Design and Implementation

Sequence Diagram



Implementation Details

HTTP Basic Auth Flow
  1. The Connector retrieves the "Authorization" header from the request.
  2. If the Authorization header is absent, or it does not carry credentials with the Basic scheme, the Connector reads the pre-input boolean parameter Keep_Mashery_Default_Response_Code.
  3. If Keep_Mashery_Default_Response_Code is configured as true, the Connector responds to the user client with a 403 response code; otherwise it responds with 401 Unauthorized together with a WWW-Authenticate header.
  4. Otherwise, the Connector extracts the client credentials, that is, the part of the Authorization header value that follows the "Basic" scheme token.
  5. The Connector Base64-decodes the credentials and splits the decoded value at the first ":" into client_id and client_secret.
  6. The client_id is usually a TIBCO Mashery package key. The Connector looks up the app developer information using client_id.
  7. If no app developer information is found for client_id, the Connector responds to the user client with 403.
  8. If the app developer information is found, the Connector retrieves the api_secret for that app developer.
  9. If an api_secret exists for the app developer, the Connector takes client_secret from the decoded Authorization value and compares it with api_secret.
  10. If client_secret is absent from the decoded Authorization value, or does not match api_secret, the Connector responds to the user client with 403.
  11. If client_secret matches the app developer's api_secret, the Connector forwards the request to the client resource along with the HTTP Authorization header.
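The eleven steps above, as an added example that is not part of the TIBCO Mashery documentation or the Connector's own (Java) code. It is written in Python so the decision logic can be exercised stand-alone; the APP_DEVELOPERS table is a constructed stand-in for the Mashery package-key lookup, and the behaviour when an app developer has no api_secret (step 9 says nothing about that case) is an assumption here: the example fails closed with 403. Header parsing follows RFC 7617 (case-insensitive scheme name, split at the first colon), and the secret comparison is constant-time, which is the check a practitioner would add even though the page does not state how the Connector compares the values.

```python
import base64
import binascii
import hmac
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed stand-in for the Mashery package-key / app-developer store (assumption).
# Keys are package keys (client_id); api_secret is the package key's shared secret.
APP_DEVELOPERS = {
    "abc123packagekey": {"developer": "alice@example.com", "api_secret": "s3cr3t"},
    "nosecretkey": {"developer": "bob@example.com", "api_secret": None},
}


@dataclass
class Decision:
    """What the connector does with the request: a status sent back to the client,
    headers attached to that response (or to the forwarded request), and whether
    the request is forwarded to the client resource."""
    status: int
    headers: dict = field(default_factory=dict)
    forward: bool = False


def parse_basic_credentials(auth_header: Optional[str]) -> Optional[Tuple[str, Optional[str]]]:
    """Steps 1, 4 and 5: return (client_id, client_secret) from a Basic Authorization
    header, or None when the header is missing, uses another scheme, or is not valid
    Base64. client_secret is None when the decoded value has no ':' separator."""
    if not auth_header:
        return None
    scheme, _, token = auth_header.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # RFC 7617: the user-id cannot contain ':', so split at the first one.
    client_id, sep, client_secret = decoded.partition(":")
    if not client_id:
        return None
    return client_id, (client_secret if sep else None)


def authenticate(headers: dict, keep_mashery_default_response_code: bool = False,
                 realm: str = "api") -> Decision:
    """Run the HTTP Basic Auth flow over a request's headers."""
    auth_header = headers.get("Authorization")
    creds = parse_basic_credentials(auth_header)
    if creds is None:
        # Steps 2 and 3: no usable Basic credentials.
        if keep_mashery_default_response_code:
            return Decision(403)
        return Decision(401, {"WWW-Authenticate": f'Basic realm="{realm}"'})

    client_id, client_secret = creds
    developer = APP_DEVELOPERS.get(client_id)  # steps 6 and 7
    if developer is None:
        return Decision(403)

    api_secret = developer.get("api_secret")  # step 8
    if api_secret is None:
        # Assumption: no stored secret means nothing can be verified, so fail closed.
        return Decision(403)

    # Steps 9 and 10: constant-time comparison so a mismatch cannot be timed.
    if client_secret is None or not hmac.compare_digest(
            client_secret.encode("utf-8"), api_secret.encode("utf-8")):
        return Decision(403)

    # Step 11: forward to the client resource with the original Authorization header.
    return Decision(200, {"Authorization": auth_header}, forward=True)


def basic_header(client_id: str, client_secret: Optional[str] = None) -> str:
    """Build a Basic Authorization header value for test requests."""
    raw = client_id if client_secret is None else f"{client_id}:{client_secret}"
    return "Basic " + base64.b64encode(raw.encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    for hdrs in ({}, {"Authorization": basic_header("abc123packagekey", "s3cr3t")},
                 {"Authorization": basic_header("abc123packagekey", "wrong")}):
        print(hdrs, "->", authenticate(hdrs))
```

Note that every failure after the header has been parsed yields 403 without a WWW-Authenticate header, as the flow specifies, so a client only sees the 401 challenge when it sent no Basic credentials at all (or the default was overridden with Keep_Mashery_Default_Response_Code).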

Business Rules and Assumptions

  • The Connector does not support an encrypted API secret if High Security Secret Management (HSSM) support is enabled in TIBCO Mashery. Refer to Generating Package Key Secrets.
  • By default, if the Authorization header is absent from the request, or it does not carry credentials with the Basic scheme, the Connector returns a 401 Unauthorized response. This complies with the HTTP authentication RFCs (RFC 7235 requires a 401 response to carry a WWW-Authenticate header).
  • For backward compatibility, if a customer expects the TIBCO Mashery platform's default behavior of returning a 403 response when the Authorization header is absent or does not carry Basic-scheme credentials, the Keep_Mashery_Default_Response_Code pre-input parameter can be configured as "true".
  • Caution: The Connector must not be configured both as an Authenticator and as a Processor.