How to use Basic Authentication for APIs in Frends

Both managed identities and custom user accounts can be used.

Frends provides limited support for the Basic Authentication scheme for APIs and for Processes using an HTTP Trigger.

Requirements

To set up Basic Authentication by building it into your Processes, only the Process Editor role, or a similar permission level, is required.

To authenticate against an Active Directory or against local users on the Agent machine, you need to be using on-premises or otherwise self-hosted Agent machines instead of Frends PaaS or Cloud Agents. Whether authentication is done against the AD or against the machine's local users depends on whether the Frends Agent user account is a local account or an AD account.

To use Basic Authentication on Frends Cloud Agents, the authentication needs to be built into the Process logic.

Basic Authentication within a Process

For both API Processes and Processes using an HTTP Trigger, the Basic Authentication check can be built into the Process flow itself instead of relying on support for it from the Frends Platform.

In this scenario the API or HTTP Trigger should be configured to allow public access through API Policies, unless some other authentication method is used in addition to Basic Authentication to limit access.

With public or mostly public access set, you next need to set up your Process to check the Authorization header within the Process itself.

The Basic Authentication method is based on a secret value in an HTTP header. The header has the form Authorization: Basic base64encode(username:password), where the username and password are joined with a single colon (:) into a UTF-8 encoded string, which is then Base64 encoded.

Because the header values are available within the Process, the header can be read and decoded for validation. Alternatively, if Basic Authentication is done against one or a few allowed credentials in a list, the original header value can be left as is and compared against the known credentials encoded into Base64 strings as explained above.

If the validation succeeds and the values match some predefined credentials (or are verified against another API or similar service), the Process flow is allowed to continue. Otherwise the Process should end by returning either HTTP status code 401 or 403, depending on whether the authentication failed (401) or the authenticated user was not allowed to call this endpoint (403).

Example flow of performing Basic Authentication in Frends Process.
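One way to implement the check described above, as an added example that is not part of the Frends documentation or product: a C# method that decodes the header, splits on the first colon, compares the password in constant time, and returns the status code the Process should act on. The constructed credential store and the way the header string is obtained from the trigger are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example, not Frends' own code. Assumes the Process has already read the
// request's Authorization header into a string; the credential lists are constructed.
public static class BasicAuthCheck
{
    // Constructed sample credentials. In a real Process, keep these in an
    // environment variable or secret store rather than hard-coding them.
    private static readonly Dictionary<string, string> KnownUsers = new()
    {
        ["integration-client"] = "s3cret:with:colons",   // allowed on this endpoint
        ["reporting-client"]   = "another-secret"         // authenticates, but not allowed here
    };
    private static readonly HashSet<string> AllowedOnThisEndpoint = new() { "integration-client" };

    // Returns the status code the Process should act on: 200 = continue,
    // 401 = authentication failed, 403 = authenticated but not permitted.
    public static int Validate(string authorizationHeader)
    {
        if (string.IsNullOrEmpty(authorizationHeader) ||
            !authorizationHeader.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase))
            return 401;

        string decoded;
        try
        {
            // Malformed Base64 is an authentication failure, not a Process error (HTTP 500).
            decoded = Encoding.UTF8.GetString(
                Convert.FromBase64String(authorizationHeader.Substring(6).Trim()));
        }
        catch (FormatException) { return 401; }

        // Split on the FIRST colon only: the password part may itself contain colons.
        int sep = decoded.IndexOf(':');
        if (sep < 0) return 401;
        string user = decoded.Substring(0, sep);
        string pass = decoded.Substring(sep + 1);
        if (!KnownUsers.TryGetValue(user, out string expected)) return 401;

        // Constant-time comparison so a wrong password does not leak how many
        // leading bytes matched (a length mismatch still returns false immediately).
        if (!CryptographicOperations.FixedTimeEquals(
                Encoding.UTF8.GetBytes(pass), Encoding.UTF8.GetBytes(expected)))
            return 401;
        return AllowedOnThisEndpoint.Contains(user) ? 200 : 403;
    }
}
```

With the constructed data, the header for integration-client yields 200, reporting-client with its correct password yields 403, and any unknown user, wrong password or unparsable header yields 401.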

Performing Basic Authentication in this manner means there will be many Process executions, as every attempt triggers the Process; only valid requests are allowed to continue execution, while invalid requests are terminated early.

This differs from using an authentication method provided by the Frends Platform, where authentication is checked before the Process is triggered, so the Process executes only if the authentication was valid.

Because the credentials are sent in a trivially reversible encoding (Base64 is not encryption) and there might not be a centralized and particularly secure way to manage them, this approach is not recommended for applications requiring high security. API key authentication provides a similar level of security while being managed by the Frends Platform, and should be the preferred authentication method for simple use cases with low security requirements.

Basic Authentication against AD or local users

Only with a self-hosted Frends Agent can the HTTP Trigger be set to use Basic Authentication as its authentication method. The type of user account the Frends Agent service runs under decides whether Basic Authentication is checked against an Active Directory or against the local user accounts on the Agent machine.

If the Frends Agent runs under a local account on the Agent machine, any incoming request to a Process using an HTTP Trigger with Basic Authentication is checked against the local user accounts on that machine.

If instead the Frends Agent runs under an Active Directory account, Basic Authentication is checked against the users in that same AD.

As this authentication method is supported by the Frends Platform, authentication and authorization are done before the Process is triggered, and only valid requests trigger the Process.

Note that there is no way to restrict which user accounts are allowed to connect to the Process. As long as the user account exists and can log in, the request to the API or HTTP Trigger is allowed.

Other forms of Basic Authentication

Unfortunately, Frends does not support implementing Basic Authentication in other ways.

To authenticate API endpoints with Basic Authentication, the method needs to be built into the Process, with no explicit support from the Frends Platform. While this means more requests will trigger the Process initially, it also gives you the freedom to build your own authentication logic around it.

For Frends PaaS Agents hosted in Frends Cloud, the only option for Basic Authentication is likewise to build it into the Process, just as with APIs, even when an HTTP Trigger is used instead.

To control specifically which users can access your API or HTTP Trigger Processes with Basic Authentication, the authentication method also needs to be built into the Process itself, because Frends provides no way to restrict which existing user accounts may access the Process.
