Interpretation of a new plugin | How to enhance authentication capability with forward-auth
2022-06-26 16:46:00 【Apache APISIX China Community】
Forward Auth moves authentication and authorization logic into a dedicated external service. The gateway forwards the user's request to the authentication service and, when the authentication service responds with a non-20x status, blocks the original request and replaces the result. This makes it possible to return a custom error message or redirect the user to an authentication page when authentication fails.
This article introduces how to use forward-auth, a new plugin in Apache APISIX 2.12.0, and briefly explains how to use this simple authentication model.
Principle

The operating principle and flow of the forward-auth plugin in Apache APISIX are shown in the figure above and summarized as follows:
Step one: The client sends a request to APISIX.
Step two: APISIX sends a request to the authentication service configured by the user.
Step three: The authentication service responds (2xx or an abnormal status).
Step four: Based on the authentication service's response, APISIX decides whether to forward the request upstream or to send a reject response directly to the client.
How to use
Step one: Set up the authentication service
Suppose there is an authentication service to which the user sends a request carrying an Authorization request header. If the data passes verification, the service returns a 200 status code and a response header named X-User-ID. If verification fails, the authentication state is considered expired, and the service returns a 302 status code and a Location response header that redirects the client to the login page.
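One possible implementation of the authentication service described in this step, as an added example rather than code from the original article or the APISIX project. The token table, the names decide and make_server, and port 9091 are assumptions; the login URL and user ID are the values used on this page.

```python
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample data: token -> user id. A real service would verify a
# signed token or look up a session instead of using a static table.
TOKENS = {"s3cr3t-demo-token": "i-am-real-user"}
LOGIN_URL = "https://example.com/auth"  # redirect target used on this page


def decide(headers):
    """Return (status, response_headers) for the forwarded request headers."""
    presented = headers.get("Authorization") or ""
    for token, user_id in TOKENS.items():
        # Constant-time comparison avoids leaking token prefixes via timing.
        if hmac.compare_digest(presented.encode(), token.encode()):
            return 200, {"X-User-ID": user_id}
    # Fail closed: a missing, empty or unknown credential is never a 2xx.
    return 302, {"Location": LOGIN_URL}


class AuthHandler(BaseHTTPRequestHandler):
    def _respond(self):
        status, extra = decide(self.headers)
        self.send_response(status)
        for name, value in extra.items():
            self.send_header(name, value)
        self.send_header("Content-Length", "0")
        self.end_headers()

    # Answer GET and POST identically.
    do_GET = do_POST = _respond

    def log_message(self, *args):  # keep the demo quiet
        pass


def make_server(port=0):
    """Bind to localhost only, so just a gateway on this host can reach it."""
    return HTTPServer(("127.0.0.1", port), AuthHandler)


if __name__ == "__main__":
    make_server(9091).serve_forever()  # 9091 is an assumed port
```

To try it with the route in the next step, point the plugin's address at this service instead of the address shown there.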
Step two: Create a route and enable the forward-auth plugin
Next, we configure a route and enable the forward-auth plugin on it, connecting the authentication service above with the upstream application.
    curl http://127.0.0.1:9080/apisix/admin/routes/1 \
        -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' \
        -X PUT -d '
    {
        "plugins": {
            "forward-auth": {
                "address": "http://127.0.0.1:9080/auth",
                "request_headers": ["Authorization"],
                "upstream_headers": ["X-User-ID"],
                "client_headers": ["Location"]
            }
        },
        "uri": "/user"
    }'

Details of the configuration above:
- When a request matches the current route, a request is sent to the address in address, carrying the Authorization request header defined in request_headers (that is, the request headers to be forwarded from the client to the authentication service; if not set, no request header is forwarded). The authentication service can confirm the user's identity based on this.
- If authentication passes, the status code is 200 and the X-User-ID defined in upstream_headers is returned (that is, the request headers forwarded from the authentication service to the upstream when authentication passes; if not set, no request header is forwarded).
- If authentication fails, the status code is 302 and the Location defined in client_headers is returned (that is, the response headers sent from the authentication service to the client when authentication fails; if not set, no response header is forwarded).
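The header handling described above, modeled in Python as an added example; it is not APISIX's implementation. forward_auth, pick, lower and stub_auth are hypothetical names, and the extra X-Internal and Set-Cookie headers are constructed to show what the three allow-lists drop.

```python
# Plugin settings copied from the route created above.
CONF = {
    "request_headers": ["Authorization"],
    "upstream_headers": ["X-User-ID"],
    "client_headers": ["Location"],
}


def lower(headers):
    """HTTP header names are case-insensitive, so compare them in lower case."""
    return {name.lower(): value for name, value in headers.items()}


def pick(headers, allowed):
    """Keep only the headers whose names are on the allow-list."""
    allowed = {name.lower() for name in allowed}
    return {n: v for n, v in lower(headers).items() if n in allowed}


def forward_auth(request_headers, auth_service, conf=CONF):
    """Return ("upstream", headers) or ("client", status, headers)."""
    # Step two: only request_headers are sent to the authentication service.
    status, auth_headers = auth_service(pick(request_headers, conf["request_headers"]))
    if 200 <= status < 300:
        # Step four, success: the original request goes upstream with the
        # upstream_headers from the auth response. Model assumption: these
        # replace any client-sent header of the same name.
        upstream = lower(request_headers)
        upstream.update(pick(auth_headers, conf["upstream_headers"]))
        return ("upstream", upstream)
    # Step four, failure: the request is blocked; the client receives the
    # auth service's status and nothing but client_headers.
    return ("client", status, pick(auth_headers, conf["client_headers"]))


def stub_auth(headers):
    """Hypothetical stand-in for the authentication service (constructed values)."""
    if headers.get("authorization") == "true":
        return 200, {"X-User-ID": "i-am-real-user", "X-Internal": "debug"}
    return 302, {"Location": "https://example.com/auth", "Set-Cookie": "a=b"}
```

In this model a client-supplied X-User-ID is replaced by the authentication service's value, and headers outside the allow-lists never cross from the authentication service to the upstream or the client.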
Step three: Test the requests

    # Request that passes authentication
    curl -i http://127.0.0.1:9080/user \
        --header 'Authorization: true'

    HTTP/1.1 200 OK
    Content-Type: application/json
    Content-Length: 28
    Server: APISIX/2.11.0

    {"user_id":"i-am-real-user"}

    # Request that fails authentication
    curl -i http://127.0.0.1:9080/user \
        --header 'Authorization: false'

    HTTP/1.1 302 FOUND
    Server: APISIX/2.11.0
    Location: https://example.com/auth

Appendix: Disabling the plugin
When you are finished, simply remove the forward-auth plugin configuration from the route configuration and save it to disable the Forward Auth plugin on that route. Thanks to the dynamic nature of Apache APISIX, enabling and disabling plugins does not require restarting Apache APISIX.
Summary
For the description and complete configuration list of the forward-auth plugin, see: https://apisix.apache.org/docs/apisix/next/plugins/forward-auth
About Apache APISIX
Apache APISIX is a dynamic, real-time, high-performance open source API gateway that provides rich traffic management features such as load balancing, dynamic upstream, canary release, circuit breaking, authentication and observability.
Apache APISIX helps enterprises handle API and microservice traffic quickly and safely, including gateways, Kubernetes Ingress and service mesh. At present, it has been approved and highly recognized by professional network security organizations such as the PwC data security team, Tencent Blue Army, Ping An Galaxy Lab, iQIYI SRC and the Yuanbao Technology security team.
Apache APISIX GitHub: https://github.com/apache/apisix
Apache APISIX official website: https://apisix.apache.org/
Apache APISIX documentation: https://apisix.apache.org/zh/docs/apisix/getting-started