
Third-Party Authorizer

Updated on 2024-08-07 GMT+08:00

You can configure your own service to authenticate API requests. APIG first invokes this service for authentication, and then invokes the backend service after receiving a success response.

NOTE:

If your gateway does not support this policy, contact technical support to upgrade the gateway to the latest version.

The following figure shows the principle of third-party authentication. After binding a third-party authentication policy to an API, call the API by referring to Calling APIs.

Prerequisites

You have understood the guidelines for policy creation and API binding.

Configuration Parameters

Table 1 Configuration parameters

Parameter

Description

Load Balance Channel

Whether to connect a third-party authentication service using a load balance channel.

Backend URL

  • Method

    GET, POST, PUT, and HEAD are supported.

  • Protocol

    HTTP or HTTPS. HTTPS is recommended for transmitting important or sensitive data.

  • Load Balance Channel (if applicable)

    Set this parameter only if a load balance channel is used. Select a load balance channel. If no required channel is available, click Create Load Balance Channel to create one.

  • Backend Address (if applicable)

    Set this parameter if no load balance channel is used.

    Enter the access address of the authentication service in the format of Host:Port. Host indicates the IP address or domain name for accessing the authentication service. If no port is specified, ports 80 and 443 are used by default for HTTP and HTTPS, respectively.

    NOTE:

    Only IPv4 addresses are supported.

  • Path

    Path (URL) of the authentication service.

Timeout (ms)

Timeout of the authentication service. It cannot exceed the max. timeout of the backend service. View the timeout limit on the Parameters tab of the gateway details page.

Host Header

Set this parameter only if a load balance channel is used.

Define a host header for requests to be sent to cloud servers associated with the load balance channel. By default, the original host header in each request is used.

Brute Force Threshold

An IP address is blocked when its number of failed third-party authentication attempts within 5 minutes exceeds this threshold. It is unblocked after 5 minutes.

For example, if an IP address exceeds the configured threshold of third-party authentication failures in the third minute, the address is blocked and will be unblocked after 2 minutes.

Identity Sources

Parameters to obtain from the original API requests for third-party authentication. Max. 10 headers and 10 query strings. If not specified, all headers and query strings in the original requests will be used.

Relaxed Mode

When this option is enabled, APIG accepts client requests even when your authentication service cannot be reached or returns an error code starting with "5". In both cases the request is accepted without a successful authentication result.

Allow Original Request Body

When this option is enabled, the original request body is included for authentication.

Request Body Size (bytes)

Available only when Allow Original Request Body is enabled.

The value cannot exceed the max. request body size of the gateway. View the request body size limit on the Parameters tab of the gateway details page.

Allow Original Request Path

When this option is enabled, the original request path is added to the end of the authentication request path.

Return Response

When this option is enabled, the authentication response is returned on failure.

Allowed Response Headers

Headers to obtain from the authentication response and send to the backend service, when the authentication is successful.

Max. 10 headers.

Simple Authentication

When this option is enabled, status codes starting with "2" indicate successful authentication.

Authentication Result

Available only when Simple Authentication is disabled.

Responses whose headers contain these parameters with the same values indicate successful authentication.

Blacklist/Whitelist

When this option is enabled, whether API requests require third-party authentication depends on the configured blacklist or whitelist rules.

Type

  • Whitelist

    API requests matching the whitelist rules do not require third-party authentication.

  • Blacklist

    API requests matching the blacklist rules require third-party authentication.

Parameters

Define parameters for rule matching.

  • Parameter Location: the location of a parameter used for rule matching.
    • path: API request URI. This parameter is configured by default.
    • method: API request method. This parameter is configured by default.
    • header: the key of a request header.
    • query: the key of a query string.
    • system: a system parameter.
  • Parameter: the name of a parameter to match the specified value in a rule.

Rules

Define conditions for rule matching.

Click Add Rule and edit the rule name and conditions. In the Condition Expressions dialog box, select a parameter and operator, and enter a value.

  • =: equal to
  • !=: not equal to
  • pattern: regular expression
  • enum: enumerated values. Separate them with commas (,).

Example Script

{
  "auth_request": {
    "method": "GET",
    "protocol": "HTTPS",
    "url_domain": "192.168.10.10",
    "timeout": 5000,
    "path": "/",
    "vpc_channel_enabled": false,
    "vpc_channel_info": null
  },
  "custom_forbid_limit": 100,
  "carry_body": {
    "enabled": true,
    "max_body_size": 1000
  },
  "auth_downgrade_enabled": true,
  "carry_path_enabled": true,
  "return_resp_body_enabled": false,
  "carry_resp_headers": [],
  "simple_auth_mode_enabled": true,
  "match_auth": null,
  "rule_enabled": false,
  "rule_type": "allow"
}
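
Added example (not part of the Huawei Cloud documentation): a Python model of the allow/deny outcome that Table 1 describes, run against fields from the example script, plus a check for the two settings that weaken authentication. It assumes `auth_downgrade_enabled` corresponds to Relaxed Mode and `simple_auth_mode_enabled` to Simple Authentication; `gateway_decision`, `audit` and `expected_headers` are hypothetical names, and the 401/503 responses in mind are constructed inputs.

```python
import json

# Fields taken from the page's example script (trimmed to what the model reads).
EXAMPLE_POLICY = json.loads("""
{
  "auth_request": {"method": "GET", "protocol": "HTTPS"},
  "auth_downgrade_enabled": true,
  "simple_auth_mode_enabled": true
}
""")


def gateway_decision(policy, auth_response, expected_headers=None):
    """Return (decision, reason) for one client request.

    auth_response: None if the authentication service could not be reached,
    otherwise a (status_code, headers_dict) tuple.
    expected_headers: hypothetical dict standing in for the "Authentication
    Result" parameters; its real JSON shape is not shown on the page.
    """
    relaxed = policy.get("auth_downgrade_enabled", False)   # assumed: Relaxed Mode
    simple = policy.get("simple_auth_mode_enabled", False)  # assumed: Simple Authentication

    # Unreachable service or 5xx: the outcome depends only on Relaxed Mode.
    if auth_response is None or 500 <= auth_response[0] <= 599:
        return ("allow", "fail-open: relaxed mode") if relaxed else ("deny", "auth service failure")

    status, headers = auth_response
    if simple:
        ok = 200 <= status <= 299
        return ("allow", "2xx status") if ok else ("deny", f"status {status}")

    # Simple Authentication disabled: every expected header must match exactly.
    if not expected_headers:
        return ("deny", "no authentication result configured")  # assumption of this model
    lowered = {k.lower(): v for k, v in headers.items()}
    ok = all(lowered.get(k.lower()) == v for k, v in expected_headers.items())
    return ("allow", "headers matched") if ok else ("deny", "headers did not match")


def audit(policy):
    """List the settings in a policy that weaken third-party authentication."""
    findings = []
    if policy.get("auth_request", {}).get("protocol", "").upper() != "HTTPS":
        findings.append("auth request not sent over HTTPS")
    if policy.get("auth_downgrade_enabled"):
        findings.append("relaxed mode: requests pass when the auth service is down or returns 5xx")
    return findings
```

With the example script's values, an outage or a 5xx from the authentication service results in `allow`; setting `auth_downgrade_enabled` to `false` turns both cases into `deny`.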
