Custom Authorizers
APIG supports custom authentication of both frontend and backend requests.
- Frontend custom authentication: If you already have an authentication system, you can configure it in a function and then create a custom authorizer by using the function to authenticate API requests.
- Backend custom authentication: You can create a custom authorizer to authenticate requests for different backend services, eliminating the need to customize APIs for different authentication systems and simplifying API development. You only need to create a function-based custom authorizer in APIG to connect to your backend authentication system.
Custom authentication is implemented using FunctionGraph and not supported if FunctionGraph is unavailable in the selected region.
For details about custom authentication, see the API Gateway Developer Guide.
The following figure shows the process of calling APIs through custom authentication.
Prerequisites
You have created a function in FunctionGraph.
Creating a Custom Authorizer
- Go to the APIG console.
- Select a dedicated gateway at the top of the navigation pane.
- In the navigation pane, choose API Management > API Policies.
- On the Custom Authorizers page, click Create Custom Authorizer.
Configure custom authorizer parameters.
Table 1 Parameters for creating a custom authorizer Parameter
Description
Name
Authorizer name.
Type
- Frontend: Authenticates access to APIs.
- Backend: Authenticates access to backend services.
Function URN
Select a FunctionGraph function.
Version/Alias
Select a function version or alias. For details, see FunctionGraph User Guide.
Max. Cache Age (s)
The time for caching authentication results.
The value ranges from 0s to 3,600s. 0 indicates that authentication results will not be cached.
Relaxed Mode
When this option is enabled, APIG accepts client requests even when FunctionGraph cannot connect or returns an error code starting with "5". If there is a retry request, the last returned result is used.
When this option is enabled, if a custom authorizer is used for backend authentication of an API, the value of the backend authentication parameter is empty.
The relaxed mode has security risks. Therefore, exercise caution when selecting this mode.
Identity Sources
Request parameters used for authentication.
This parameter is mandatory only if you set Type to Frontend, and Max. Cache Age (s) is greater than 0. When the cache is used, this parameter is used as a search criterion to query authentication results.
Send Request Body
Determine whether to send the body of each API request to the authentication function. If you enable this option, the request body will be sent to the authentication function in the same way as the headers and query strings.
User Data
Customized request parameters to be used together with Identity Sources when APIG invokes a function.
- Click OK.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
