API Gateway:Call an API in simple authentication mode

Last Updated:Aug 05, 2024

Alibaba Cloud API Gateway provides multiple methods to authenticate requests from clients, including Alibaba Cloud App, JSON Web Token (JWT) plug-ins, and third-party authentication plug-ins. The Alibaba Cloud App method provides two authentication modes: signature and AppCode. This topic describes how to use the simple authentication mode, which is based on the AppCode of an application.

Precautions

Simple authentication eliminates the need for a complex signing process. However, an AppCode is a static credential that is transmitted in plaintext, so anyone who obtains it can call the API as your application until the authorization is revoked. If you pass the AppCode as a Query parameter, it also becomes part of the URL, which is commonly recorded in access logs, proxy logs, and browser history. We recommend that you exercise caution when you use this mode.

Important

Make sure that HTTPS is used between the client and API Gateway. Do not transmit data over HTTP. In simple authentication mode, AppCodes are transmitted in plaintext. If you use the unencrypted HTTP protocol, an attacker who captures packets can read the AppCode directly and replay it.

Overview

  • For more information about how a request is signed, see Use digest authentication to call an API.

  • In AppCode-based simple authentication, API callers are authenticated by using the AppCodes issued by API Gateway. Callers pass the AppCode as a request header or a Query parameter to have their identities authenticated, which allows them to call APIs without signing each request. The following items describe how AppCode-based simple authentication works:

    1. Create an API that supports AppCode authentication.

    2. Create an application and have an AppCode issued to the application.

    3. Authorize the application to call the API.

    4. Call the API with the AppCode. API Gateway uses the AppCode to authenticate the caller.

Create an API that supports AppCode authentication

  1. Log on to the API Gateway console. In the left-side navigation pane, choose Manage APIs > API Groups. On the API Groups page, click Create Group in the upper-right corner.

  2. On the Create Group page, set Instances to the API Gateway instance that you created, configure the Group Name and BasePath parameters, and then click Confirm.

  3. In the left-side navigation pane, choose Manage APIs > APIs. On the APIs page, click Create API in the upper-right corner.

  4. In the Basic Information step of the Create API wizard, select the created API group from the Group drop-down list, configure the API Name parameter, set Authentication Method to Alibaba Cloud App, and set AppCode Authentication to Enable AppCode Authentication (Header) or Enable AppCode Authentication (Header & Query).


    The following four options are available for AppCode Authentication:

      • Enable After API Publish to Alibaba Cloud Marketplace: By default, this option is not selected. If you select this option, AppCodes can be passed in as a request header for authentication only after the API is published to Alibaba Cloud Marketplace.

      • Disable AppCode Authentication: Requests must be signed regardless of whether the API is published to Alibaba Cloud Marketplace.

      • Enable AppCode Authentication (Header): AppCodes can be passed in as a request header for authentication regardless of whether the API is published to Alibaba Cloud Marketplace.

      • Enable AppCode Authentication (Header & Query): AppCodes can be passed in as a request header or a Query parameter for authentication regardless of whether the API is published to Alibaba Cloud Marketplace.

  5. Select a signature algorithm and click Next.

  6. In the Define API Request step, define requirements on the requests that are sent to call your API. For more information, see 1.2 Configure request information. Then, click Next.

  7. In the Define Backend Service step, configure a backend service for your API. For more information, see 1.3 Configure a backend service. Then, click Save.

Note
  • When you define request parameters for the API, you do not need to define a Header or Query parameter for the AppCode. API Gateway reads the AppCode from the request itself.

  • After the API is created, you can publish it to an environment for further debugging.

Create an application

  1. Log on to the API Gateway console. In the left-side navigation pane, choose Call APIs > Apps. On the Apps page, click Create App in the upper-right corner.

  2. In the Create App dialog box, set App Name and click Confirm.

Note
  • An AppCode is automatically generated for the created application. You can find the AppCode on the App Details page by clicking the name of the application on the Apps page.

  • If you purchase an API from Alibaba Cloud Marketplace, the marketplace will create an application for you when you make the purchase.

Authorize the application to call the API

  1. Log on to the API Gateway console. In the left-side navigation pane, choose Manage APIs > APIs. On the APIs page, find the created API and choose Authorize from the Actions column.

  2. In the Authorize dialog box, configure the Stage, Authorization Validity Period, and Choose Apps for Authorization parameters. Select My Apps from the Choose Apps for Authorization drop-down list and click Search. The applications in your account are displayed. Select the created application and click Add Selected. Then, click Confirm. Set the Authorization Validity Period to the shortest period that fits your use case, because the AppCode cannot be used to call the API after the authorization expires.

Use the AppCode for identity authentication

Simple authentication supports two modes: you can put the AppCode in either the Header section or the Query section of your request. Which modes are accepted depends on the AppCode Authentication option that you selected when you created the API.

Method 1: Add the AppCode to the Header section

  • Add an Authorization parameter to the request Header.

  • The value of the Authorization parameter must be in the following format: APPCODE, a space, and then the AppCode value. Format:

    Authorization:APPCODE AppCode value

    Example:

    Authorization:APPCODE 3F2504E04F8911D39A0C0305E82C3301

    Important

    If the backend service is an HTTP function, the Authorization parameter is not passed to the backend service. Instead, the parameter is overwritten by the Authorization parameter of the HTTP function. In this case, we recommend that you place the AppCode in the Query section.

Method 2: Add the AppCode to the Query section

  • Add an AppCode parameter to the Query section of your request. The parameter name can also be written as appcode, appCode, APPCODE, or APPCode.

  • The value of the parameter is the issued AppCode.

Example:

https://www.aliyun.com/?AppCode=3F2504E04F8911D39A0C0305E82C3301
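The following Python example is added here to illustrate both methods above; it is not code from the Alibaba Cloud documentation or SDKs. The client side builds a request with the AppCode in the Header section or the Query section and refuses plain-HTTP URLs, as the Important note requires. The gateway side is a simplified model, written for this example, of how a gateway configured with Enable AppCode Authentication (Header) or (Header & Query) would locate and check the AppCode; the lookup order, the host name api.example.com, and the function names are assumptions, and the AppCode is the sample value shown on this page.

```python
"""AppCode simple authentication: build a request and model the gateway check.

Added example; not Alibaba Cloud's code. Host names, function names and the
check order are assumptions made for illustration.
"""
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit
from urllib.request import Request

# Sample AppCode from the page. A real one is issued on the App Details page.
SAMPLE_APPCODE = "3F2504E04F8911D39A0C0305E82C3301"

# Query parameter spellings that the page says API Gateway accepts.
QUERY_NAMES = ("AppCode", "appcode", "appCode", "APPCODE", "APPCode")


def build_appcode_request(url, appcode, mode="header", method="GET"):
    """Return a urllib Request that carries the AppCode in the chosen section.

    Plain-HTTP URLs are rejected: the AppCode is sent in plaintext, so TLS is
    the only thing that keeps it away from a packet capture.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("AppCode must only be sent over HTTPS, got %r" % parts.scheme)
    if mode == "header":
        req = Request(url, method=method)
        # Format required by the page: "APPCODE", one space, the AppCode value.
        req.add_header("Authorization", "APPCODE " + appcode)
        return req
    if mode == "query":
        # Preserve existing query parameters and append AppCode=<value>.
        query = parse_qsl(parts.query, keep_blank_values=True)
        query.append(("AppCode", appcode))
        return Request(urlunsplit(parts._replace(query=urlencode(query))), method=method)
    raise ValueError("mode must be 'header' or 'query'")


def extract_appcode(headers, query_string, allow_query):
    """Model (assumption) of where a gateway looks for the AppCode.

    allow_query=False mirrors 'Enable AppCode Authentication (Header)';
    allow_query=True mirrors 'Enable AppCode Authentication (Header & Query)'.
    Returns the presented AppCode or None.
    """
    for name, value in headers.items():
        if name.lower() == "authorization":
            scheme, _, code = value.partition(" ")
            if scheme == "APPCODE" and code:
                return code
    if allow_query:
        for name, value in parse_qsl(query_string, keep_blank_values=True):
            if name in QUERY_NAMES and value:
                return value
    return None


def is_authorized(headers, query_string, issued_appcodes, allow_query=False):
    """Accept the request only if the presented AppCode is one issued to an
    application that is authorized for this API. The comparison is constant
    time so that mismatch timing does not leak the issued values."""
    presented = extract_appcode(headers, query_string, allow_query)
    if presented is None:
        return False
    return any(hmac.compare_digest(presented, issued) for issued in issued_appcodes)


if __name__ == "__main__":
    url = "https://api.example.com/v1/items?id=1"  # assumed API host
    header_req = build_appcode_request(url, SAMPLE_APPCODE, mode="header")
    query_req = build_appcode_request(url, SAMPLE_APPCODE, mode="query")
    print("Header mode:", header_req.get_header("Authorization"))
    print("Query mode :", query_req.full_url)
    print("Accepted   :", is_authorized(header_req.headers, "", [SAMPLE_APPCODE]))
```

Run the block as a script to see both request forms. Note that the Query-mode request in the example is rejected by the model unless allow_query=True, which is exactly what happens when an API was created with the Header-only option; and because the Authorization header is overwritten when the backend is an HTTP function, a client that must reach such a backend should use mode="query" and leave the Header section alone.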