Updated on 2022-12-05 GMT+08:00

Creating a Backend Custom Authorizer

Overview

To use your own backend request authentication system, create a custom authorizer.

Custom authorizers are classified into the following types:

  • Frontend: ROMA Connect uses a custom authentication function to authenticate API requests.
  • Backend: The backend service of an API uses a custom authentication function to authenticate requests forwarded by ROMA Connect.

This section describes how to create a backend custom authorizer. Ensure that you have created a function backend before using it for a custom authorizer.

Creating a Function Backend for Backend Authentication

  1. Log in to the ROMA Connect console. On the Instances page, click View Console next to a specific instance.
  2. In the navigation pane on the left, choose API Connect > Custom Backends. On the Backends tab page, click Create Backend.
  3. On the Create Backend page, set backend parameters and click Create.
    • Backend Request Method must be set to POST.
    • The input parameters are not required. The header and query parameters are not used for the backend custom authorization.
    • For details about the settings of other parameters, see Creating a Function API.

    After the backend is created, the online IDE page is automatically displayed.

  4. Develop a function backend.

    In the upper left corner of the online IDE, choose File > Create Function Backend > Blank Template. In the dialog box displayed, click Yes. Compile a function script for security authentication and click Save.

    The function script used for backend custom authentication must meet the following conditions:

    • Request parameter

      Body parameter: user data defined when a custom authorizer is created. The format of calling the body parameter is body["user_data"].

    • Response

      The response body cannot be greater than 1 MB. The response content must meet the following format:

      {
        "status": "allow/deny",
        "context": {
          "user": "abc"
        }
      }
      • status: identifies the authentication result. This field is mandatory. Only allow or deny is supported. allow indicates that the authentication is successful, and deny indicates that the authentication fails.
      • context: indicates the authentication response result. This field is mandatory. Only key-value pairs of the string type are supported. The key value does not support JSON objects or arrays.

        The data in the context is user-defined. After the authentication is successful, the data can be used as a system parameter (backend authentication parameter) and mapped to the backend request parameter of the API. The system parameter name set in the API backend service must be the same as the parameter name in the context. The parameter name is case sensitive. The parameter name in context must start with a letter and contain 1 to 32 characters, including letters, digits, underscores (_), and hyphens (-).

    The following is an example of the user data definition script:

    function execute(data){
      data=JSON.parse(data)
      body=data.body
      if(body["user_data"]=='abc'){
        return{
          "status": "allow",
          "context": {
            "user": "abcd"
          }
        }
      }else{
        return{
          "status": "deny"
        }
      }
    }
  5. Test the function backend.

    In the upper right corner of the page, click Test. In the Test Parameters area, add request parameters required for authentication based on the definition of the function backend and click Test to send the request.

    The user data definition script in the preceding step is used as an example. Enter the request content {"user_data": "abc"} in the body parameter to authenticate backend service requests.

    If the value of status in the test result is allow, the test is successful.

  6. Deploy the function backend.

    After the backend test is complete, click Deploy in the upper right corner of the page. In the dialog box displayed, click Yes to deploy the function backend.

Creating a Backend Custom Authorizer

Before creating a backend custom authorizer, ensure that the function backend used for backend custom authentication has been created. Otherwise, create a function API first. For details, see Creating a Function Backend for Backend Authentication.

  1. Log in to the ROMA Connect console. On the Instances page, click View Console next to a specific instance.
  2. In the navigation pane on the left, choose API Connect > API Management. On the Custom Authorizers tab page, click Create.
  3. In the Create Custom Authorizer dialog box, configure custom authorizer information and click Create.
    Table 1 Parameters for creating a backend custom authorizer

    Parameter

    Description

    Name

    Enter a custom authorizer name. It is recommended that you enter a name based on naming rules to facilitate search.

    Type

    Select Backend.

    Integration Application

    Select an integration application for the custom authorizer.

    Function URN

    Select a function backend for custom authentication. Only function backends in the Deployed state can be selected.

    Max. Cache Age (s)

    Set the time for caching authentication results. Value 0 means that authentication results will not be cached. The maximum value is 3600.

    Send Request Body

    Specify whether to send the request body to the function.

    User Data

    Enter the parameters for creating a custom authorizer.