Enforce basic authentication in Azure API Management

When connecting with legacy systems, Basic Authentication is often the only supported security scheme that is available.  Azure API Management has an out-of-the-box policy that implements Basic Authentication between API Management and the backend API (backdoor).  However, there is no standard policy that performs this security between the API consumer and API Management (frontdoor).

On the internet, I’ve found several solutions which I didn’t like.  In many cases, they throw internal exceptions if the security is not implemented as expected.  In the end, Basic Authentication is just validating the “Authorization” HTTP header.  Its value should be Basic base64(user:password).The easiest way achieve this in Azure API Management, is by using the Check HTTP Header policy.

   <base />
   <set-variable name="user-password" value="{{user}}:{{password}}" />
   <check-header name="Authorization" failed-check-httpcode="401" failed-check-error-message="Not authorized" ignore-case="false">
      <value>@("Basic " + System.Convert.ToBase64String(Encoding.UTF8.GetBytes((string)context.Variables["user-password"])))</value>


In this example, the user and password are defined as named values.  The policy could also be extended to retrieve the password from Key Vault.  To achieve this, you can get some inspiration in this nice blog post.




Your Azure Coach is specialized in organizing Azure trainings that are infused with real-life experience. All our coaches are active consultants, who are very passionate and who love to share their Azure expertise with you.