shown in this video: https://www.youtube.com/watch?v=XdH0tdBXdoE