manualshive.com logo in svg

Alibaba Cloud API Gateway, Руководство пользователя

Поделиться
Скачать
Alibaba Cloud API Gateway Скачать руководство пользователя страница 18

1.

2.

3.

4.

Provider and used to generate the id_token in the entire system. The generated id_token

must meet the 

Specification

 in the OIDC protocol (version 1.0).

 
 

 
2. Resource server (RS): Used to verify the id_token and resolve
corresponding information. 

 

This part is implemented by the gateway. Because the RS function has been integrated in the API

gateway, the Provider only needs to generate the id_token in compliance with the corresponding

encryption rules. 

 

As shown in the preceding figure, the process is as follows:

 

The Consumer sends the parameter with the id_token to the API gateway. 

The API gateway saves the publicKey used for verification, verifies and resolves the id_token

to obtain the User information, and sends the User information to the Provider. If the

authentication fails, the API gateway returns an error message. 

The Provider processes the request and returns the results to the API gateway. 

The API gateway transparently transmits the results from the Provider to the Consumer. 
 

NOTE: The RS serves as the Consumer of the id_token. The request can be forwarded to the Provider

only when the id_token verification succeeds.

 

 
How to implement the AS module

API Gateway

User Guide for Providers

17

Содержание API Gateway

Страница 1: ...API Gateway User Guide for Providers...

Страница 2: ...deprecation and version switching Easy data conversion You can configure a mapping rule to convert the calling request into the format required by the backend Presetting of request verification You c...

Страница 3: ...o backend services the format of returned results the parameter verification rules and so on Define basic information Basic API information includes the API group API name description and API type Sel...

Страница 4: ...rom that in the backend service address You have to map the parameters when defining the path if they are in the backend service address Input parameter definition The parameters to input conprise hea...

Страница 5: ...r The parameter name must be globally unique It is not allowed to enter a parameter named name in headers and queries at the same time After the preceding steps now you can test and release the API gr...

Страница 6: ...in name as follows The unique and fixed second level domain name is assigned by the system during group creation By default a second level domain name is used to call the API only in the test environm...

Страница 7: ...definitions Editing the definition of a released API does not affect the definition in the production environment unless you release and synchronize it to the production environment It is not allowed...

Страница 8: ...ew the release history of each of you APIs including the version number notes test production and time of each release When viewing the release history you can select a version and switch to it The ne...

Страница 9: ...he throttling policy is described as follows Throttling policy contains the following dimensions The three values can be set in one throttling policy Note that the user traffic limit API traffic limit...

Страница 10: ...e and special object settings appliable to each API separately The lattest policy bound to the API overwrites the previous one and takes effect immediately To add a special app or user you must obtain...

Страница 11: ...ount Restrictions on the number of independent domain names bound to an API group At most five independent domain names can be bound to a group Restrictions on the traffic for calling an API The traff...

Страница 12: ...name is X Ca Signature How to add a signature at the backend HTTP service For more information about the demo Java of signature calculation see https github com aliyun api gateway demo sign backend ja...

Страница 13: ...ercase letters in the key of the header to lowercase and splice the keys in the following method URL URL indicates the Form parameter in the Path Query Body The organization method is as follows If Qu...

Страница 14: ...uthorization OpenID Connect is a lightweight standard based on OAuth 2 0 which provides a framework for identity interaction through APIs Compared with OAuth OpenID Connect not only authenticates a re...

Страница 15: ...oken to the client When configuring such APIs you must inform the API gateway about the key corresponding to your Token and the public key used to resolve the Token Service APIs Interfaces used to obt...

Страница 16: ...ined by the authorization API and the signed Appkey to call the service API The API gateway authenticates and resolves the Token and sends the user information contained in the Token to the backend Du...

Страница 17: ...d U P mode The API gateway transparently transmits the request to the AS The AS sends the user authentication request to the Provider service provider The Provider returns the authentication results o...

Страница 18: ...as follows The Consumer sends the parameter with the id_token to the API gateway The API gateway saves the publicKey used for verification verifies and resolves the id_token to obtain the User informa...

Страница 19: ...e KeyPair uses the RSA SHA256 encryption algorithm To guarantee security 2 048 bits are encrypted All KeyPairs used in the AS are in the JSON format The following is an example publicKey privateKey St...

Страница 20: ...uiM2oiKtW3bAaBP uiR7sVMFcuB5baCebHU487YymJCBTfeCZtFdi6c4w0 dp gVCROKonsjiQCG s6X4j saAL016jJsw 7QEYE6uiMHqR _6iJ _uD1V8Vuec RxaItyc6SBsh24oeqsNoG7Ndaw7w912UVDwVjwJKQFCJDjU0v4oniItosKcPvM8M0TDUB1qZojuM...

Страница 21: ...s toJson PrivateKey privateKey new RsaJsonWebKey JsonUtil parseJson privateKeyText getPrivateKey jws setKey privateKey String idToken jws getCompactSerialization eyJhbGciOiJSUzI1NiIsImtpZCI6Ijg4NDgzNz...

Страница 22: ...example obtaining the Token using U P Service APIs Used by the Provider to provide services The Consumer calls the obtained Token as an input parameter The OpenID Connect certification method is used...

Страница 23: ...he Input parameter definition area a corresponding parameter must be defined Otherwise an error message is prompted as shown in the following figure Configuring the custom system parameters The servic...

Страница 24: ...sing the RAM employees can use the sub accounts to view create manage and delete API groups APIs authorizations and throttling policies However the sub accounts are not the owner of resources whose op...

Страница 25: ...policy For more information about how to view create modify and delete a custom authorization see Authorization policy management For more information about how to enter the authorization policy conte...

Страница 26: ...region indicates the region You can also enter the wildcards which indicate all regions account id indicates the account ID such as 1234567890123456 You can also enter the wildcards relative id indica...

Страница 27: ...ntid trafficco ntrol trafficcontrolId DeleteTrafficSpecialControl acs apigateway regionid accountid trafficco ntrol trafficcontrolId DeployApi acs apigateway regionid accountid apigroup groupId Descri...

Страница 28: ...cs apigateway regionid accountid apigroup DescribeRulesByApi acs apigateway regionid accountid group groupId DescribeSecretKeys acs apigateway regionid accountid secretke y DescribeTrafficControls acs...

Страница 29: ...rafficcontrolId RemoveAppsFromApi acs apigateway regionid accountid apigroup groupId RemoveBlackList acs apigateway regionid accountid blacklist blacklistid SetAccessPermissionByApis acs apigateway re...

Страница 30: ...the intranet This authorization is only used for the API gateway to access corresponding backend resources The API gateway cannot access unauthorized resources or ports For example if only port 80 of...

Страница 31: ...e the API gateway for access Click API Gateway Console Open API Authorize VPC and then click Create Authorization Go to the authorization page and enter corresponding information VPC name Indicates th...

Страница 32: ...tion of other parameters for the API is consistent with that for other APIs Save the configuration The API creation is complete 3 Authorize a security group Optional You can skip this step if you use...

Страница 33: ...backend service works in multiple VPC instances Why cannot I authorize my VPC Make sure that the VPC ID instance ID and port number are correct and that the authorization policy and VPC are within the...

Страница 34: ...e interdependency among them may in turn restrict each of them during the process and mutual misunderstanding may influence the development progress or even delay the project schedule Therefore Mock i...

Страница 35: ...t to the test or online environment for test or to the API debugging page for debugging based on your actual needs Debugging You can initiate an API call on the API debugging page to test the setting...

Страница 36: ...r end which avoids unnecessary latency and improves efficiency In case of a large amount of requests the client can use this method to transmit the request data with only a few connections Header comp...

Страница 37: ...future To Support HTTPS HTTPS is a protocol integrating HTTP and SSL It encrypts information and data to guarantee data transmission security HTTPS is widely used today The API gateway also supports...

Страница 38: ...e and click Open API Group Management Click the group to which the SSL certificate is to be bound and check the group details Before binding the SSL certificate bind an Independent domain name to the...

Страница 39: ...er binding the SSL certificate you can enable access over HTTP HTTPS or HTTP and HTTPS for APIs For security considerations we recommend that you configure all APIs to support access over HTTPS You ca...

Страница 40: ...After the adjustment the API configuration is complete Your API supports access over HTTPS API Gateway User Guide for Providers 39...

Отзывы:

Нет отзывов

Бренды по названию

Популярные бренды

Загрузить еще бренды