Authorization Header

Hi,

I would like to remove the Authorization header from the request headers. To do so, I have created a service in the API Gateway IS and used the built-in pub.apigateway.ctxvar:removeContextVariable, but it seems like I cannot remove it. I am prompted with an error: Exception: Context variable name must be a valid identifer ( alpha-numeric, null, or _ permitted ) Found: PROTOCOL_HEADERS[Authorization].

Is there any way we can remove the authorization header?

Hi,

You can simply add an Outbound Authentication Policy and select the Authentication Schema as “Anonymous”.

Regards,
Praveen

Yeah, the thing is my outbound authentication is using a different authentication, but the problem is not here, because I can observe that the outbound auth - transport replaces the Authorization header.

The problem I am facing is that another custom policy will be using the Authorization header.

Hi Mark Anthony,

What do you mean by "another custom policy will be using the Authorization header"?
What is the other policy that will be using your authorization header, and in which stage is that policy added?
Can you provide more details about your scenario?

Thanks,
Vallab

Hi Vallab,

Basically, I have multiple custom policies, but let us just take 2 for example. I have 1 custom policy which receives an “Authorization” header with, let's say, OAuth, and then that policy will do some processing with the OAuth token. Then I wanted to drop that “Authorization” header in that same policy because I wanted another custom policy to put something in the Authorization header for another processing before it reaches the Outbound Auth - transport in the routing.

These 2 custom policies will be in the request processing stage.

Hi Mark Anthony,

Can you explain what your use case is?

From an authentication perspective, what is your client sending, and what do you expect API Gateway to send to the native service?
Can you clearly explain?

Regards,
Vallab.

Hi Vallab,

My current API Gateway version is 10.1.

The requester will give OAuth as authentication to the gateway. That is for the first custom policy; aside from authentication, we wanted to check other properties in the OAuth. Then as for the other custom policy, we wanted to invoke a native API in the Gateway to get information from the gateway and pass it to native APIs in Integ Server. However, this method would require the user and password for the gateway, so this would be utilizing the Authorization header, and gives a conflict. So I wanted to drop the Authorization of the first custom policy to give way to the next custom policy. (This is with the assumption that a sequence can be given to the global policies.)

Hi Mark,
Did you find a working solution for this? We have exactly the same requirement and are trying out options.
Thanks,
Asif

Hi Khaja-Asif Hussain,

API Gateway provides a variety of options if your requirement is to add or remove headers. Please note authorization headers will be automatically removed if you have configured the relevant IAM policy. In case you have not configured an IAM policy, these options can be applied to authorization headers also.

  1. You can use the Request Transformation policy to remove the headers. Read more here

  2. If your use case is to use an IS Service, the same can also be achieved via an IS Service. Read more here

Regards,
Vallab

Great info with blog reference… Thanks to Vac!!!