AddGatewayAuth - Microservices Engine - Alibaba Cloud Documentation Center

Adds an authentication configuration for a gateway.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer.

Debug

Authorization information

The following table shows the authorization information corresponding to the API. The authorization information can be used in the Action policy element to grant a RAM user or RAM role the permissions to call this API operation. Description:

Operation: the value that you can use in the Action element to specify the operation on a resource.
Access level: the access level of each operation. The levels are read, write, and list.
Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
- The required resource types are displayed in bold characters.
- If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
Condition Key: the condition key that is defined by the cloud service.
Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.

Operation	Access level	Resource type	Condition key	Associated operation
mse:AddGatewayAuth	create	Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	none	none

Request parameters

Parameter	Type	Required	Description	Example
Name	string	No	The name.	jwt
AuthResourceList	array<object>	No	The information about the resource to be authorized.
	object	No	The data structure.
DomainId	long	No	The domain ID.	1
Path	string	No	The request path.	/test
Type	string	No	The authentication type. JSON Web Token (JWT) authentication, OpenID Connect (OIDC) authentication, Identity as a Service (IDaaS) authentication, or custom authentication are supported.	JWT
Issuer	string	No	The iss value of JWT claims, which indicates the issuer. You must make sure that the value of this parameter is the same as the iss value in the payload of JWT claims.	testing@secure.istio.io
Jwks	string	No	The JWT public key. The JSON format is supported.	{"keys":[{"e":"AQAB","kid":"DHFbpoIUqrY8t2zpA2qXfCmr5VO5ZEr4RzHU_-envvQ","kty":"RSA","n":"xAE7eB6qugXyCAG3yhh7pkDkT65pHymX-P7KfIupjf59vsdo91bSP9C8H07pSAGQO1MV_xFj9VswgsCg4R6otmg5PV2He95lZdHtOcU5DXIg_pbhLdKXbi66GlVeK6ABZOUW3WYtnNHD-91gVuoeJT_DwtGGcp4ignkgXfkiEm4sw-4sfb4qdt5oLbyVpmW6x9cfa7vs2WTfURiCrBoUqgBo_-4WTiULmmHSGZHOjzwa8WtrtOQGsAFjIbno85jp6MnGGGZPYZbDAa_b3y5u-YpW7ypZrvD8BgtKVjgtQgZhLAGezMt0ua3DRrWnKqTZ0BJ_EyxOGuHJrLsn00fnMQ"}]}
TokenPosition	string	No	The position of the parameter that is required to verify a token. By default, a token is prefixed with Bearer and stored in the authorization header. Example: `Authorization: Bearer token`.	HEADER
TokenName	string	No	The name of the parameter that is required to verify a token. By default, a token is prefixed with Bearer and stored in the authorization header. Example: `Authorization: Bearer token`.	Authorization
TokenNamePrefix	string	No	The name prefix of the parameter that is required to verify a token. By default, a token is prefixed with Bearer and stored in the authorization header. Example: `Authorization: Bearer token`	Bearer
TokenPass	boolean	No	Specifies whether to enable pass-through.	true
IsWhite	boolean	No	Specifies whether to enable the whitelist feature.	true
Status	boolean	No	The status.	true
RedirectUrl	string	No	The redirect URL.	https://test-.com/oauth2/callback
ClientId	string	No	The application ID registered with the OIDC authentication service.	23460e2fdd9bf9ad106****
ClientSecret	string	No	The application secret registered with the OIDC authentication service.	123****
CookieDomain	string	No	The domain name of the cookie. After the authentication is passed, the cookie is sent to the specified domain name to maintain the logon status. For example, if you set `Cookie-domain` to a.example.com, the cookie is sent to the domain name `a.example.com`. If you set `Cookie-domain` to .example.com, the cookie is sent to all subdomains of `example.com`.	test.com
ScopesList	array	No	The OIDC scope.
	string	No	The OIDC scope.	Separate multiple values with semicolons (;).
LoginUrl	string	No	The URL that is used to log on to the IDaaS instance.	***
Sub	string	No	The sub value of JWT claims, which indicates the subject. You must make sure that the value of this parameter is the same as the sub value in the payload of JWT claims. If you do not set this parameter or leave it empty, the default value, which is the value of the Issuer parameter, is used.	testing@secure.istio.io
ExternalAuthZJSON	object	No	The information about the custom authentication service.
ServiceId	long	No	The ID of the service.	1
PrefixPath	string	No	The path of the authentication API provided by the authentication service. The path supports the prefix match method.	/auth
TokenKey	string	No	The header that stores a token in an authentication request. In most cases, a token is stored in the Authorization or Cookie header.	Authorization
AllowRequestHeaders	array	No	The header that can be carried in an authentication request.
	string	No	The OIDC scope.	x-req
AllowUpstreamHeaders	array	No	The header that can be retained in an authentication response.
	string	No		x-resp
Timeout	integer	No	The timeout period. Unit: seconds.	100
IsRestrict	boolean	No	Specifies whether the gateway allows a client request when the authentication server is unavailable. If a connection to the authentication server fails to be established or a 5xx error code is returned, the authentication server is unavailable.	true
GatewayUniqueId	string	No	The unique ID of the gateway.	gw-492af9b04bb4474cae9d645be850e3d7

Response parameters

Parameter	Type	Description	Example
	object	The data structure.
RequestId	string	The ID of the request.	4279C00F-A5E1-53C6-A43B-751C1C524D0B
HttpStatusCode	integer	The HTTP status code returned.	200
Message	string	The message returned.	You are not authorized to perform this operation.
Code	integer	The status code returned.	200
Success	boolean	Indicates whether the request was successful. Valid values: `true`: The request was successful. `false`: The request failed.	true
Data	long	The data returned.	3

Examples

Sample success responses

JSONformat

{
  "RequestId": "4279C00F-A5E1-53C6-A43B-751C1C524D0B",
  "HttpStatusCode": 200,
  "Message": "You are not authorized to perform this operation.",
  "Code": 200,
  "Success": true,
  "Data": 3
}

Error codes

HTTP status code	Error code	Error message	Description
400	IllegalRequest	Invalid request:%s	Invalid request: %s
400	InvalidParameter	Parameter error:%s	Request parameter error: %s
403	NoPermission	You are not authorized to perform this operation:%s	You do not have the permission to use this interface:%s
404	NotFound	Not found:%s	The resource does not exist:%s
500	InternalError	Console error. Try again later:%s	Console error. Try again later: %s

For a list of error codes, visit the Service error codes.

Change history

Change time	Summary of changes	Operation
2024-04-11	The request parameters of the API has changed	View Change Details