JSON Web Token (JWT) is used to securely transmit information between a client and a server in the form of JSON objects. The transmitted information can be verified and trusted because a JWT can be signed by using a hash-based message authentication code (HMAC) or a public/private key pair with the Rivest-Shamir-Adleman (RSA) or Elliptic Curve Digital Signature Algorithm (ECDSA) algorithm. You can use JWTs to authenticate users and perform access control.
Prerequisites
You have a basic understanding of JWT. For more information, see Introduction to JSON Web Tokens.
You have an understanding of how your authorization service is integrated with Cloud-native API Gateway. Tokens are issued by the authorization service to ensure security, and a public key is configured for your gateway instance to validate tokens.
A private key and a public key are prepared. The private key is used by the authorization service to issue tokens. The public key is used by the gateway instance to validate the tokens contained in requests.
Background information
To provide a systematic security solution for cloud users, Cloud-native API Gateway provides a mechanism for authorized access to your APIs based on JWTs. You can use this mechanism to customize security settings.
Token-based authentication
Cloud-native API Gateway verifies the identities of API callers and determines whether to return the requested resources to them. Tokens are used for identity authentication. When tokens are used, applications do not need to retain user authentication information or session information on the server side. This enables stateless, distributed web application authorization and makes applications easier to scale.
Supported integration method
Create an authentication rule
Log on to the Cloud-native API Gateway console.
In the left-side navigation pane, click Instance. In the top navigation bar, select a region.
On the Instance page, click the name of the gateway instance that you want to manage.
In the left-side navigation tree, choose .
In the upper-left corner of the Global Authentication page, click Create Authentication. In the Create Authentication panel, configure the parameters and click OK.
Parameter: Description
Enable: Specify whether to enable authentication.
Authentication Name: Enter a name for the custom authentication service.
Authentication Type: Select an authentication type. By default, JWT is selected.
Issuer: Enter the issuer that the iss claim of each token must match.
Sub: Enter the subject that the sub claim of each token must match.
JWKS: Enter the public key as a JSON Web Key Set (JWKS). Example:
{
  "keys": [
    {
      "e": "AQAB",
      "kid": "DHFbpoIUqrY8t2zpA2qXfCmr5VO5ZEr4RzHU_-envvQ",
      "kty": "RSA",
      "n": "xAE7eB6qugXyCAG3yhh7pkDkT65pHymX-P7KfIupjf59vsdo91bSP9C8H07pSAGQO1MV_xFj9VswgsCg4R6otmg5PV2He95lZdHtOcU5DXIg_pbhLdKXbi66GlVeK6ABZOUW3WYtnNHD-91gVuoeJT_DwtGGcp4ignkgXfkiEm4sw-4sfb4qdt5oLbyVpmW6x9cfa7vs2WTfURiCrBoUqgBo_-4WTiULmmHSGZHOjzwa8WtrtOQGsAFjIbno85jp6MnGGGZPYZbDAa_b3y5u-YpW7ypZrvD8BgtKVjgtQgZhLAGezMt0ua3DRrWnKqTZ0BJ_EyxOGuHJrLsn00fnMQ"
    }
  ]
}
JWT Token: Configure the parameters that are required to locate and verify each token.
  Type: The type of tokens. This parameter is fixed to HEADER.
  Key: The name of the request header in which each token is stored.
  Prefix: The prefix of the token. By default, each token is prefixed with Bearer and stored in the Authorization header, for example: Authorization: Bearer <Content of a token>.
  Enable Passthrough: If you select this option, tokens are passed to the backend service.
Authorization: The authorization method. Valid values: Whitelist and Blacklist.
  Whitelist: Only requests with the host domain names and paths that you specify in the whitelist can access the gateway instance without authentication.
  Blacklist: Only requests with the host domain names and paths that you specify in the blacklist require authentication.
  Click + Rule Condition to add host domain names and paths.
  Domain Name: The host domain names of the requests to which the rule condition applies.
  Path: The request paths to which the rule condition applies.
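What the Issuer, Sub and JWKS parameters mean at runtime, shown end to end as an added example in Go that is not the gateway's own code: the authorization service signs a token with its private key, and the gateway-side Verify selects the key by kid from the configured JWKS, checks the RS256 signature, and then enforces the configured Issuer and Sub together with the exp claim. Assumptions: RS256 only, a kid header is present, and Verify receives the token after the Bearer prefix has been stripped from the Authorization header.

```go
package main

import (
	"crypto"; "crypto/rand"; "crypto/rsa"; "crypto/sha256"; "encoding/base64"
	"encoding/json"; "errors"; "math/big"; "strings"
)

// JWK and JWKS mirror the {"keys":[...]} document entered in the JWKS field (constructed types, RSA only).
type JWK struct{ Kty, Kid, N, E string }
type JWKS struct{ Keys []JWK }
func b64(b []byte) string   { return base64.RawURLEncoding.EncodeToString(b) }
func unb64(s string) []byte { b, _ := base64.RawURLEncoding.DecodeString(s); return b }
// NewSigningKey is the authorization service's key pair; JWKFor exports its public half for the gateway.
func NewSigningKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
func JWKFor(priv *rsa.PrivateKey, kid string) JWK {
	e := big.NewInt(int64(priv.PublicKey.E)).Bytes() // 65537 encodes as "AQAB", as in the page's example
	return JWK{Kty: "RSA", Kid: kid, N: b64(priv.PublicKey.N.Bytes()), E: b64(e)}
}
// Issue is the authorization service side: RS256-sign the claims with the private key.
func Issue(priv *rsa.PrivateKey, kid string, claims map[string]any) (string, error) {
	h, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	c, _ := json.Marshal(claims)
	signing := b64(h) + "." + b64(c)
	d := sha256.Sum256([]byte(signing))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
	return signing + "." + b64(sig), err
}
// Verify is the gateway side: pin alg (never trusted from the token), select the key by kid,
// check the signature, then enforce the configured Issuer and Sub and the exp claim.
func Verify(token string, set JWKS, iss, sub string, nowUnix int64) (map[string]any, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	if len(parts) != 3 || json.Unmarshal(unb64(parts[0]), &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("malformed token or unexpected alg")
	}
	var key *JWK
	for i := range set.Keys {
		if set.Keys[i].Kty == "RSA" && set.Keys[i].Kid == hdr.Kid { key = &set.Keys[i] }
	}
	if key == nil { return nil, errors.New("no RSA key with this kid in the JWKS") }
	pub := &rsa.PublicKey{N: new(big.Int).SetBytes(unb64(key.N)), E: int(new(big.Int).SetBytes(unb64(key.E)).Int64())}
	d := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	var claims map[string]any
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], unb64(parts[2])) != nil || json.Unmarshal(unb64(parts[1]), &claims) != nil {
		return nil, errors.New("bad signature or claims")
	}
	if exp, _ := claims["exp"].(float64); claims["iss"] != iss || claims["sub"] != sub || nowUnix >= int64(exp) {
		return nil, errors.New("issuer, subject or expiry rejected")
	}
	return claims, nil
}
```

Every rejection path returns an error rather than a partial result, which is the behaviour to expect from the gateway: a wrong issuer, an unknown kid, or a token signed by a key outside the configured JWKS all fail closed.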
View the details of an authentication rule
Log on to the Cloud-native API Gateway console.
In the left-side navigation pane, click Instance. In the top navigation bar, select a region.
On the Instance page, click the name of the gateway instance that you want to manage.
In the left-side navigation tree, choose .
On the Global Authentication page, find the authentication rule that you want to query and click Details in the Actions column. On the page that appears, you can view information in the Basic Information and Authentication Configuration sections and view and manage information in the Authorization Information section.

To create an authorization rule, click Add Authorization Information in the Authorization Information section. In the Add Authorization Information dialog box, configure the Request Domain Name and Request Path parameters.
Verify the result
Go to the Global Authentication page. If the authentication rule is displayed on the Global Authentication page, the rule is created.
What to do next
You can perform the following operations on the authentication rules of a gateway instance:
Enable an authentication rule: On the Global Authentication page, find the authentication rule that you want to manage and click Enable in the Actions column.
Disable an authentication rule: On the Global Authentication page, find the authentication rule that you want to manage and click Disable in the Actions column.
Modify an authentication rule: On the Global Authentication page, find the authentication rule that you want to manage and click Edit in the Actions column.
Delete an authentication rule: On the Global Authentication page, find the authentication rule that you want to manage and click Delete in the Actions column.
Only disabled authentication rules can be deleted.
References
For more information about other authentication mechanisms, see Overview.