Layer7 API Management


Facing Issue with Require HTTP Basic Credentials

  • 1.  Facing Issue with Require HTTP Basic Credentials

    Posted Sep 14, 2016 11:26 AM

    Hi All,

     

    We are trying to implement authentication logic in our gateway as stated below. If the user does not provide credentials in the login pop-up, we want to throw a customized error response.

     

    At least one assertion must evaluate to true
        All assertions must evaluate to true
            Require HTTP Basic Credentials
        All assertions must evaluate to true
            Customize Error Response assertion with login credentials required
            Raise Error assertion

     

     

    With the above code I am not getting the login pop-up first, and the else part of the code is always executing. Do we have any logic for how to implement it?

     

     

     

    Regards,

    Suneel

     



  • 2.  Re: Facing Issue with Require HTTP Basic Credentials

    Posted Sep 14, 2016 11:41 AM

    Your browser is doing a GET call to the endpoint without HTTP Basic Credentials, so that assertion is not satisfied, which is why the else logic is getting executed. The credentials you entered, or did not enter, after the first request are probably also cached in your browser. Using Chrome you can go into incognito mode for the cache to be cleared, hit the endpoint again, and your browser should automatically pop up the credentials box.



  • 3.  Re: Facing Issue with Require HTTP Basic Credentials

    Broadcom Employee
    Posted Sep 14, 2016 11:46 AM

    Hi Suneel,

     

    What is your objective here?

     

    Why would you want to do this?  As the next line is more crucial as it will state if the individual is authenticated to your identity provider.

     

    Derek

     

    Derek Orr

    ca technologies

    Principal Consultant, CA API Management Presales

    m: 778-980-0029

    Email = Derek.Orr@ca.com

     

    CA API Management Community: https://communities.ca.com/community/ca-api-management-community



  • 4.  Re: Facing Issue with Require HTTP Basic Credentials

    Broadcom Employee
    Posted Sep 14, 2016 11:50 AM

    Suneel,

     

    You need to move the "Require HTTP Basic Credentials" up out to the at least one so it will prompt for credentials if the authorization header is not passed. Then use an Authenticate against Identity provider assertion to validate the credentials collected and error if authentication fails.

     

    This is a sample of how you can structure this

     



  • 5.  Re: Facing Issue with Require HTTP Basic Credentials

    Posted Sep 15, 2016 01:47 AM

    Hi Barry and Derek,

     

    Thanks for reply.

     

    My objective is:

    The gateway API has to search for any authorisation header presented as part of the request. Only if it is not presented will I provide login by using the Require HTTP Basic Credentials assertion. Here the login pop-up will be prompted; let's assume the user did not provide login details, i.e. clicked on the cancel button, then the API has to return a custom error message as Login Credentials Required.

     

    I have attached API code for reference.

     

    Problem faced: The policy is always returning the 'Required Credentials' error, but it should prompt the login pop-up because I am not sending an authorisation header in the request.

     

     

    API Logic .

     

    Thanks,

    Suneel



  • 6.  Re: Facing Issue with Require HTTP Basic Credentials

    Posted Sep 15, 2016 10:04 AM

    This is a browser caching issue. In the API world, there is no such thing as prompting for credentials if no credentials are presented. You either do or do not present credentials with the request. You have sent either empty or incorrect credentials with your browser before, your browser has cached that call, thus you will never be prompted. Only on the first call from your browser to a new endpoint will it see that credentials are required and prompt you and ask you to provide credentials. Empty your browser cache or use Chrome and go incognito. If you want a user to be redirected to a login page if credentials are not presented, then you need to throw back a 302 redirect to the login page, not throw back an error.



  • 7.  Re: Facing Issue with Require HTTP Basic Credentials

    Posted Sep 16, 2016 08:47 AM

    Hi Bloan,

     

    Thanks for reply.

     

    If the user clicks the cancel button in the login prompt without providing credentials, then the gateway throws status code 401 with Unauthorised. But I am trying to send a custom error as Credentials are not provided. Do we have any option to set a custom error response in this case?

     

    Thanks,

    Suneel



  • 8.  Re: Facing Issue with Require HTTP Basic Credentials

    Broadcom Employee
    Posted Sep 15, 2016 11:33 AM

    The sample I provided earlier does exactly what you are looking to accomplish. Just move the Require HTTP Basic Credentials up to the top of your policy. You don't need to check for existence of the Authorization header; the assertion will do that, and if it is not present it will cause the browser to prompt the user for credentials.



  • 9.  Re: Facing Issue with Require HTTP Basic Credentials

    Posted Sep 16, 2016 08:50 AM

    Hi Barry,

     

    Your code is working fine as expected. But I am trying to implement the one below.

     

    If the user clicks the cancel button in the login prompt without providing credentials, then the gateway throws status code 401 with Unauthorised. But I am trying to send a custom error as Credentials are not provided. Do we have any option to set a custom error response in this case?

     

     

    Thanks,

    Suneel



  • 10.  Re: Facing Issue with Require HTTP Basic Credentials
    Best Answer

    Broadcom Employee
    Posted Sep 16, 2016 11:34 AM

    Suneel,

     

    I do not believe what you are looking to do is possible regarding the cancel. The Require HTTP Basic Credentials assertion returns the 401 and the WWW-Authenticate and the L7-Policy-URL headers, which the browser uses to prompt the user for credentials and send them back to the gateway when the user submits credentials. If the user pushes the cancel button the request ends and the browser presents the Authentication Required response, not the gateway.
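
Added example, not part of the thread and not Layer7 policy code: a generic Python sketch of the server side of the HTTP Basic exchange the replies describe, where each request either carries an Authorization header or is answered with 401 plus WWW-Authenticate. The realm, the user store, and the names `parse_basic`, `handle` and `basic_header` are assumptions made for illustration.

```python
import base64
import binascii
import hmac

REALM = "example-realm"            # assumed realm name
USERS = {"alice": "s3cret-demo"}   # constructed demo credential store


def parse_basic(header):
    """Return (user, password) from an Authorization header value, or None."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None                # not valid base64 / not UTF-8
    user, sep, password = decoded.partition(":")  # password may itself contain ':'
    if not sep or not user:
        return None
    return user, password


def handle(headers):
    """Decide the response to one request: (status, response_headers, body)."""
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}", charset="UTF-8"'}
    creds = parse_basic(headers.get("Authorization"))
    if creds is None:
        # No usable credentials on this request: answer with the challenge.
        # A browser reacts to this header by showing its credentials prompt.
        return 401, challenge, "Login credentials required"
    user, password = creds
    expected = USERS.get(user, "")
    # Constant-time comparison; unknown users always fail.
    ok = hmac.compare_digest(password.encode(), expected.encode()) and user in USERS
    if not ok:
        return 401, challenge, "Invalid credentials"
    return 200, {}, f"Hello, {user}"


def basic_header(user, password):
    """Build the header value a client sends after the user submits the prompt."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```

The server only ever sees complete requests, so the prompt itself and any cached credentials live entirely in the client.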



  • 11.  Re: Facing Issue with Require HTTP Basic Credentials

    Posted Sep 17, 2016 06:23 AM

    Hello Barry,

     

    Thank you very much for your response.