Alibaba Cloud API Gateway authenticates client requests using a variety of methods, including Alibaba Cloud APP and OpenID Connect. Alibaba Cloud APP supports the following authentication modes:
- Signature authentication
- Quick authentication
For more information about signature authentication, seethe “Request signature description” section of the User Guide at Request signature description.
This document describes in detail how to configure and call quick authentication. Quick authentication is a much simpler process than signature authentication. It avoids the need to generate complicated signatures. Quick authentication uses the AppCode issued by API Gateway for identity authentication. The caller can put the AppCode in the request Header or in the Query parameter for quick authentication when calling the API. The process is as follows:
- When creating an API, the API provider sets the authentication mode to Alibaba Cloud APP and select Allow AppCode authentication. All APIs in the Alibaba Cloud marketplace support AppCode by default.
- The API caller can create applications on the Application Management page of the API Gateway console. When a user purchases an API from the marketplace, an application will be created for the user.
- The API provider then grants API permissions to the created application. For more information about the authorization method, see Enable API services.
- The API caller logs on to the API Gateway console. On the Application Management page, they can select AppCode/AppSecret to call signature authentication or select AppCode to call quick authentication.
- When creating an API, you must set Security Certification to either Alibaba Cloud APP or OpenId Connect & Alibaba Cloud APP.
- Set AppCode Certification to Allow AppCode authentication (Header) or Allow AppCode authentication (Header & Query).
The four AppCode authentication options are as follows:
- Open after putting on cloud marketplace: AppCode authentication is disabled by default. After the API is available on the Alibaba Cloud marketplace, the AppCode can be put in the request Header for authentication.
- Disable AppCode authentication: AppCode authentication is disabled no matter whether the API is available on the marketplace. Users must use a signature to call this API.
- Allow AppCode authentication (Header): AppCode authentication is enabled no matter whether the API is available on the marketplace. The AppCode must be put in the request Header for authentication.
- Allow AppCode authentication (Header & Query): AppCode authentication is enabled no matter whether the API is available on the marketplace. The AppCode can be put in either the Header or the Query parameter for authentication.
Note: When defining API parameters, you do not need to define the Header or Header parameter that carries the AppCode.
After you enable AppCode authentication for the API, callers can use quick authentication to call the API without the need to implement complicated signature algorithms on their clients. This section describes how to call an API through quick authentication. An API caller can put the AppCode in either the Header or the Query parameter.
- Add the Authorization parameter to the request Header.
- The value of the Authorization parameter is in the format of APPCODE + space + AppCode value.
Authorization:APPCODE AppCode value
- Add the AppCode to the Query parameter of the request. The following formats of AppCode are supported: appcode, appCode, APPCODE, and APPCode.
- The value of the Authorization parameter is the AppCode value.
Quick authentication is simple because it does not involve the complicated signature generation processes. However, transmitting the AppCode as plaintext over the network threatens data security.
You must make sure that the client and API Gateway are using HTTPS to communicate instead of HTTP or WebSocket. Neither HTTP nor WebSocket encrypts packets for transmission, there is a large risk that the AppCode will be captured by hackers.