
Microservices Engine: AddGatewayAuth

Last Updated: Nov 13, 2024

Adds an authentication configuration for a gateway.

Debugging

You can call this operation directly in OpenAPI Explorer, which saves you from calculating signatures. After a successful call, OpenAPI Explorer can automatically generate SDK code samples.

Authorization information

The following table shows the authorization information for this API operation. You can use it in the Action element of a policy to grant a RAM user or RAM role the permissions to call this operation. The columns are:

  • Operation: the value that you can use in the Action element to specify the operation on a resource.
  • Access level: the access level of each operation. The levels are read, write, and list.
  • Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
    • The required resource types are displayed in bold characters.
    • If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
  • Condition Key: the condition key that is defined by the cloud service.
  • Associated operation: other operations that the RAM user or the RAM role must also have permissions to perform in order to complete this operation.

| Operation | Access level | Resource type | Condition key | Associated operation |
| --- | --- | --- | --- | --- |
| mse:AddGatewayAuth | create | Gateway: acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId} | none | none |

Request parameters

| Parameter | Type | Required | Description | Example |
| --- | --- | --- | --- | --- |
| Name | string | No | The name. | jwt |
| AuthResourceList | array<object> | No | The information about the resource to be authorized. | |
| | object | No | The data structure. | |
| DomainId | long | No | The domain ID. | 1 |
| Path | string | No | The request path. | /test |
| Type | string | No | The authentication type. JSON Web Token (JWT) authentication, OpenID Connect (OIDC) authentication, Identity as a Service (IDaaS) authentication, or custom authentication are supported. | JWT |
| Issuer | string | No | The iss value of JWT claims, which indicates the issuer. You must make sure that the value of this parameter is the same as the iss value in the payload of JWT claims. | testing@secure.istio.io |
| Jwks | string | No | The JWT public key. The JSON format is supported. | {"keys":[{"e":"AQAB","kid":"DHFbpoIUqrY8t2zpA2qXfCmr5VO5ZEr4RzHU_-envvQ","kty":"RSA","n":"xAE7eB6qugXyCAG3yhh7pkDkT65pHymX-P7KfIupjf59vsdo91bSP9C8H07pSAGQO1MV_xFj9VswgsCg4R6otmg5PV2He95lZdHtOcU5DXIg_pbhLdKXbi66GlVeK6ABZOUW3WYtnNHD-91gVuoeJT_DwtGGcp4ignkgXfkiEm4sw-4sfb4qdt5oLbyVpmW6x9cfa7vs2WTfURiCrBoUqgBo_-4WTiULmmHSGZHOjzwa8WtrtOQGsAFjIbno85jp6MnGGGZPYZbDAa_b3y5u-YpW7ypZrvD8BgtKVjgtQgZhLAGezMt0ua3DRrWnKqTZ0BJ_EyxOGuHJrLsn00fnMQ"}]} |
| TokenPosition | string | No | The position of the parameter that is required to verify a token. By default, a token is prefixed with Bearer and stored in the authorization header. Example: Authorization: Bearer token. | HEADER |
| TokenName | string | No | The name of the parameter that is required to verify a token. By default, a token is prefixed with Bearer and stored in the authorization header. Example: Authorization: Bearer token. | Authorization |
| TokenNamePrefix | string | No | The name prefix of the parameter that is required to verify a token. By default, a token is prefixed with Bearer and stored in the authorization header. Example: Authorization: Bearer token. | Bearer |
| TokenPass | boolean | No | Specifies whether to enable pass-through. | true |
| IsWhite | boolean | No | Specifies whether to enable the whitelist feature. | true |
| Status | boolean | No | The status. | true |
| RedirectUrl | string | No | The redirect URL. | https://test-.com/oauth2/callback |
| ClientId | string | No | The application ID registered with the OIDC authentication service. | 23460e2fdd9bf9ad106**** |
| ClientSecret | string | No | The application secret registered with the OIDC authentication service. | 123**** |
| CookieDomain | string | No | The domain name of the cookie. After the authentication is passed, the cookie is sent to the specified domain name to maintain the logon status. For example, if you set Cookie-domain to a.example.com, the cookie is sent to the domain name a.example.com. If you set Cookie-domain to .example.com, the cookie is sent to all subdomains of example.com. | test.com |
| ScopesList | array | No | The OIDC scope. | |
| | string | No | The OIDC scope. Separate multiple values with semicolons (;). | |
| LoginUrl | string | No | The URL that is used to log on to the IDaaS instance. | *** |
| Sub | string | No | The sub value of JWT claims, which indicates the subject. You must make sure that the value of this parameter is the same as the sub value in the payload of JWT claims. If you do not set this parameter or leave it empty, the default value, which is the value of the Issuer parameter, is used. | testing@secure.istio.io |
| ExternalAuthZJSON | object | No | The information about the custom authentication service. | |
| ServiceId | long | No | The ID of the service. | 1 |
| PrefixPath | string | No | The path of the authentication API provided by the authentication service. The path supports the prefix match method. | /auth |
| TokenKey | string | No | The header that stores a token in an authentication request. In most cases, a token is stored in the Authorization or Cookie header. | Authorization |
| AllowRequestHeaders | array | No | The header that can be carried in an authentication request. | |
| | string | No | The OIDC scope. | x-req |
| AllowUpstreamHeaders | array | No | The header that can be retained in an authentication response. | |
| | string | No | | x-resp |
| Timeout | integer | No | The timeout period. Unit: seconds. | 100 |
| IsRestrict | boolean | No | Specifies whether the gateway allows a client request when the authentication server is unavailable. If a connection to the authentication server fails to be established or a 5xx error code is returned, the authentication server is unavailable. | true |
| GatewayUniqueId | string | No | The unique ID of the gateway. | gw-492af9b04bb4474cae9d645be850e3d7 |
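
An added example (not from the original documentation or any Alibaba Cloud SDK): a pre-flight check that the JWT settings above (Jwks, Issuer, Sub, TokenName, TokenNamePrefix) agree with a token from your issuer before you submit them. It checks consistency only and does not verify the signature; the function names and sample values are hypothetical, and kid-based key selection is an assumption.

```python
import base64
import json

SECRET_JWK_FIELDS = {"d", "p", "q", "dp", "dq", "qi", "k"}  # private or symmetric members

def b64url_json(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def decode_segment(segment):
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def extract_token(headers, params):
    """Read the token from the TokenName header and strip TokenNamePrefix."""
    value = headers.get(params.get("TokenName", "Authorization"), "")
    prefix = params.get("TokenNamePrefix", "Bearer") + " "
    if not value.startswith(prefix):
        return None
    return value[len(prefix):].strip() or None

def preflight(params, sample_headers):
    """Return a list of problems; an empty list means the settings agree."""
    try:
        keys = json.loads(params["Jwks"])["keys"]
    except (KeyError, TypeError, ValueError):
        return ["Jwks is not a JSON object with a 'keys' array"]
    problems = [f"key {k.get('kid')!r} carries secret members {sorted(SECRET_JWK_FIELDS & k.keys())}"
                for k in keys if SECRET_JWK_FIELDS & k.keys()]
    token = extract_token(sample_headers, params)
    if token is None or token.count(".") != 2:
        return problems + ["no compact JWT at the configured header/prefix"]
    try:
        header, payload = (decode_segment(s) for s in token.split(".")[:2])
    except ValueError:
        return problems + ["token header or payload is not base64url JSON"]
    if payload.get("iss") != params.get("Issuer"):
        problems.append("iss claim differs from Issuer")
    # Sub falls back to Issuer when unset or empty, as the parameter table states.
    if payload.get("sub") != (params.get("Sub") or params.get("Issuer")):
        problems.append("sub claim differs from Sub (or the Issuer default)")
    # Assumption: standard JWKS key selection by kid when the token carries one.
    if "kid" in header and header["kid"] not in {k.get("kid") for k in keys}:
        problems.append("token kid not found in Jwks")
    return problems

# Constructed sample input; the signature segment is a dummy and is never verified here.
PARAMS = {"Type": "JWT", "Issuer": "testing@secure.istio.io", "TokenName": "Authorization",
          "TokenNamePrefix": "Bearer", "TokenPosition": "HEADER",
          "Jwks": json.dumps({"keys": [{"kty": "RSA", "kid": "k1", "e": "AQAB", "n": "sample"}]})}
TOKEN = ".".join([b64url_json({"alg": "RS256", "kid": "k1"}),
                  b64url_json({"iss": PARAMS["Issuer"], "sub": PARAMS["Issuer"]}), "c2ln"])
```

Calling `preflight(PARAMS, {"Authorization": "Bearer " + TOKEN})` returns an empty list for the constructed sample; any returned string names the setting to fix before the call is made.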

Response parameters

| Parameter | Type | Description | Example |
| --- | --- | --- | --- |
| | object | The data structure. | |
| RequestId | string | The ID of the request. | 4279C00F-A5E1-53C6-A43B-751C1C524D0B |
| HttpStatusCode | integer | The HTTP status code returned. | 200 |
| Message | string | The message returned. | You are not authorized to perform this operation. |
| Code | integer | The status code returned. | 200 |
| Success | boolean | Indicates whether the request was successful. Valid values: true (the request was successful), false (the request failed). | true |
| Data | long | The data returned. | 3 |

Examples

Sample success responses

JSON format

{
  "RequestId": "4279C00F-A5E1-53C6-A43B-751C1C524D0B",
  "HttpStatusCode": 200,
  "Message": "You are not authorized to perform this operation.",
  "Code": 200,
  "Success": true,
  "Data": 3
}

Error codes

| HTTP status code | Error code | Error message | Description |
| --- | --- | --- | --- |
| 400 | IllegalRequest | Invalid request:%s | Invalid request: %s |
| 400 | InvalidParameter | Parameter error:%s | Request parameter error: %s |
| 403 | NoPermission | You are not authorized to perform this operation:%s | You do not have the permission to use this interface:%s |
| 404 | NotFound | Not found:%s | The resource does not exist:%s |
| 500 | InternalError | Console error. Try again later:%s | Console error. Try again later: %s |

For a list of error codes, see Service error codes.

Change history

| Change time | Summary of changes |
| --- | --- |
| 2024-09-26 | The internal configuration of the API is changed, but the call is not affected. |
| 2024-04-11 | The request parameters of the API have changed. |