Esta página aún no está disponible en su idioma local. Estamos trabajando arduamente para agregar más versiones de idiomas. Gracias por tu apoyo.
- What's New
- Function Overview
- Product Bulletin
- Service Overview
- Getting Started
-
User Guide
- Overview
- Gateway Management
- API Group Management
- API Management
- Request Throttling
- Access Control
- Environment Management
- Signature Key Management
- VPC Channel Management
- Custom Authorizers
- Plug-ins
- Monitoring
- App Management
- Log Analysis
- SDKs
- Calling Published APIs
- Permissions Management
- Key Operations Recorded by CTS
-
Developer Guide
- Overview
- Authentication Mode Selection
- Calling APIs Through App Authentication
- Calling APIs Through IAM Authentication
- Creating a Function for Frontend Custom Authentication
- Creating a Function for Backend Custom Authentication
- Creating Signatures for Backend Requests
-
Importing and Exporting APIs
- Restrictions and Compatibility
- Extended Definition
- API Import Precautions
- Examples of Importing APIs
- API Export Precautions
-
API Reference
- Before You Start
- Calling APIs
-
Dedicated Gateway APIs (V2)
- API Group Management
- Environment Management
- Environment Variable Management
- Request Throttling Policy Management
-
API Management
- Registering an API
- Modifying an API
- Deleting an API
- Publishing an API or Taking an API Offline
- Querying API Details
- Querying APIs
- Debugging an API
- Publishing APIs or Taking APIs Offline
- Querying Historical Versions of an API
- Switching the Version of an API
- Querying the Runtime Definition of an API
- Querying API Version Details
- Taking an API Version Offline
- Signature Key Management
- Binding/Unbinding Signature Keys
- Binding/Unbinding Request Throttling Policies
- Excluded Request Throttling Configuration
- App Authorization Management
- Resource Query
- App Management
- Domain Name Management
- Access Control Policy Management
- Binding/Unbinding Access Control Policies
- Custom Authorizer Management
- API Import and Export
- VPC Channel Management
- Monitoring Information Query
- Group Response Management
- Tag Management
- Gateway Feature Management
- Configuration Management
-
Gateway Management
- Creating a Dedicated Gateway
- Querying Dedicated Gateway Details
- Updating a Dedicated Gateway
- Querying the Creation Progress of a Dedicated Gateway
- Updating or Binding an EIP to a Dedicated Gateway
- Unbinding the EIP of a Dedicated Gateway
- Enabling Public Access for a Dedicated Gateway
- Updating the Outbound Access Bandwidth of a Dedicated Gateway
- Disabling Public Access for a Dedicated Gateway
- Querying AZs
- Querying Dedicated Gateways
- Deleting a Dedicated Gateway
- Permissions Policies and Supported Actions
- Appendix
- Change History
- SDK Reference
- Best Practices
-
FAQs
- Common FAQs
-
API Creation
- Why Can't I Create APIs?
- How Do I Define Response Codes for an API?
- How Do I Specify the Host Port for a VPC Channel (or Load Balance Channel)?
- How Do I Set the Backend Address If I Will Not Use a VPC Channel (or Load Balance Channel)?
- How Can I Configure the Backend Service Address?
- Can I Specify a Private Network Load Balancer Address for the Backend Service?
- Can I Specify the Backend Address as a Subnet IP Address?
- Does APIG Support Multiple Backend Endpoints?
- What Should I Do After Applying for an Independent Domain Name?
- Can I Bind Private Domain Names for API Access?
- Why Does an API Failed to Be Called Across Domains?
-
API Calling
- What Are the Possible Causes for an API Calling Failure?
- What Should I Do If an Error Code Is Returned During API Calling?
- Why Am I Seeing the Error Message "414 Request-URI Too Large" When I Call an API?
- What Should I Do If "The API does not exist or has not been published in the environment." Is Displayed?
- Why Am I Seeing the Message "No backend available"?
- What Are the Possible Causes If the Message "Backend unavailable" or "Backend timeout" Is Displayed?
- Why Am I Seeing the Message "Backend domain name resolution failed" When a Backend Service Is Called?
- Why Doesn't Modification of the backend_timeout Parameter Take Effect?
- How Do I Switch the Environment for API Calling?
- What Is the Maximum Size of an API Request Package?
- How Do I Perform App Authentication in iOS System?
- Why Can't I Create a Header Parameter Named x-auth-token for an API Called Through IAM Authentication?
- App FAQs
- Can Mobile Apps Call APIs?
- Can Applications Deployed in a VPC Call APIs?
- How Do I Implement WebSocket Data Transmission?
- Does APIG Support Persistent Connections?
- How Will the Requests for an API with Multiple Backend Policies Be Matched and Executed?
- Is There a Limit on the Size of the Response to an API Request?
- How Can I Access Backend Services over Public Networks Through APIG?
-
API Authentication
- Does APIG Support HTTPS Two-Way Authentication?
- How Do I Call an API That Does Not Require Authentication?
- Which TLS Versions Does APIG Support?
- Does APIG Support Custom Authentication?
- Will the Request Body Be Signed for Security Authentication?
- Common Errors Related to IAM Authentication Information
- API Control Policies
- API Publishing
- API Import and Export
- API Security
-
Other FAQs
- What Are the Relationships Between an API, Environment, and App?
- How Can I Use APIG?
- What SDK Languages Does APIG Support?
- Can I Upload Files Using the POST Method?
- What Are the Error Messages Returned by APIG Like?
- How Do I Use APIG to Open Up Services Deployed on Huawei Cloud?
- Can APIG Be Deployed in a Local Data Center?
- Videos
Creating a Function for Backend Custom Authentication
Scenarios
To protect backend services, you can use multiple external authentication systems by configuring one authentication mechanism. You need to create a FunctionGraph function for backend custom authentication and define the required authentication information in the function. The function then serves as a custom authentication backend to authenticate requests forwarded by APIG.
The following figure shows the process of calling APIs using custom authentication.
FunctionGraph is required for custom authorizers. If FunctionGraph is unavailable in the selected region, custom authorizers are not supported.
Procedure
- Create a function in FunctionGraph.
The function code must meet the following requirements (Python 2.7 is used as an example):
- The custom user data contained in the function code must be in the following format: event["user_data"].
- The custom user data corresponds to the user data defined for the custom authorizer. You can define the user data in any format.
- The response of the function cannot be greater than 1 MB and must be displayed in the following format:
{ "statusCode":200, "body": "{\"status\": \"allow\", \"context\": {\"user\": \"abc\"}}" }
The body field is a character string, which is JSON-decoded as follows:
{ "status": "allow/deny", "context": { "user": "abc" } }
The status field is mandatory and is used to identify the authentication result. The authentication result can only be allow or deny. allow indicates that the authentication is successful, and deny indicates that the authentication fails.
The context field is optional and can only be key-value pairs. The key value cannot be a JSON object or an array.
The context field contains custom user data. After successful authentication, the user data is mapped to the backend parameters. The parameter name in context is case-sensitive and must be the same as the system parameter name. The parameter name in context must start with a letter and contain 1 to 32 characters, including uppercase letters, lowercase letters, digits, underscores (_), and hyphens (-).
After successful backend authentication, the value abc of user in context is mapped to the test parameter in the Header location of backend requests and passed to the backend service.
Figure 3 Mapping between authentication parameters and backend parameters
Example user data:
# -*- coding:utf-8 -*- import json import base64 def handler(event, context): exampleuserdata=base64.b64encode(event["user_data"]) resp = { 'statusCode': 200, 'body': json.dumps({ "status":"allow", "context":{ "user":exampleuserdata } }) } return json.dumps(resp)
- Test the function. In the Configure Test Event dialog box, select blank-template, and set the following test event:
{"user_data": "123"}
Click Save. Then click Test.
If the execution result is Success, the test is successful.
Next, you need to go to the APIG console to create a backend custom authorizer.
Follow-Up Operations
Create a custom authorizer for backend authentication on the APIG console.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.