Creating a Frontend Custom Authorizer

Overview

To use your own API calling authentication system, create a custom authorizer.

Custom authorizers are classified into the following types:

• Frontend: ROMA Connect uses a custom authentication function to authenticate API requests.
• Backend: The backend service of an API uses a custom authentication function to authenticate requests forwarded by ROMA Connect.

This section describes how to create a frontend custom authorizer. Ensure that you have created a function backend before using it for a custom authorizer.

Creating a Function Backend for Frontend Authentication

1. Log in to the ROMA Connect console. On the Instances page, click View Console next to a specific instance.
2. In the navigation pane on the left, choose API Connect > Custom Backends. On the Backends tab page, click Create Backend.
3. On the Create Backend page, set backend parameters and click Create.
   • Backend Request Method must be set to POST.
   • The input parameters are not required. The function backend will obtain the values of the header and query parameters from API requests.
   • For details about the settings of other parameters, see Creating a Function API.

   After the backend is created, the online IDE page is automatically displayed.

4. Develop a function backend.

   In the upper left corner of the online IDE, choose File > Create Function Backend > Blank Template. In the dialog box displayed, click Yes. Compile a function script for security authentication and click Save.

   The function script used for frontend custom authentication must meet the following conditions:

   • For the request parameters obtained using the function script:
     • Header parameter: indicates the identity source parameter in Header defined in custom authentication. The parameter value is transferred from the API request that uses the frontend custom authentication. The called parameter in the function script is in the format of: body["headers"]["Parameter name"].
     • Query parameter: indicates the identity source parameter in Query defined in custom authentication. The parameter value is transferred from the API request that uses the frontend custom authentication. The called parameter in the function script is in the format of: body["queryStringParameters"]["Parameter name"].
     • Body parameter: user data defined when a custom authorizer is created. The format of calling the body parameter is body["user_data"].
     NOTE:

     During frontend custom authentication, the header and query parameters of API requests are placed in the headers and queryStringParameters parameters of the backend request body and transferred to the authentication function. Therefore, when the header and query parameters need to be called in a function script, the parameters need to be obtained from the backend request body. For details about the examples of headers and queryStringParameters in the backend request body, see Test Procedure Examples.

   • Response

     The response body cannot be greater than 1 MB. The response content must meet the following format:

     {
       "status": "allow/deny",
       "context": {
         "user": "abc"
       }
     }
     • status: identifies the authentication result. This field is mandatory. Only allow or deny is supported. allow indicates that the authentication is successful, and deny indicates that the authentication fails.
     • context: indicates the authentication response result. This field is mandatory. Only key-value pairs of the string type are supported. The key value does not support JSON objects or arrays.

       The data in the context is user-defined. After the authentication is successful, the data can be used as a system parameter (frontend authentication parameter) and mapped to the backend request parameter of the API. The system parameter name set in the API backend service must be the same as the parameter name in the context. The parameter name is case sensitive. The parameter name in context must start with a letter and contain 1 to 32 characters, including letters, digits, underscores (_), and hyphens (-).

   The following is an example of the Header parameter definition script:

   function execute(data){
     data=JSON.parse(data)
     body=data.body
     if(body["headers"]["test"]=='abc'){
       return{
         "status": "allow",
         "context": {
           "user": "abcd"
         }
       }
     }else{
       return{
         "status": "deny"
       }
     }
   }

   The following is an example of the Query parameter definition script:

   function execute(data){
     data=JSON.parse(data)
     body=data.body
     if(body["queryStringParameters"]["test"]=='abc'){
       return{
         "status": "allow",
         "context": {
           "user": "abcd"
         }
       }
     }else{
       return{
         "status": "deny"
       }
     }
   }

   The following is an example of the Body parameter definition script:

   function execute(data){
     data=JSON.parse(data)
     body=data.body
     if(body["user_data"]=='abc'){
       return{
         "status": "allow",
         "context": {
           "user": "abcd"
         }
       }
     }else{
       return{
         "status": "deny"
       }
     }
   }
5. Test the function backend.

   In the upper right corner of the page, click Test. In the Test Parameters area, add request parameters required for authentication based on the definition of the function backend and click Test to send the request. If the value of status in the test result is allow, the test is successful.

   In the Test Parameters area, set backend request parameters. The Header, Query, and Body authentication parameters must be set in the Body parameter of the backend request. Based on the preceding script examples, the following describes how to set the authentication parameters:

   • Header parameter

     {
       "headers":{
         "test":"abc"
       }
     }
   • Query parameter

     {
       "queryStringParameters":{
         "test":"abc"
       }
     }
   • Body parameter

     {
       "user_data": "abc"
     }
6. Deploy the function backend.

   After the backend test is complete, click Deploy in the upper right corner of the page. In the dialog box displayed, click Yes to deploy the function backend.

Creating a Frontend Custom Authorizer

Before creating a frontend custom authorizer, ensure that the function backend used for frontend custom authentication has been created. Otherwise, create a function backend first. For details, see Creating a Function Backend for Frontend Authentication.

1. Log in to the ROMA Connect console. On the Instances page, click View Console next to a specific instance.
2. In the navigation pane on the left, choose API Connect > API Management. On the Custom Authorizers tab page, click Create.
3. In the Create Custom Authorizer dialog box, configure custom authorizer information and click Create.

   Table 1 Parameters for creating a frontend custom authorizer

   Parameter	Description
   Name	Enter a custom authorizer name. It is recommended that you enter a name based on naming rules to facilitate search.
   Type	Select Frontend.
   Integration Application	Select an integration application for the custom authorizer.
   Function URN	Select a function backend for frontend custom authentication. Only function backends in the Deployed state can be selected.
   Identity Sources	Add header or query request parameters used for authentication. If the value of Cache Duration is not 0, a request parameter must be added. When the authentication result is cached, this parameter is used as the cache index of the authentication result.
   Max. Cache Age (s)	Set the time for caching authentication results. Value 0 means that authentication results will not be cached. The maximum value is 3600.
   Send Request Body	Determine whether to send the API request body to the authentication function.
   User Data	Enter custom parameters, which will be used together with Identity Sources for request authentication.