Creating a Backend Custom Authorizer
Overview
If you need to use your own authentication system for authenticating backend service requests, you can create a custom authorizer.
Custom authorizers are classified into the following types:
- Frontend custom authorizer: ROMA Connect uses a custom authentication function to authenticating received API requests.
- Backend custom authorizer: The backend service of an API uses a custom authentication function to authenticating backend service requests forwarded by ROMA Connect.
This section describes how to create a backend custom authorizer. You need to create a function backend as the authentication function, and use the function backend as the authentication backend in custom authentication.
Creating a Function Backend for Backend Authentication
- Log in to the ROMA Connect console. On the Instances page, click View Console next to a specific instance.
- In the navigation pane on the left, choose API Connect > Custom Backend. On the Backends tab page, click Create.
- On the Create Backend page, set backend parameters and click Create.
- Backend Request Method must be set to POST.
- You do not need to set input parameters. The Header and Query parameters are invalid in the function backend used for backend custom authentication.
- For details about the settings of other parameters, see Creating a Function API.
After the backend is created, the online IDE page is automatically displayed.
- Develop a function backend.
In the upper left corner of the online IDE, choose File > Create Function Backend > Blank Template. In the dialog box displayed, click Yes. Compile a function script for security authentication and click Save.
The function script used for backend custom authentication must meet the following conditions:
- For the request parameters invoked using the function script:
Body parameter: indicates the user data defined in a custom authorizer. The parameter value is specified when a custom authorizer is created. The format of the invoked parameter in the function script is as follows: body["user_data"].
- For the response message defined by the function script:
The response body cannot be greater than 1 MB. The response content must meet the following format:
{ "status": "allow/deny", "context": { "user": "abc" } }
- status: identifies the authentication result. This field is mandatory. Only allow or deny is supported. allow indicates that the authentication is successful, and deny indicates that the authentication fails.
- context: indicates the authentication response result. This field is mandatory. Only key-value pairs of the string type are supported. The key value does not support JSON objects or arrays.
The data in the context is user-defined. After the authentication is successful, the data can be used as a system parameter (backend authentication parameter) and mapped to the backend request parameter of the API. The system parameter name set in the API backend service must be the same as the parameter name in the context. The parameter name is case sensitive. The parameter name in context must start with a letter and contain 1 to 32 characters, including letters, digits, underscores (_), and hyphens (-).
The following is an example of the user data definition script:
function execute(data){ data=JSON.parse(data) body=data.body if(body["user_data"]=='abc'){ return{ "status": "allow", "context": { "user": "abcd" } } }else{ return{ "status": "deny" } } }
- For the request parameters invoked using the function script:
- Test the function backend.
In the upper right corner of the page, click Test. In the Test Parameters area, add request parameters required for authentication based on the definition of the function backend and click Test to send the request.
The user data definition script example in the preceding step is used as an example. You need to enter the request content {"user_data": "abc"} in the Body parameter as the authentication parameter of the backend request.
If the value of status in the test result is allow, the test is successful.
- Deploy the function backend.
After the backend test is complete, click Deploy in the upper right corner of the page. In the dialog box displayed, click Yes to deploy the function backend.
Creating a Backend Custom Authorizer
Before creating a backend custom authorizer, ensure that the function backend used for backend custom authentication has been created. Otherwise, create a function API first. For details, see Creating a Function Backend for Backend Authentication.
- Log in to the ROMA Connect console. On the Instances page, click View Console next to a specific instance.
- In the navigation pane on the left, choose API Connect > API Management. On the Custom Authorizers tab page, click Create.
- In the Create Custom Authorizer dialog box, configure custom authorizer information and click Create.
Table 1 Parameters for creating a backend custom authorizer Parameter
Description
Name
Enter a custom authorizer name. It is recommended that you enter a name based on naming rules to facilitate search.
Type
Select Backend.
Integration Application
Select the integration application to which the custom authorizer belongs.
Function URN
Select the function backend used for backend custom authentication. Only function backends in the Deployed state can be selected.
Cache Duration (s)
Enter the cache time of the authentication result. If it is set to 0, the authentication result is not cached. The maximum cache duration can be set to 3600 seconds.
Send Request Body
Determine whether to send the API request body to the authentication function.
User Data
Enter the user-defined authentication request parameter.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot