- Release Notes
- Product Introduction
- Purchase Guide
- Getting Started
- Operation Guide
- Instance Selection
- Service Management
- API Creation
- API Management
- API Calling
- Release and Access
- Custom Domain Name and Certificate
- Usage Plan
- Authentication and Security
- Log Analysis
- Access Monitoring
- API Documentation
- Application Management
- Permission Management
- Precautions
- Private IP Ranges and Public VIPs of API Gateway Regions
- Plugin Usage
- Best Practice
- Development Guide
- API Documentation
- Legacy Features
- FAQs
- Service Level Agreement
- Glossary
- Release Notes
- Product Introduction
- Purchase Guide
- Getting Started
- Operation Guide
- Instance Selection
- Service Management
- API Creation
- API Management
- API Calling
- Release and Access
- Custom Domain Name and Certificate
- Usage Plan
- Authentication and Security
- Log Analysis
- Access Monitoring
- API Documentation
- Application Management
- Permission Management
- Precautions
- Private IP Ranges and Public VIPs of API Gateway Regions
- Plugin Usage
- Best Practice
- Development Guide
- API Documentation
- Legacy Features
- FAQs
- Service Level Agreement
- Glossary
Overview
This topic describes how to configure OAuth 2.0 authorization access for APIs in the API Gateway console to meet your personalized security setting needs.
OAuth 2.0 Overview
OAuth 2.0 is an open authorization standard that enables you to allow third-party applications to access your specific private resources in a service without providing the account and password to the applications. OAuth 2.0 is an authorization protocol rather than an authentication protocol.
OAuth 2.0 roles
OAuth 2.0 has the following 4 roles:
| Role | Description |
|---|---|
| Resource owner | Owner of the resource |
| Resource server | Server where the resource is stored |
| Client | Third-party application client, which can be any third-party application that can consume the resource server |
| Authorization server | Intermediate layer that manages the above 3 roles |
OAuth 2.0 authorization process
(A) The client initiates a request to the resource owner for authorization.
(B) The resource owner approves the authorization.
(C) The client applies to the authorization server for an authorization token after getting the resource owner's authorization.
(D) The authorization server grants the authorization token after authenticating the client.
(E) The client requests the resource server to send the user information after getting the authorization token.
(F) The resource server sends the user information to the client after verifying that the token is correct.
Prerequisites
- An authorization server for distributing tokens is available. (You need to build an authorization server. The API Gateway provides the Python3 Demo and the Golang Demo for your reference.)
- You have created an API Gateway service (for more information, see Creating Services).
Directions
Step 1: build an authorization server (Python3 Demo is used as an example).
- Download the Python3 Demo from the official repository of the API Gateway.
- Generate the RSA public and private keys and run
produce_key.pyin Python 3 to generate 3 files:
- public_pem: public key in PEM format
- priv_pem: private key in PEM format
- pulic: public key in JSON format. The file content is used to configure the authorization API of API Gateway and is in the following format:
{"e":"AQAB","kty":"RSA","n":"43nSuC6lmGLogEPgFVwaaxAmPDzmZcocRB4Jed_dHc-sV7rcAcNB0iHyuGfNkfOAE2uhHVjdXuO6DBYGz4pnTwRZ5_wFrW0DlrlJQAXSvg6B2N1uda_aqySNw3rrvdh38rVG7HxFmyPbLXcpJtyfkiRNyZ1WhSpH0NciIRrFbW2mKRtOZsBGfBgmNqPGcGrMA71cuqNAQ9RMKmAF37iGXkx0tWMBQ_PL2aviHhtsiPbT3zIO7qUG3cleBHnS61kid3K8F38z9-5Hj-1zdTIP8iS4rAt4FmhvKvtOocRPYGq0W_dLLxmi4DYgIV2GJE93WyZ1EUvgRGhpcHvyT65z4w"}
- Start the service. After installing the
bottlelibrary by runningpip3 install bottle, runserver.pyin Python 3 to generate a token. Then, you can simply check whether the token is successfully generated.curl localhost:8080/token eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1OTIyNzgwODksImZvbyI6ImJhciIsImlhdCI6MTU5MjI3Nzc4OSwianRpIjoibFY1TS10S2oxMEdtV0pJcHotM01GUSIsIm5iZiI6MTU5MjI3Nzc4OSwid3VwIjo5MH0.aHyZo2jgkNxVRDMtEiRBU4-n0pMfa0gocu92KQBe-nmbFoeI_5EWTJ8XFNnSIuoCAIFvrd9MSUX2DNVTg0woXukjoKOTjZSx4txknaXs1aApdvW74FVddCrMtdLrKh_VlwPOrEaOGesmtfcR3RN8xWnj1oedPW-HKPEqVpIAIIWO8ilCBFF-5yffcnFGIbfYO0t7OeBBviCQnQjWAmQHnteOZm0CBeG22k7rlnjH96qE_kyq7DHQqGmURjlpGxoXRC6E-AiV-3mYrCGnsAosEltuIUtq8VIbTZabSobFDE92C8us4GFtIVJQB2NWgeB3Hxgpz3Dlb4NCCcCkZbryEQ
Step 2: configure a Tencent Cloud API Gateway authorization API.
- In the created service, create an authorization API. When you are configuring the frontend, select OAuth 2.0 as the authentication type and Authorization API as the OAuth mode.
- When you are configuring the backend, select your own server address as the authentication server, select Header as the token location, and enter the content in the
publicfile generated by runningproduce_key.pyas the public key. After the API is created, click Complete.
Step 3: configure a Tencent Cloud API Gateway business API.
In the authorization API service, create a business API. When you are configuring the frontend, select OAuth 2.0 as the authentication type, Business API as the OAuth mode, and the created authorization API as the associated authorization API.
When you are configuring the backend, select mock as the backend type and enter
hello worldas the returned data.
Step 4: perform verification.
- Request the authorization API to get the token:
curl http://service-cmrrdq86-1251890925.gz.apigw.tencentcs.com:80/tokeneyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1OTIyNzk3MTAsImZvbyI6ImJhciIsImlhdCI6MTU5MjI3OTQxMCwianRpIjoiZlBGYlFZRkR4REx3d0lXTFl0aHBBQSIsIm5iZiI6MTU5MjI3OTQxMCwid3VwIjo5MH0.0JQquNRVCQ8n9hPV-mJi6Mku_7G3T1jFp68Sk2AYBijpzzBMQ1KOcREyo9G6QOpvdctynGOAPkL3cwqeTzkFhWgGj633pu_MdLjlectEBMGyVQIv6pL8OBMCHMQzTUTpHWJ_NoUkLpRLKGqZFFcXW8q7v4KeCbf8xHUa9OCH5VF2JxYOnFWDVgucSqao06r0Jaq64LDwKIhLw77ujheKpcBjRrf1kqoIpqk2qhb8CzxM36g_DawMadzKmX49dT-k7auNnI2xUtu5CZdXZ3lSmLeicXfGjc66rrH_acqUqipZRKeeQ5F3Ma467jPQaTeOKiCMHwS2_yp-sXNU2GzxOANote:
You can get the token using either of the following methods: 1. send a request to the API Gateway authorization API address to get the token; 2. quickly get the token directly from the authorization server. The first method is used in this document to protect the authorization server.
- Use the token to request the business API. As you can see, the business API can be requested successfully.
curl http://service-cmrrdq86-1251890925.gz.apigw.tencentcs.com:80/work -H'Authorization:Bearer id_token="eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1OTIyNzk3MTAsImZvbyI6ImJhciIsImlhdCI6MTU5MjI3OTQxMCwianRpIjoiZlBGYlFZRkR4REx3d0lXTFl0aHBBQSIsIm5iZiI6MTU5MjI3OTQxMCwid3VwIjo5MH0.0JQquNRVCQ8n9hPV-mJi6Mku_7G3T1jFp68Sk2AYBijpzzBMQ1KOcREyo9G6QOpvdctynGOAPkL3cwqeTzkFhWgGj633pu_MdLjlectEBMGyVQIv6pL8OBMCHMQzTUTpHWJ_NoUkLpRLKGqZFFcXW8q7v4KeCbf8xHUa9OCH5VF2JxYOnFWDVgucSqao06r0Jaq64LDwKIhLw77ujheKpcBjRrf1kqoIpqk2qhb8CzxM36g_DawMadzKmX49dT-k7auNnI2xUtu5CZdXZ3lSmLeicXfGjc66rrH_acqUqipZRKeeQ5F3Ma467jPQaTeOKiCMHwS2_yp-sXNU2GzxOA"'hello world
Using the authorization code to get the token
In the sample above, no authorization code is used to get the token. To ensure that only specified users can get the token, the authorization code needs to be obtained from the resource owner according to the authorization process. As can be seen in the server.py file, you can first request the authorization code path to get the code and then register the distributed code to verify its validity when getting the token.
Yes
No
Was this page helpful?