edas-service-auth is a service authentication plug-in that is provided by Enterprise Distributed Application Service (EDAS). edas-service-auth adds authentication information to call requests from a Microservices Engine (MSE) cloud-native gateway to EDAS applications. The authentication information helps implement access control on specific microservice applications. This topic describes how to configure the edas-service-auth plug-in.
Description
If a whitelist for service authentication is configured for microservices in the EDAS console, EDAS performs identity authentication on requests from cloud-native gateways. Before your cloud-native gateway calls the EDAS microservices, you must add your cloud-native gateway to the whitelist. Otherwise, the HTTP status code 403 is returned.

If service authentication with protection against replay attacks is configured for microservices in the EDAS console, EDAS also performs timeout control and signature verification on requests from cloud-native gateways. If a request times out or signature verification fails, the HTTP status code 403 is returned. For more information, see Implement access control on Spring Cloud applications by using service authentication.
Plug-in type
Authentication plug-in.
Fields
Authentication configuration
Name | Data type | Required | Default value | Description |
instanceId | string | Yes | - | The ID of the gateway. The ID must start with gw- and is contained in request headers to specify gateway identity information. |
enableAntiReplay | bool | Yes | false | The anti-replay switch. If this parameter is set to true, the timestamp and hash-based message authentication code (HMAC) signature are added to request headers for anti-replay verification. |
Configuration examples
# The ID of the gateway.
instanceId: gw-xxxxxxxxxx
# Enable anti-replay.
enableAntiReplay: true

After the edas-service-auth plug-in is configured and enabled, requests that contain the following headers from gateways are allowed:
__micro.service.mse.gateway.id__:gw-xxxxxxxxxx # The ID of the gateway, which must be the same as the value of the instanceId parameter.
__micro.service.timestamp__:1676362179999 # The timestamp in milliseconds when the request was initiated.
__micro.service.signature__:7bTXDwgHsIcz0c3ddAzzo1Pmzf+O07iOeGTque6OYbo= # The generated signature.
__micro.service.secretkey__:fKiokSbOSbISFgjDxwRCUuOerBDguCXq # The signature key.
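
The checks described above (whitelist, timeout control, signature verification, each failing with 403), written out as an added example that is not EDAS or MSE code. The page does not document the signed string, the hash function or the timeout, so HMAC-SHA256 over `<gateway id>\n<timestamp>`, the 60-second window and the per-gateway `secrets` table are assumptions, and the `__micro.service.secretkey__` header is not used.

```python
import base64
import hashlib
import hmac

# Header names as listed on this page.
H_ID = "__micro.service.mse.gateway.id__"
H_TS = "__micro.service.timestamp__"
H_SIG = "__micro.service.signature__"

MAX_SKEW_MS = 60_000  # assumed freshness window; the page gives no value


def sign(secret: bytes, gateway_id: str, ts_ms: str) -> str:
    """Assumed scheme: base64(HMAC-SHA256(secret, '<gateway id>\\n<timestamp>'))."""
    mac = hmac.new(secret, f"{gateway_id}\n{ts_ms}".encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def authorize(headers, whitelist, secrets, now_ms, anti_replay=True):
    """Return the status a protected service would answer with: 200 or 403."""
    gw = headers.get(H_ID, "")
    if not gw.startswith("gw-") or gw not in whitelist:
        return 403  # gateway is not on the whitelist
    if not anti_replay:
        return 200
    ts, sig = headers.get(H_TS, ""), headers.get(H_SIG, "")
    if not (ts.isascii() and ts.isdigit()):
        return 403  # missing or malformed timestamp
    if abs(now_ms - int(ts)) > MAX_SKEW_MS:
        return 403  # request timed out, so a captured copy is useless later
    secret = secrets.get(gw)
    if secret is None:
        return 403
    expected = sign(secret, gw, ts)
    # Constant-time comparison: do not leak how much of the signature matched.
    ok = hmac.compare_digest(expected.encode(), sig.encode())
    return 200 if ok else 403


if __name__ == "__main__":
    # Constructed sample values, not real gateway IDs or keys.
    key, gw, ts = b"constructed-demo-key", "gw-example", "1676362179999"
    req = {H_ID: gw, H_TS: ts, H_SIG: sign(key, gw, ts)}
    now = int(ts) + 1
    print("fresh request:   ", authorize(req, {gw}, {gw: key}, now))
    print("replayed 2m later:", authorize(req, {gw}, {gw: key}, now + 120_000))
    print("not whitelisted: ", authorize(req, set(), {gw: key}, now))
```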