All Products
Search

This Product

    Microservices Engine:Configure custom authentication

    Document Center

    Microservices Engine:Configure custom authentication

    Last Updated:Feb 29, 2024

    Cloud-native gateways allow you to configure a custom authentication service to perform unified authentication for all your backend services. This way, you do not need to separately connect each backend service to an authentication service. This topic describes how to configure a custom authentication service for your cloud-native gateway.

    Background information

    In most cases, servers protect the communication security of externally exposed APIs based on the tokens contained in client requests. The token formats are determined based on business requirements.

    • If you use JSON Web Tokens (JWTs), your servers can validate tokens by using a public key anytime anywhere, without the need to access a unified authentication service.

    • If you use custom tokens, after your servers receive requests, the servers must access a unified authentication service to validate the tokens. This helps protect the API communication security. Cloud-native gateways support custom authentication.

    The following example shows how an authentication service that is integrated with a cloud-native gateway processes requests.

    云原生网关接入自建的鉴权服务

    1. The client sends an authentication request, such as a logon request, to the gateway.

    2. The gateway forwards the request to the authentication server.

    3. The authentication server reads the authentication information, such as the username and password, in the authentication request to validate the request. After the request is validated, the authentication server returns a token to the gateway. Then, the gateway sends a response that contains the token to the client.

    4. The client sends a business request, such as a request that contains the /order path. The request contains the token returned by the gateway.

    5. The gateway constructs an authentication request and sends it to the custom authentication service. The authentication request contains the path, HTTP methods, and token. The path contains query parameters, and HTTP methods include GET and POST. You must configure the HTTP header that stores the token in the Microservices Engine (MSE) console. You can configure the authentication request to contain the body of the business request based on your business requirements.

      The path of the authentication request consists of the path of the authentication API of the custom authentication service and the path in the business request. For example, if the path of the authentication API of the custom authentication service is /validateToken, the path of the authentication request is /validateToken/order.

    6. After the authentication service receives the authentication request, the authentication service validates the token and authenticates the business request based on the path contained in the original request.

      • If the authentication service can modify the HTTP status code carried in the authentication response, you can determine the authentication result based on the HTTP status code.

        • If the authentication service returns the HTTP status code 200, the token is valid and authenticated to access requested backend resources. In this case, the gateway forwards the original business request to the protected backend server. The backend server returns a response to the gateway, and then the gateway forwards the response to the client. The order placement is complete.

        • If the authentication service returns the HTTP status code 401 or 403, the token is invalid or is not authenticated to access requested backend resources. In this case, the gateway forwards the authentication response to the client. The order placement fails.

      • If the authentication service can return only the HTTP status code 200 due to business limits, you can determine the authentication result based on the value of the built-in HTTP header x-mse-external-authz-check-result.

        • If the authentication service returns x-mse-external-authz-check-result=true in the response header, the token is valid or authenticated to access backend resources. In this case, the gateway forwards the original business request to the protected backend server. The backend server returns a response to the gateway, and then the gateway forwards the response to the client. The order placement is complete.

        • If the authentication service returns x-mse-external-authz-check-result=false in the response header, the token is invalid or is not authenticated to access backend resources. In this case, the gateway forwards the authentication response to the client. The order placement fails.

    Create a custom authentication service

    1. Log on to the MSE console.

    2. In the left-side navigation pane, choose Cloud-native Gateway > Gateways. In the top navigation bar, select a region.

    3. On the Gateways page, click the name of the gateway.

    4. In the left-side navigation pane, choose Security Management > Authentication.

    5. On the Global Authentication page, click Create Authentication. In the Create Authentication panel, configure the parameters and click OK.

      Parameter

      Description

      Authentication Name

      The name of the custom authentication service.

      Authentication Type

      Select Custom Authentication Service.

      Authentication Service

      The backend service that is used to verify tokens and permissions. You can add the service on the Service Management page. For more information about how to add a service, see Add a service.

      Note

      • Only HTTP services are supported. Services of other protocols such as Dubbo are not supported.

      • If a Kubernetes service has multiple ports, the first port is used by default. If you want to use another port, you need to create an additional Kubernetes service in a Container Service for Kubernetes (ACK) cluster and use only the desired port.

      Authentication API

      The path of the authentication API provided by the authentication service. The path supports the prefix match method.

      For example, if your authentication service is built based on Spring MVC and the path of the authentication API is /check, you must use the following configuration to process the request that contains the /check/** path.

      @RequestMapping("/check/**")
public ResponseEntity<RestResult<String>> check(){}

      Token Location

      The request header that contains the token. The Authorization or Cookie header can be used as the request header. You can select Drop-down List or Manual Input to specify the token location.

      The headers that can be carried in an authentication request.

      By default, the Host, Method, Path, and Content-Length headers from the business request sent by the client are contained in the authentication request. If you want the authentication request to contain other headers, you must configure this parameter.

      Note

      Allow Headers Include in Authentication Response

      If you need to add headers in the authentication response to the business request from a client, you must specify this parameter.

      Note

      If the headers you configure already exist in the business request, the header values are overwritten.

      Allow Include Body in Authentication Request

      If you select Allow Include Body in Authentication Request, the authentication request contains the body of the business request.

      Set Maximum Body Bytes to the maximum length of the business request body that can be contained in an authentication request. Unit: bytes.

      Timeout Period

      The maximum wait time for the authentication service to return results. Unit: seconds. Default value: 10 seconds.

      Mode

      Valid values: Loose Mode and Strict Mode. We recommend that you select Loose Mode.

      • Loose Mode: If the authentication service is unavailable when a connection to the authentication service fails to be established or a 5xx error code is returned, the gateway still accepts requests from the client.

      • Strict Mode: If the authentication service is unavailable when a connection to the authentication service fails to be established or a 5xx error code is returned, the gateway rejects requests from the client.

      Authorization

      The authorization method. Valid values: Whitelist and Blacklist.

      • Whitelist: Requests with the hostnames and paths that you specify in the whitelist do not require authentication. Other requests require authentication.

      • Blacklist: Only requests with the hostnames and paths that you specify in the blacklist require authentication. Other requests do not require authentication.

      Click + Rule Condition to configure domains, paths, and headers.

      • Domain Name: host domains that require access to the cloud-native gateway.

      • Path: paths that require access to the cloud-native gateway.

      • Path Match Condition: You can select Exact Match, Prefix Match, or Regular Expression Match.

        • Exact Match: enter a complete path. Example: /app/v1/order.

        • Prefix Match: enter the prefix of a path. You must add a wildcard character * in the end. For example, for all requests that start with /app, you must specify /app/*.

        • Regular Expression Match: Enter an expression that complies with the Google RE2 syntax. For more information, visit RE2 syntax.

        Case Sensitive: If you select this option, path values are case-sensitive.

      • Header: the header of the request. Click + Request Header to add multiple headers. The AND logic operator is applied to the request headers.

        • HeaderKey: the key of the header field.

        • Condition: the condition that is used to match requests that contain the specified header.

          • Equal To: If the value of a specific key in the header set is the same as the specified value, requests with the header set are matched.

          • Not Equal To: If the value of a specific key in the header set differs from the specified value, requests with the header set are matched.

          • Exists: If the specified value exists in the header set, requests with the header set are matched.

          • Do Not Exist: If the specified value does not exist in the header set, requests with the header set are matched.

          • Include: If the value of a specific key in the header set contains the specified value, requests with the header set are matched.

          • Exclude: If the value of a specific key in the header set does not contain the specified value, requests with the header set are matched.

          • Prefix: If the value of a specific key in the header set uses the specified value as the prefix, requests with the header set are matched.

          • Suffix: If the value of a specific key in the header set uses the specified value as the suffix, requests with the header set are matched.

          • Regular Expression: If the value of a specific key in the header set matches the specified regular expression, requests with the header set are matched. The regular expression complies with the Google RE2 syntax. For more information, see RE2 syntax.

        • Value: the value of the header field.

      Return to the Global Authentication page to view the authentication information. If the configured gateway authentication information is displayed, the custom gateway authentication rule is created.

    View and manage custom authentication services

    1. Log on to the MSE console.

    2. In the left-side navigation pane, choose Cloud-native Gateway > Gateways. In the top navigation bar, select a region.

    3. On the Gateways page, click the name of the gateway.

    4. In the left-side navigation pane, choose Security Management > Authentication.

    5. On the Global Authentication page, find the authentication rule that you want to query and click Details in the Actions column. On the page that appears, view information in the Basic Information and Authentication configuration sections and view and manage information in the Authorization Info section.

      image

      To create an authorization rule, click Create Authorization Info in the Authorization Info section. In the Create Authorization Info dialog box, configure the Request Host and Request Path parameters, select the match mode, and then click OK.

    What to do next

    You can perform the following operations on the authentication rules of a cloud-native gateway:

    • Enable an authentication rule: On the Global Authentication page, find the authentication rule that you want to manage and click Enable in the Actions column.

    • Disable an authentication rule: On the Global Authentication page, find the authentication rule that you want to manage and click Disable in the Actions column.

    • Modify an authentication rule: On the Global Authentication page, find the authentication rule that you want to manage and click Edit in the Actions column.

    • Delete an authentication rule: On the Global Authentication page, find the authentication rule that you want to manage and click Delete in the Actions column.

    Note

    You can modify or delete an authentication rule only if the authentication rule is disabled.