Third-Party Authorizer

You can configure your own service to authenticate API requests. APIG first invokes this service for authentication, and then invokes the backend service after receiving a success response.

Note

If your gateway does not support this policy, contact technical support to upgrade the gateway to the latest version.

The following figure shows the principle of third-party authentication. After binding a third-party authentication policy to an API, call the API by referring to Calling APIs.

image1

Prerequisites

You have understood the guidelines for policy creation and API binding.

Configuration Parameters

Table 1 Configuration parameters

Parameter

Description

Load Balance Channel

Whether to connect a third-party authentication service using a load balance channel.

Backend URL

  • Method

    GET, POST, PUT, and HEAD are supported.

  • Protocol

    HTTP or HTTPS. HTTPS is recommended for transmitting important or sensitive data.

  • Load Balance Channel (if applicable)

    Set this parameter only if a load balance channel is used. Select a load balance channel. If no required channel is available, click Create Load Balance Channel to create one.

  • Backend Address (if applicable)

    Set this parameter if no load balance channel is used.

    Enter the access address of the authentication service in the format of Host:Port. Host indicates the IP address or domain name for accessing the authentication service. If no port is specified, ports 80 and 443 are used by default for HTTP and HTTPS, respectively.

    Note

    Only IPv4 addresses are supported.

  • Path

    Path (URL) of the authentication service.

Timeout (ms)

Timeout of the authentication service. It cannot exceed the max. timeout of the backend service. View the timeout limit on the Parameters tab of the gateway details page.

Host Header

Set this parameter only if a load balance channel is used.

Define a host header for requests to be sent to cloud servers associated with the load balance channel. By default, the original host header in each request is used.

Brute Force Threshold

IP addresses whose number of third-party authentication failure attempts within 5 minutes exceeds this threshold will be blocked. They will be unblocked after 5 minutes.

For example, if an IP address has failed third-party authentication more than the configured threshold in the third minute, the address is blocked, and will be unblocked after 2 minutes.

Identity Sources

Parameters to obtain from the original API requests for third-party authentication. Max. 10 headers and 10 query strings. If not specified, all headers and query strings in the original requests will be used.

Relaxed Mode

When this option is enabled, APIG accepts client requests even when your authentication service cannot connect or returns an error code starting with "5".

Allow Original Request Body

When this option is enabled, the original request body is included for authentication.

Request Body Size (bytes)

Available only when Allow Original Request Body is enabled.

The value cannot exceed the max. request body size of the gateway. View the request body size limit on the Parameters tab of the gateway details page.

Allow Original Request Path

When this option is enabled, the original request path is added to the end of the authentication request path.

Return Response

When this option is enabled, the authentication response is returned on failure.

Allowed Response Headers

Headers to obtain from the authentication response and send to the backend service, when the authentication is successful.

Max. 10 headers.

Simple Authentication

When this option is enabled, status codes starting with "2" indicate successful authentication.

Authentication Result

Available only when Simple Authentication is disabled.

Responses whose headers contain these parameters with the same values indicate successful authentication.

Blacklist/Whitelist

When this option is enabled, whether API requests require third-party authentication depends on the configured blacklist or whitelist rules.

Type

  • Whitelist

    API requests matching the whitelist rules do not require third-party authentication.

  • Blacklist

    API requests matching the blacklist rules require third-party authentication.

Parameters

Define parameters for rule matching.

  • Parameter Location: the location of a parameter used for rule matching.

    • path: API request URI. This parameter is configured by default.

    • method: API request method. This parameter is configured by default.

    • header: the key of a request header.

    • query: the key of a query string.

    • system: a system parameter.

  • Parameter: the name of a parameter to match the specified value in a rule.

Rules

Define conditions for rule matching.

Click Add Rule and edit the rule name and conditions. In the Condition Expressions dialog box, select a parameter and operator, and enter a value.

  • =: equal to

  • !=: not equal to

  • pattern: regular expression

  • enum: enumerated values. Separate them with commas (,).

Example Script

{
  "auth_request": {
    "method": "GET",
    "protocol": "HTTPS",
    "url_domain": "192.168.10.10",
    "timeout": 5000,
    "path": "/",
    "vpc_channel_enabled": false,
    "vpc_channel_info": null
  },
  "custom_forbid_limit": 100,
  "carry_body": {
    "enabled": true,
    "max_body_size": 1000
  },
  "auth_downgrade_enabled": true,
  "carry_path_enabled": true,
  "return_resp_body_enabled": false,
  "carry_resp_headers": [],
  "simple_auth_mode_enabled": true,
  "match_auth": null,
  "rule_enabled": false,
  "rule_type": "allow"
}