Api-gateway Practice (10) New service gateway-OpenID Connect


Gateway Guide: HTTPS://HELP.ALIYUN.COM/DOCUMENT_DETAIL/29487.HTML?SPM=5176.DOC48835.6.550.23OQBL

Gateway Console: https://apigateway.console.aliyun.com/?spm=5176.doc42740.2.2.Q4z5ws#/cn-hangzhou/apis/list

Reference Link: https://help.aliyun.com/document_detail/48019.html?spm=5176.doc29487.6.580.NFBkpz

First, configuration in the console

1. When configuring the APIs, divide them into two categories: the "Get Authorization Token API" and the "Business Access API".

2. The "Get Authorization Token API" is used by the client to obtain a token. When configuring it, specify the key corresponding to the token and the public key used to verify and parse the token.

3. The "Business Access API" is the actual business API; calls to it must carry the token. When configuring a Business Access API, you specify the name of the request parameter that carries the token. When a client call to such an API reaches the API gateway, the gateway automatically verifies that the AppKey and the token of the request are legitimate.

Second, the business process

1. The client calls the "Get Authorization Token API" to obtain a token

1.1. The client uses the AppKey signature together with the username/password to invoke the "Get Authorization Token API" and obtains an (encrypted) token. The username/password are extremely sensitive information; transmitting them in plaintext over the network is a risk, so it is recommended to encrypt the username and password before transmission and to use HTTPS.

1.2. The API gateway receives the request and first authenticates the AppKey. After that passes, it invokes the backend service's account system to authenticate the username/password.

1.3. After the backend service authenticates the user, it issues a token according to the encryption method specified by the gateway and returns it to the client. The client can then invoke the "Business Access API" with this token.

2. The client calls the Business Access API to perform business functions

2.1. The client uses the token obtained from the "Get Authorization Token API", together with the AppKey signature, to invoke the "Business Access API". (For how to call an API, see "Call API".)

2.2. The API gateway authenticates the request, parses the token content, and passes the user information contained in the token to the backend.

Third, the authentication server (AS) and the resource server (RS)

1. The authentication server (AS) is responsible for generating the id_token and for managing the public/private key pair. It receives the request from the gateway (username + password, "U+P") and performs the U+P authentication. On success it returns the token (which contains the user information); on failure it returns an error message. Note: the id_token must conform to the OIDC (version 1.0) specification.

1.1. How the AS generates an id_token with OIDC. The id_token, also called the ID token, is a token defined in the OIDC protocol; for details see OpenID Connect Core 1.0. Generating an id_token requires a KeyPair, a KeyId and Claims (for more information on Claims, see the id_token section of the specification).

(1) KeyId

The KeyId must be unique, for example a random string of at least 32 characters derived from a UUID; it may consist of digits only or of digits and letters.

Reference Example (JAVA)

```java
// Form 1: UUID with the dashes removed (32 hex characters, digits and letters)
String keyId = UUID.randomUUID().toString().replaceAll("-", "");

// Form 2: two 64-bit halves rendered as decimal digits.
// Note: getMostSignificantBits() is a signed long, so this form can contain a
// leading '-'; use form 1 if the KeyId must be strictly alphanumeric.
String keyId = String.valueOf(UUID.randomUUID().getMostSignificantBits())
             + String.valueOf(UUID.randomUUID().getMostSignificantBits());
```

(2) KeyPair

A KeyPair is an asymmetric key pair from a PKI-based algorithm; each pair consists of a public key (PublicKey) and a private key (PrivateKey).

The public key is placed on the RS and used for verification; the private key is placed on the AS and used to produce the digital signature when generating the id_token.

The KeyPair uses the RSA SHA256 signature algorithm; to guarantee sufficient security, the key length is 2048 bits.

The KeyPair used by the AS is JSON-formatted data (a JSON Web Key). Examples are as follows:

PublicKey (the long base64url values of the RSA parameters are elided here):

```json
{"kty": "RSA", "kid": "67174182967979709913950471789226181721", "alg": "RS256", "n": "...", "e": "AQAB"}
```

PrivateKey (the same fields plus the private RSA parameters):

```json
{"kty": "RSA", "kid": "67174182967979709913950471789226181721", "alg": "RS256", "n": "...", "e": "AQAB", "d": "...", "p": "...", "q": "...", "dp": "...", "dq": "...", "qi": "..."}
```

The alg declared in the JWK must match the algorithm used to sign the JWS in step (4); for RSA SHA256 that is RS256. Sample code (JAVA), using jose4j:

```java
// Generate a 2048-bit RSA JWK and export both halves as JSON
String keyId = UUID.randomUUID().toString().replaceAll("-", "");
RsaJsonWebKey jwk = RsaJwkGenerator.generateJwk(2048);
jwk.setKeyId(keyId);
// The JWS in step (4) is signed with RS256, so declare the same algorithm on the key
// (an ECDSA identifier does not match an RSA key).
jwk.setAlgorithm(AlgorithmIdentifiers.RSA_USING_SHA256);
String publicKey = jwk.toJson(JsonWebKey.OutputControlLevel.PUBLIC_ONLY);
String privateKey = jwk.toJson(JsonWebKey.OutputControlLevel.INCLUDE_PRIVATE);
```

(3) Claims

Generate the Claims (full name JwtClaims) from the claim attributes defined in the OIDC protocol (aud, sub, exp, iat, iss) and their values. Sample code (JAVA):

```java
JwtClaims claims = new JwtClaims();
claims.setGeneratedJwtId();
claims.setIssuedAtToNow();
// Expire time: 120 seconds from now
NumericDate date = NumericDate.now();
date.addSeconds(120);
claims.setExpirationTime(date);
claims.setNotBeforeMinutesInThePast(1);
claims.setIssuer("your_issuer");      // iss is one of the claims listed above
claims.setSubject("your_subject");
claims.setAudience("your_audience");
// Add a custom parameter (key: String, value: Object)
claims.setClaim(key, value);
```

(4) Generate a JWS (JSON Web Signature) from the KeyId, the Claims and the PrivateKey, using the RSA SHA256 digital signature algorithm. Sample code (JAVA):

```java
JsonWebSignature jws = new JsonWebSignature();
jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256);
jws.setKeyIdHeaderValue(keyId);
jws.setPayload(claims.toJson());
// privateKeyText is the PrivateKey JSON exported in step (2)
PrivateKey privateKey = new RsaJsonWebKey(JsonUtil.parseJson(privateKeyText)).getPrivateKey();
jws.setKey(privateKey);
```

(5) Get the id_token value from the JWS. Sample code (JAVA):

```java
String idToken = jws.getCompactSerialization();
```

A generated id_token is the compact JWS serialization: three base64url segments (header, payload, signature) separated by dots.

2. The resource server (RS) is responsible for verifying the id_token and parsing the corresponding information. The Consumer sends a request to the API gateway carrying the id_token parameter.

The API gateway holds the public key used for verification; it validates and parses the id_token, obtains the user information and passes it to the Provider, or returns an error message if validation fails.

The Provider processes the request and returns the result to the API gateway, which returns the Provider's response to the Consumer.

Note: the RS acts as the id_token consumer throughout the system and forwards requests to the Provider only after id_token verification passes.
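As an added example (not code from the original article), the following jose4j program shows the full round trip: the AS-side issuing condensed from steps (2) to (5) above, and the RS/gateway-side verification just described, where the verifier holds only the public JWK, selects it by the kid header, pins the algorithm to RS256 and enforces exp, iss and aud rather than the signature alone. The issuer URL, audience and subject are assumed placeholders.

```java
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwk.*;
import org.jose4j.jws.*;
import org.jose4j.jwt.*;
import org.jose4j.jwt.consumer.*;
import org.jose4j.keys.resolvers.JwksVerificationKeyResolver;
import java.util.*;
public class IdTokenRoundTrip {
    static final String ISSUER = "https://as.example.test";   // assumed placeholder values
    static final String AUDIENCE = "your_audience";
    // AS side: sign the OIDC claims with the private half of the JWK (steps (3)-(5) above)
    static String issue(RsaJsonWebKey jwk, String subject) throws Exception {
        JwtClaims claims = new JwtClaims();
        claims.setGeneratedJwtId();
        claims.setIssuedAtToNow();
        claims.setExpirationTimeMinutesInTheFuture(2);   // 120 seconds, as in the article
        claims.setNotBeforeMinutesInThePast(1);
        claims.setIssuer(ISSUER);
        claims.setSubject(subject);
        claims.setAudience(AUDIENCE);
        JsonWebSignature jws = new JsonWebSignature();
        jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256);
        jws.setKeyIdHeaderValue(jwk.getKeyId());
        jws.setPayload(claims.toJson());
        jws.setKey(jwk.getPrivateKey());
        return jws.getCompactSerialization();
    }
    // RS/gateway side: only the PUBLIC JWK is stored; it is resolved by the kid header, the
    // algorithm is restricted to RS256, and exp/iss/aud are checked in addition to the signature.
    static JwtClaims verify(String idToken, String publicJwkJson) throws Exception {
        JsonWebKey pub = JsonWebKey.Factory.newJwk(publicJwkJson);
        JwtConsumer consumer = new JwtConsumerBuilder()
            .setRequireExpirationTime()
            .setRequireSubject()
            .setExpectedIssuer(ISSUER)
            .setExpectedAudience(AUDIENCE)
            .setVerificationKeyResolver(new JwksVerificationKeyResolver(Collections.singletonList(pub)))
            .setJwsAlgorithmConstraints(new AlgorithmConstraints(AlgorithmConstraints.ConstraintType.PERMIT, AlgorithmIdentifiers.RSA_USING_SHA256))
            .build();
        return consumer.processToClaims(idToken);   // throws InvalidJwtException on any failure
    }
    public static void main(String[] args) throws Exception {
        RsaJsonWebKey jwk = RsaJwkGenerator.generateJwk(2048);
        jwk.setKeyId(UUID.randomUUID().toString().replaceAll("-", ""));
        String publicJson = jwk.toJson(JsonWebKey.OutputControlLevel.PUBLIC_ONLY);
        String token = issue(jwk, "user-42");
        System.out.println("verified sub=" + verify(token, publicJson).getSubject());
        String forged = token.substring(0, token.lastIndexOf('.') + 1) + "AAAA";   // damaged signature
        try { verify(forged, publicJson); } catch (InvalidJwtException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The same JwtConsumer configuration rejects a token whose kid is unknown to the gateway, whose header claims a different algorithm, or whose exp has passed, which is the behaviour the gateway needs before forwarding user information to the Provider.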
