Updated on 2024-11-27 GMT+08:00

Creating a Backend Custom Authorizer

To use your own backend request authentication system, customize a frontend or backend authorizer.

  • Frontend custom authorizer: ROMA Connect uses a custom authentication function to authenticate received API requests.
  • Backend custom authorizer: The backend service of an API uses a custom authentication function to authenticate backend service requests forwarded by ROMA Connect.

This section describes how to create a backend custom authorizer. To do this, create a function backend as the authentication function, and use the function backend as the authentication backend in custom authentication.

Creating a Function Backend for Backend Authentication

  1. Log in to the ROMA Connect console. On the Instances page, click View Console next to a specific instance.
  2. In the navigation pane on the left, choose API Connect > Custom Backends. On the Backends tab, click Create Backend.
  3. On the Create Backend page, set backend parameters and click Create.
    • Backend Request Method must be set to POST.
    • You do not need to set input parameters. The Header and Query parameters are invalid in the function backend used for backend custom authentication.
    • For details about the settings of other parameters, see Creating a Function Backend.

    After the backend is created, the online IDE of the backend is automatically displayed. The backend type defaults to data backend.

  4. Develop a function backend.

    In the upper left corner of the online IDE, choose File > Create Function Backend > Blank Template. In the dialog box displayed, click Yes. Compile a function script for security authentication and click Save.

    The function script used for backend custom authentication must meet the following conditions:

    • Request parameter

      Body parameter: user data defined when a custom authorizer is created. The format of calling the body parameter is body["user_data"].

    • Response

      The response body cannot be greater than 1 MB. The response content must be in the following format:

      {
        "status": "allow/deny",
        "context": {
          "user": "abc"
        }
      }
      • status: identifies the authentication result. This field is mandatory. Only allow or deny is supported. allow indicates that the authentication is successful, and deny indicates that the authentication fails.
      • context: indicates the authentication response result. This field is mandatory. Only key-value pairs of the string type are supported. The key value does not support JSON objects or arrays.

        The data in the context is user-defined. After the authentication is successful, the data can be used as a system parameter (backend authentication parameter) and mapped to the backend request parameter of the API. The system parameter name set in the API backend service must be the same as the parameter name in the context. The parameter name is case sensitive. The parameter name in context must start with a letter and contain 1 to 32 characters, including letters, digits, underscores (_), and hyphens (-).

    The following is an example of the user data definition script:

    function execute(data){
      data=JSON.parse(data)
      body=data.body
      if(body["user_data"]=='abc'){
        return{
          "status": "allow",
          "context": {
            "user": "abcd"
          }
        }
      }else{
        return{
          "status": "deny"
        }
      }
    }
  5. Test the function backend.

    In the upper right corner, click Test. In the Test Parameters area, add request parameters required for authentication as defined for the function backend, and click Test to send the request.

    The user data definition script in the preceding step is used as an example. Enter the request content {"user_data": "abc"} in the body parameter to authenticate backend service requests.

    If the value of status in the test result is allow, the test is successful.

  6. Deploy the function backend.

    After the backend is tested, click Deploy in the upper right corner of the page. In the dialog box displayed, click Yes to deploy the function backend.

Creating a Backend Custom Authorizer

Before creating a backend custom authorizer, ensure that the function backend used for backend custom authentication has been created. Otherwise, create a function API first. For details, see Creating a Function Backend for Backend Authentication.

  1. In the navigation pane on the left, choose API Connect > API Policies. On the Custom Authorizers tab, click Create Custom Authorizer.
  2. On the page displayed, configure custom authorization and click OK.
    Table 1 Parameters for creating a backend custom authorizer

    Parameter

    Description

    Name

    Enter a custom authorizer name. Using naming rules facilitates future search.

    Integration Application

    Select an integration application for the custom authorizer.

    Type

    Select Backend.

    Function URN

    Select a function backend (must be currently Deployed) for backend custom authentication.

    Max. Cache Age (s)

    Set the time (max. 3600) for caching authentication results.

    0: Authentication results will not be cached.

    Relaxed Mode

    When this option is enabled, ROMA Connect accepts client requests even if the custom function service cannot be connected or returns an error code starting with "5".

    Send Request Body

    Specify whether to send the request body to the function.

    User Data

    Enter the parameters for creating a custom authorizer.