
Microservices Engine: Configure JWT authentication

Last Updated: Apr 10, 2024

JSON Web Token (JWT) is a compact format for securely transmitting information between a client and a server as a JSON object. The transmitted information can be verified and trusted because a JWT is signed, either with a hash-based message authentication code (HMAC) or with a public/private key pair using the Rivest-Shamir-Adleman (RSA) or Elliptic Curve Digital Signature Algorithm (ECDSA) algorithm. You can use JWTs to authenticate users and enforce access control.

Prerequisites

  • You have a basic understanding of JWT. For more information, see Introduction to JSON Web Tokens.

  • You understand how your authorization service is integrated with the cloud-native gateway: the authorization service issues the tokens, and the public key that validates them is configured on the cloud-native gateway.

  • The private key and public key are prepared. The private key is used by the authorization service to issue tokens. The public key is used by the cloud-native gateway to validate the tokens contained in requests.

Background information

To provide a systematic security solution for cloud users, cloud-native gateways provide a mechanism for authorized access to your APIs based on JWTs. You can use this mechanism to customize security settings.

Token-based authentication

Cloud-native gateways verify the identities of requesters who make API calls and determine whether to return the requested resources. Tokens are used for this identity authentication. With tokens, applications do not need to keep user authentication state or session information on the server side, which enables stateless, distributed authorization for web applications and makes them easier to scale.

Supported integration method

[Figure: supported integration method (the diagram is not reproduced in this text)]

Create an authentication rule

  1. Log on to the MSE console.

  2. In the left-side navigation pane, choose Cloud-native Gateway > Gateways. In the top navigation bar, select a region.

  3. On the Gateways page, click the name of the gateway.

  4. In the left-side navigation pane, choose Security Management > Global Authentication.

  5. In the upper-left corner of the Global Authentication page, click Create Authentication. In the Create Authentication panel, configure the parameters and click OK.

    Authentication Name: Enter a name for the authentication rule.

    Authentication Type: Select an authentication type. By default, JWT is selected.

    Issuer: Enter the expected issuer (the iss claim) of the JWTs.

    Sub: Enter the expected subject (the sub claim) of the JWTs.

    JWKS: Enter the public key, as a JSON Web Key Set (JWKS), that the gateway uses to validate token signatures. Example:

    {
        "keys": [
            {
                "e": "AQAB",
                "kid": "DHFbpoIUqrY8t2zpA2qXfCmr5VO5ZEr4RzHU_-envvQ",
                "kty": "RSA",
                "n": "xAE7eB6qugXyCAG3yhh7pkDkT65pHymX-P7KfIupjf59vsdo91bSP9C8H07pSAGQO1MV_xFj9VswgsCg4R6otmg5PV2He95lZdHtOcU5DXIg_pbhLdKXbi66GlVeK6ABZOUW3WYtnNHD-91gVuoeJT_DwtGGcp4ignkgXfkiEm4sw-4sfb4qdt5oLbyVpmW6x9cfa7vs2WTfURiCrBoUqgBo_-4WTiULmmHSGZHOjzwa8WtrtOQGsAFjIbno85jp6MnGGGZPYZbDAa_b3y5u-YpW7ypZrvD8BgtKVjgtQgZhLAGezMt0ua3DRrWnKqTZ0BJ_EyxOGuHJrLsn00fnMQ"
            }
        ]
    }

    JWT Token: Configure the parameters that the gateway needs to locate and verify each token.

    • Type: The location of the token in the request. Default: HEADER.

    • Key: The name of the request header that carries the token.

    • Prefix: The prefix that precedes the token value. By default, the token is stored in the Authorization header with the prefix Bearer, for example, Authorization: Bearer <Content of a token>.

    • Enable Passthrough: If you select this option, the token is forwarded to the backend service.

    Authorization: The authorization mode. Valid values: Whitelist and Blacklist.

    • Whitelist: Requests whose host domain name and path match an entry in the whitelist can access the cloud-native gateway without authentication; all other requests require a valid token.

    • Blacklist: Only requests whose host domain name and path match an entry in the blacklist require authentication; all other requests are not authenticated.

    Click + Rule Condition to add host domain names and paths.

    • Domain Name: The host domain names that the rule condition matches.

    • Path: The request paths that the rule condition matches.
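As an added example (not code from this page or from MSE), the following Python models what the gateway does with the rule configured above: it takes the token from the header named by Key, strips the Prefix, verifies the RS256 signature against the JWKS, checks the iss and sub claims, and applies the Whitelist or Blacklist conditions. The issuer-side signing routine is included only so the script runs offline; the key pair is constructed from two public Mersenne primes and is therefore not secret, and the rule dict fields, the prefix matching of paths and the claim values are assumptions.

```python
import base64, hashlib, hmac, json

# Constructed toy RSA key for the self-test only: both primes are public Mersenne
# primes, so it is NOT secret. A real issuer uses a 2048-bit key and publishes only n and e.
P, Q, E = (1 << 521) - 1, (1 << 607) - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))

def b64u(raw): return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def b64u_dec(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def int_to_b64u(x): return b64u(x.to_bytes((x.bit_length() + 7) // 8, "big"))

DIGESTINFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 9.2
def pkcs1_v15_encode(msg, k):  # RSASSA-PKCS1-v1_5 encoding of SHA-256(msg) for a k-byte modulus
    t = DIGESTINFO_SHA256 + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def issue_token(claims, kid="demo"):
    """What the authorization service does with its private key: RS256-sign the claims."""
    header = b64u(json.dumps({"alg": "RS256", "kid": kid}).encode())
    signing_input = header + "." + b64u(json.dumps(claims).encode())
    k = (N.bit_length() + 7) // 8
    s = pow(int.from_bytes(pkcs1_v15_encode(signing_input.encode(), k), "big"), D, N)
    return signing_input + "." + b64u(s.to_bytes(k, "big"))
JWKS = {"keys": [{"kty": "RSA", "kid": "demo", "e": int_to_b64u(E), "n": int_to_b64u(N)}]}

def verify_token(token, jwks, issuer, sub):
    """Gateway-side check: RS256 signature against the JWKS, then the iss and sub claims."""
    try:
        h, p, s = token.split(".")
        header, claims, sig = json.loads(b64u_dec(h)), json.loads(b64u_dec(p)), b64u_dec(s)
        key = next(k for k in jwks["keys"] if k["kty"] == "RSA" and k["kid"] == header.get("kid"))
    except (ValueError, KeyError, AttributeError, StopIteration):
        return False
    if header.get("alg") != "RS256": return False   # the token must not pick the algorithm ("none")
    n, e = int.from_bytes(b64u_dec(key["n"]), "big"), int.from_bytes(b64u_dec(key["e"]), "big")
    k = (n.bit_length() + 7) // 8
    if len(sig) != k or int.from_bytes(sig, "big") >= n: return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return (hmac.compare_digest(em, pkcs1_v15_encode((h + "." + p).encode(), k))
            and claims.get("iss") == issuer and claims.get("sub") == sub)

def gateway_allows(rule, host, path, headers):
    """rule: issuer, sub, jwks, header (Key), prefix, mode (Whitelist|Blacklist), conditions [(host, path)].
    Whitelist: listed pairs skip authentication; Blacklist: only listed pairs require it."""
    listed = any(host == d and path.startswith(p) for d, p in rule["conditions"])  # prefix match assumed
    needs_auth = not listed if rule["mode"] == "Whitelist" else listed
    if not needs_auth: return True
    value = headers.get(rule["header"], "")                 # Type=HEADER, Key=header name
    if not value.startswith(rule["prefix"]): return False   # Prefix, e.g. "Bearer "
    return verify_token(value[len(rule["prefix"]):], rule["jwks"], rule["issuer"], rule["sub"])
```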

View the details of an authentication rule

  1. Log on to the MSE console.

  2. In the left-side navigation pane, choose Cloud-native Gateway > Gateways. In the top navigation bar, select a region.

  3. On the Gateways page, click the name of the gateway.

  4. In the left-side navigation pane, choose Security Management > Global Authentication.

  5. On the Global Authentication page, find the authentication rule that you want to query and click Details in the Actions column. On the page that appears, you can view information in the Basic Information and Authentication Configuration sections and view and manage information in the Authorization Information section.


    To create an authorization rule, click Add Authorization Information in the Authorization Information section. In the Add Authorization Information dialog box, configure the Request Domain Name and Request Path parameters.

Verify the result

Go to the Global Authentication page. If the authentication rule was created successfully, it is listed on this page.

What to do next

You can perform the following operations on the authentication rules of a cloud-native gateway:

  • Enable an authentication rule: On the Global Authentication page, find the authentication rule that you want to manage and click Enable in the Actions column.

  • Disable an authentication rule: On the Global Authentication page, find the authentication rule that you want to manage and click Disable in the Actions column.

  • Modify an authentication rule: On the Global Authentication page, find the authentication rule that you want to manage and click Edit in the Actions column.

  • Delete an authentication rule: On the Global Authentication page, find the authentication rule that you want to manage and click Delete in the Actions column.

Note

You can delete an authentication rule only if the authentication rule is disabled.

References

For more information about other authentication mechanisms, see Gateway authentication overview.