Compute
Elastic Cloud Server
Huawei Cloud Flexus
Bare Metal Server
Auto Scaling
Image Management Service
Dedicated Host
FunctionGraph
Cloud Phone Host
Huawei Cloud EulerOS
Networking
Virtual Private Cloud
Elastic IP
Elastic Load Balance
NAT Gateway
Direct Connect
Virtual Private Network
VPC Endpoint
Cloud Connect
Enterprise Router
Enterprise Switch
Global Accelerator
Management & Governance
Cloud Eye
Identity and Access Management
Cloud Trace Service
Resource Formation Service
Tag Management Service
Log Tank Service
Config
OneAccess
Resource Access Manager
Simple Message Notification
Application Performance Management
Application Operations Management
Organizations
Optimization Advisor
IAM Identity Center
Cloud Operations Center
Resource Governance Center
Migration
Server Migration Service
Object Storage Migration Service
Cloud Data Migration
Migration Center
Cloud Ecosystem
KooGallery
Partner Center
User Support
My Account
Billing Center
Cost Center
Resource Center
Enterprise Management
Service Tickets
HUAWEI CLOUD (International) FAQs
ICP Filing
Support Plans
My Credentials
Customer Operation Capabilities
Partner Support Plans
Professional Services
Analytics
MapReduce Service
Data Lake Insight
CloudTable Service
Cloud Search Service
Data Lake Visualization
Data Ingestion Service
GaussDB(DWS)
DataArts Studio
Data Lake Factory
DataArts Lake Formation
IoT
IoT Device Access
Others
Product Pricing Details
System Permissions
Console Quick Start
Common FAQs
Instructions for Associating with a HUAWEI CLOUD Partner
Message Center
Security & Compliance
Security Technologies and Applications
Web Application Firewall
Host Security Service
Cloud Firewall
SecMaster
Anti-DDoS Service
Data Encryption Workshop
Database Security Service
Cloud Bastion Host
Data Security Center
Cloud Certificate Manager
Edge Security
Managed Threat Detection
Blockchain
Blockchain Service
Web3 Node Engine Service
Media Services
Media Processing Center
Video On Demand
Live
SparkRTC
MetaStudio
Storage
Object Storage Service
Elastic Volume Service
Cloud Backup and Recovery
Storage Disaster Recovery Service
Scalable File Service Turbo
Scalable File Service
Volume Backup Service
Cloud Server Backup Service
Data Express Service
Dedicated Distributed Storage Service
Containers
Cloud Container Engine
SoftWare Repository for Container
Application Service Mesh
Ubiquitous Cloud Native Service
Cloud Container Instance
Databases
Relational Database Service
Document Database Service
Data Admin Service
Data Replication Service
GeminiDB
GaussDB
Distributed Database Middleware
Database and Application Migration UGO
TaurusDB
Middleware
Distributed Cache Service
API Gateway
Distributed Message Service for Kafka
Distributed Message Service for RabbitMQ
Distributed Message Service for RocketMQ
Cloud Service Engine
Multi-Site High Availability Service
EventGrid
Dedicated Cloud
Dedicated Computing Cluster
Business Applications
Workspace
ROMA Connect
Message & SMS
Domain Name Service
Edge Data Center Management
Meeting
AI
Face Recognition Service
Graph Engine Service
Content Moderation
Image Recognition
Optical Character Recognition
ModelArts
ImageSearch
Conversational Bot Service
Speech Interaction Service
Huawei HiLens
Video Intelligent Analysis Service
Developer Tools
SDK Developer Guide
API Request Signing Guide
Terraform
Koo Command Line Interface
Content Delivery & Edge Computing
Content Delivery Network
Intelligent EdgeFabric
CloudPond
Intelligent EdgeCloud
Solutions
SAP Cloud
High Performance Computing
Developer Services
ServiceStage
CodeArts
CodeArts PerfTest
CodeArts Req
CodeArts Pipeline
CodeArts Build
CodeArts Deploy
CodeArts Artifact
CodeArts TestPlan
CodeArts Check
CodeArts Repo
Cloud Application Engine
MacroVerse aPaaS
KooMessage
KooPhone
KooDrive

Third-Party Authorizer

Updated on 2025-01-24 GMT+08:00

You can configure your own service to authenticate API requests. APIG first invokes this service for authentication, and then invokes the backend service after receiving a success response.

NOTE:

If your gateway does not support this policy, submit a service ticket to upgrade the gateway to the latest version.

The following figure shows the principle of third-party authentication. After binding a third-party authentication policy to an API, call the API by referring to Calling an Open API.

Prerequisites

  • An API can be bound with only one third-party authorizer policy for a given environment, but each third-party authorizer policy can be bound to multiple APIs.
  • Policies are independent of APIs. A policy takes effect for an API only after they are bound to each other. When binding a policy to an API, you must specify an environment where the API has been published. The policy takes effect for the API only in the specified environment.
  • After you bind a policy to an API, unbind the policy from the API, or update the policy, you do not need to publish the API again.
  • Taking an API offline does not affect the policies bound to it. The policies are still bound to the API if the API is published again.
  • Policies that have been bound to APIs cannot be deleted.

Creating a Third-Party Authorizer

  1. Go to the APIG console.
  2. Select a dedicated gateway at the top of the navigation pane.
  1. In the navigation pane, choose API Management > API Policies.
  2. On the Policies tab, click Create Policy.
  3. In the Select Policy Type box, select Third-Party Authorizer in the Plug-ins area.
  4. Set the policy information based on the following table.

    Table 1 Third-party authorizer parameters

    Parameter

    Description

    Name

    Enter a policy name. Using naming rules facilitates future search.

    It can contain 3 to 255 characters and must start with a letter. Only letters, digits, and underscores (_) are allowed.

    Type

    Fixed as Third-Party Authorizer.

    Description

    Description about the plug-in. Enter 1 to 255 characters.

    Policy Content

    Content of the plug-in, which can be configured in a form or using a script.

    Load Balance Channel

    Whether to connect a third-party authentication service using a load balance channel.

    Backend URL

    • Method

      GET, POST, PUT, and HEAD are supported.

    • Protocol

      HTTP or HTTPS. HTTPS is recommended for transmitting important or sensitive data.

    • Load Balance Channel (if applicable)

      Set this parameter only if a load balance channel is used. Select a load balance channel. If no required channel is available, click Create Load Balance Channel to create one.

    • Backend Address (if applicable)

      Set this parameter if no load balance channel is used.

      Enter the access address of the authentication service in the format of Host:Port. Host indicates the IP address or domain name for accessing the authentication service. If no port is specified, ports 80 and 443 are used by default for HTTP and HTTPS, respectively.

      Only IPv4 addresses are supported.

    • Path

      Path (URL) of the authentication service.

    Timeout (ms)

    Timeout of the authentication service. It cannot exceed the max. timeout of the backend service. View the timeout limit on the Parameters tab of the gateway details page.

    Host Header

    Set this parameter only if a load balance channel is used.

    Host header field in the backend service request. By default, the original host header in each request is used.

    Brute Force Threshold

    IP addresses whose number of third-party authentication failure attempts within 5 minutes exceeds this threshold will be blocked. They will be unblocked after 5 minutes.

    For example, if an IP address has failed third-party authentication more than the configured threshold in the third minute, the address is blocked, and will be unblocked after 2 minutes.

    Identity Sources

    Parameters to obtain from the original API requests for third-party authentication. Max. 10 headers and 10 query strings. If not specified, all headers and query strings in the original requests will be used.

    Relaxed Mode

    When this option is enabled, APIG accepts client requests even when your authentication service cannot connect or returns an error code starting with "5".

    Allow Original Request Body

    When this option is enabled, the original request body is included for authentication.

    Request Body Size (bytes)

    Available only when Allow Original Request Body is enabled.

    The value cannot exceed the max. request body size of the gateway. View the request body size limit on the Parameters tab of the gateway details page.

    Allow Original Request Path

    When this option is enabled, the original request path is added to the end of the authentication request path.

    Return Response

    When this option is enabled, the authentication response is returned on failure.

    Allowed Response Headers

    Headers to obtain from the authentication response and send to the backend service, when the authentication is successful.

    Max. 10 headers.

    Simple Authentication

    When this option is enabled, status codes starting with "2" indicate successful authentication.

    Authentication Result

    Available only when Simple Authentication is disabled.

    Responses whose headers contain these parameters with the same values indicate successful authentication.

    Blacklist/Whitelist

    When this option is enabled, whether API requests require third-party authentication depends on the configured blacklist or whitelist rules.

    Type

    • Whitelist

      API requests matching the whitelist rules do not require third-party authentication.

    • Blacklist

      API requests matching the blacklist rules require third-party authentication.

    Parameters

    Define parameters for rule matching. For security purposes, do not include sensitive information in these parameters.

    • Parameter Location: the location of a parameter used for rule matching.
      • path: API request URI. This parameter is configured by default.
      • method: API request method. This parameter is configured by default.
      • header: the key of a request header.
      • query: the key of a query string.
      • system: a system parameter.
    • Parameter: the name of a parameter to match the specified value in a rule.

    Rules

    Define conditions for rule matching.

    Click Add Rule and edit the rule name and conditions. In the Condition Expressions dialog box, select a parameter and operator, and enter a value. For security purposes, do not include sensitive information in these parameters.

    • =: equal to
    • !=: not equal to
    • pattern: regular expression
    • enum: enumerated values. Separate them with commas (,).

  5. Click OK.

    To clone this policy, click Clone in the Operation column. The name of a cloned policy cannot be the same as that of any existing policy.

  6. After the policy is created, perform the operations described in Binding the Policy to APIs to apply the policy for the API.

Example Script

{
  "auth_request": {
    "method": "GET",
    "protocol": "HTTPS",
    "url_domain": "192.168.10.10",
    "timeout": 5000,
    "path": "/",
    "vpc_channel_enabled": false,
    "vpc_channel_info": null
  },
  "custom_forbid_limit": 100,
  "carry_body": {
    "enabled": true,
    "max_body_size": 1000
  },
  "auth_downgrade_enabled": true,
  "carry_path_enabled": true,
  "return_resp_body_enabled": false,
  "carry_resp_headers": [],
  "simple_auth_mode_enabled": true,
  "match_auth": null,
  "rule_enabled": false,
  "rule_type": "allow"
}

Binding the Policy to APIs

  1. Click the policy name to go to the policy details page.
  2. Select an environment and click Select APIs.
  3. Select the API group, environment, and required APIs.

    APIs can be filtered by API name or tag. The tag is defined during API creation.

  4. Click OK.

    • If an API no longer needs this policy, click Unbind in the row that contains the API.
    • If there are multiple APIs that no longer need this policy, select these APIs, and click Unbind above the API list. You can unbind a policy from a maximum of 1000 APIs at a time.

We use cookies to improve our site and your experience. By continuing to browse our site you accept our cookie policy. Find out more

Feedback

Feedback

Feedback

0/500

Selected Content

Submit selected content with the feedback