Third-Party Authorizer

You can configure your own service to authenticate API requests. APIG first invokes this service for authentication, and then invokes the backend service after receiving a success response.

If your gateway does not support this policy, contact technical support to upgrade the gateway to the latest version.

The following figure shows the principle of third-party authentication. After binding a third-party authentication policy to an API, call the API by referring to Calling APIs.

Click to enlarge

Prerequisites

You have understood the guidelines for policy creation and API binding.

Configuration Parameters

**Table 1** Configuration parameters
Parameter	Description
Load Balance Channel	Whether to connect a third-party authentication service using a load balance channel. Configure: Select a load balance channel. Skip: Enter the path of the authentication service.
Backend URL	Method GET, POST, PUT, and HEAD are supported. Protocol HTTP or HTTPS. HTTPS is recommended for transmitting important or sensitive data. Load Balance Channel (if applicable) Set this parameter only if a load balance channel is used. Select a load balance channel. If no required channel is available, click Create Load Balance Channel to create one. Backend Address (if applicable) Set this parameter if no load balance channel is used. Enter the access address of the authentication service in the format of Host:Port. Host indicates the IP address or domain name for accessing the authentication service. If no port is specified, ports 80 and 443 are used by default for HTTP and HTTPS, respectively. NOTE: Only IPv4 addresses are supported. Path Path (URL) of the authentication service.
Timeout (ms)	Timeout of the authentication service. It cannot exceed the max. timeout of the backend service. View the timeout limit on the Parameters tab of the gateway details page.
Host Header	Set this parameter only if a load balance channel is used. Define a host header for requests to be sent to cloud servers associated with the load balance channel. By default, the original host header in each request is used.
Brute Force Threshold	IP addresses whose number of third-party authentication failure attempts within 5 minutes exceeds this threshold will be blocked. They will be unblocked after 5 minutes. For example, if an IP address has failed third-party authentication more than the configured threshold in the third minute, the address is blocked, and will be unblocked after 2 minutes.
Identity Sources	Parameters to obtain from the original API requests for third-party authentication. Max. 10 headers and 10 query strings. If not specified, all headers and query strings in the original requests will be used.
Relaxed Mode	When this option is enabled, APIG accepts client requests even when your authentication service cannot connect or returns an error code starting with "5".
Allow Original Request Body	When this option is enabled, the original request body is included for authentication.
Request Body Size (bytes)	Available only when Allow Original Request Body is enabled. The value cannot exceed the max. request body size of the gateway. View the request body size limit on the Parameters tab of the gateway details page.
Allow Original Request Path	When this option is enabled, the original request path is added to the end of the authentication request path.
Return Response	When this option is enabled, the authentication response is returned on failure.
Allowed Response Headers	Headers to obtain from the authentication response and send to the backend service, when the authentication is successful. Max. 10 headers.
Simple Authentication	When this option is enabled, status codes starting with "2" indicate successful authentication.
Authentication Result	Available only when Simple Authentication is disabled. Responses whose headers contain these parameters with the same values indicate successful authentication.
Blacklist/Whitelist	When this option is enabled, whether API requests require third-party authentication depends on the configured blacklist or whitelist rules.
Type	Whitelist API requests matching the whitelist rules do not require third-party authentication. Blacklist API requests matching the blacklist rules require third-party authentication.
Parameters	Define parameters for rule matching. NOTE: For security purposes, do not include sensitive information in these parameters. Parameter Location: the location of a parameter used for rule matching. path: API request URI. This parameter is configured by default. method: API request method. This parameter is configured by default. header: the key of a request header. query: the key of a query string. system: a system parameter. Parameter: the name of a parameter to match the specified value in a rule.
Rules	Define conditions for rule matching. Click Add Rule and edit the rule name and conditions. In the Condition Expressions dialog box, select a parameter and operator, and enter a value. NOTE: For security purposes, do not include sensitive information in these parameters. =: equal to !=: not equal to pattern: regular expression enum: enumerated values. Separate them with commas (,).

Example Script

{
  "auth_request": {
    "method": "GET",
    "protocol": "HTTPS",
    "url_domain": "192.168.10.10",
    "timeout": 5000,
    "path": "/",
    "vpc_channel_enabled": false,
    "vpc_channel_info": null
  },
  "custom_forbid_limit": 100,
  "carry_body": {
    "enabled": true,
    "max_body_size": 1000
  },
  "auth_downgrade_enabled": true,
  "carry_path_enabled": true,
  "return_resp_body_enabled": false,
  "carry_resp_headers": [],
  "simple_auth_mode_enabled": true,
  "match_auth": null,
  "rule_enabled": false,
  "rule_type": "allow"
}

Parent topic: API Policies

Previous topic: Circuit Breaker

Next topic: Traffic Mirroring