Configuring A Third-Party Authorizer

Constraints

When a user calls an API bound to a third-party authentication policy, the API performs its own authentication and then the third-party authentication.

Creating a Third-Party Authorizer

1. Log in to the ROMA Connect console. On the Instances page, click View Console of an instance.
2. In the navigation pane on the left, choose API Connect > API Policies. On the Policies tab, click Create Policy.
3. In the Select Policy Type box, select Third-Party Authorizer in the Plug-ins area.
4. On the page displayed, configure plug-in policy information.

   Table 1 Policy configuration

   Parameter	Description
   Name	Enter a policy name. Using naming rules facilitates future search.
   Type	The value is fixed as Third-Party Authorizer.
   Scope	Specify the scope to view the policy. Integration application: Each policy belongs to an integration application. Only users who have permission on the integration application can view and use the policy. All: All users in the current instance can view and use the policy.
   Integration Application	Mandatory when Scope is set to Integration Application. Select an integration application for the policy. If none is available, click Create Integration Application on the right to create one.
   Description	Describe the policy.
   Policy Content: Configure the policy in a form or script. For details about how to configure a script, see Script Configuration Example.
   Load Balance Channel	Whether to access the third-party authentication service via a load balance channel. If you want to select Configure, create a load balance channel in advance.
   Backend URL	Configure the URL of the third-party authentication service. Method: Select the request method of the third-party authentication service. Protocol: Select the request protocol of the third-party authentication service. HTTPS is recommended for transmitting important or sensitive data. Backend Address: Mandatory when Load Balance Channel is set to Skip. Enter the access address of the third-party authentication service in the format of Host:Port. Host indicates the IP address or domain name for accessing the third-party authentication service. If no port is specified, port 80 is for HTTP and port 443 is for HTTPS by default. Load Balance Channel: Mandatory when Load Balance Channel is set to Configure. Select a load balance channel for accessing the third-party authentication service. Path: Enter the request path of the third-party authentication service, for example, /auth.
   Timeout (ms)	Enter the timeout interval of a third-party authentication service request. The default value is 5000.
   Host Header	Available when Load Balance Channel is set to Configure. Define the host header field carried in the third-party authentication service request.
   Brute Force Threshold	IP addresses whose number of attempts to access APIs by third-party authentication within 5 minutes exceeds this threshold will be blocked. They will be unblocked after the current statistical period. For example, if an IP address has failed the third-party authentication more than the configured threshold in the third minute of a statistical period, the address is blocked, and will be unblocked after 2 minutes.
   Identity Sources	Add the header and query parameters in the original API request used for third-party authentication. If not specified, all header and query parameters in the original API request will be used.
   Relaxed Mode	When this option is enabled, ROMA Connect accepts client requests even if the third-party authentication service cannot be connected or returns an error code starting with "5".
   Allow Original Request Body	When this option is enabled, the original API request body is used to call the third-party authentication service.
   Request Body Size (bytes)	Available only when Allow Original Request Body is enabled. Size of the request body for calling the third-party authentication service. It cannot exceed the maximum size allowed by the instance. Check out the value of request_body_size in configuration parameters.
   Allow Original Request Path	When this option is enabled, the original API request path is added to the end of the third-party authentication request path before the third-party authentication service is invoked.
   Return Response	When this option is enabled, the authentication response is returned on failure.
   Allowed Response Headers	Headers to obtain from the authentication response and send to the backend service with the original request, when the authentication is successful.
   Simple Authentication	When this option is enabled, status codes starting with "2" indicate successful authentication.
   Authentication Result	Available only when Simple Authentication is disabled. Verifies the response header returned by the third-party authentication service. If the response header contains the configured parameter and the corresponding values are the same, the authentication is successful.
   Blacklist/Whitelist	When this option is enabled, if the original API request matches the blacklist rule, third-party authentication is performed. If the original API request matches the whitelist rule, third-party authentication is not performed.
   Type	Mandatory when Blacklist/Whitelist is enabled. Whitelist: API requests matching the whitelist rules do not require third-party authentication. Blacklist: API requests matching the blacklist rules require third-party authentication.
   Parameters	Available only when Blacklist/Whitelist is enabled. Define the parameters for rule matching. Click Add Parameter to add rule parameters. Parameter Location: position of a parameter in an API request. path: API request URI. This parameter is configured by default. method: API request method. This parameter is configured by default. header: first value of the header parameter in an API request. query: first value of the query parameter in an API request. system: a system parameter. Parameter: name of a parameter used for rule matching.
   Rules	Available only when Blacklist/Whitelist is enabled. Customize matching rules for the blacklist or whitelist. Click Add Rule to add rules. The system matches rules from top to bottom. Rules: Click to edit the condition expressions. If there are three or more expressions, you can layer them by clicking Set Lower Level. =: equal to !=: not equal to pattern: regular expression enum: enumerated values, separated by comma (,)

5. Click OK.

   After a plug-in policy is created, bind a plug-in policy to an API for the policy to take effect on the API.

Binding a Plug-in Policy to an API

1. On the Policies tab, filter policies by Third-Party Authorizer.
2. Click the name of a policy to go to the details page.
3. On the APIs tab, select the environment of the APIs you want to bind the policy to and click Bind to APIs.
4. On the page displayed, select the APIs to bind the policy to.

   APIs can be filtered by API group and API name.

5. Click OK.

Script Configuration Example

{
  "auth_request": {
    "method": "GET",
    "protocol": "HTTPS",
    "url_domain": "10.10.10.10",
    "timeout": 5000,
    "path": "/auth",
    "vpc_channel_enabled": false,
    "vpc_channel_info": null
  },
  "custom_forbid_limit": 100,
  "carry_body": {
    "enabled": true,
    "max_body_size": 1000
  },
  "auth_downgrade_enabled": true,
  "carry_path_enabled": true,
  "return_resp_body_enabled": false,
  "carry_resp_headers": [],
  "simple_auth_mode_enabled": true,
  "match_auth": null,
  "rule_enabled": false,
  "rule_type": "allow"
}