OAuth 2.0

Last updated: 2020-09-25 14:17:20

    Overview

    This topic describes how to configure OAuth 2.0 authorization for APIs in the API Gateway console, so that a business API only serves requests that carry a valid token issued by your own authorization server.

    OAuth 2.0 Overview

    OAuth 2.0 is an open authorization standard that lets a user grant a third-party application access to specific private resources in a service without handing the application the user's account name and password. OAuth 2.0 is an authorization protocol rather than an authentication protocol: a token proves that access to a resource was granted, not who the bearer is.

    OAuth 2.0 roles

    OAuth 2.0 defines the following 4 roles:

    Role                  Description
    Resource owner        Entity that owns the protected resource and can grant access to it (typically the end user)
    Resource server       Server that hosts the protected resource and accepts requests that carry an access token
    Client                Third-party application that requests access to the protected resource on the resource owner's behalf
    Authorization server  Server that authenticates the resource owner, obtains the resource owner's authorization, and issues access tokens to the client

    OAuth 2.0 authorization process


    (A) The client requests authorization from the resource owner.
    (B) The resource owner approves, and the client receives an authorization grant (for example, an authorization code).
    (C) The client presents the authorization grant to the authorization server and requests an access token.
    (D) The authorization server authenticates the client, validates the grant, and issues the access token.
    (E) The client sends the access token to the resource server when requesting the protected resource.
    (F) The resource server validates the token and, if it is valid, returns the protected resource.

    Prerequisites

    • An authorization server that issues tokens is available. (You need to build the authorization server yourself. API Gateway provides the Python3 Demo and the Golang Demo for your reference.)
    • You have created an API Gateway service (for more information, see Creating Services).

    Directions

    Step 1: build an authorization server (Python3 Demo is used as an example).

    1. Download the Python3 Demo from the official repository of the API Gateway.
    2. Run produce_key.py in Python 3 to generate an RSA key pair. It writes 3 files:
      • public_pem: public key in PEM format
      • priv_pem: private key in PEM format. Keep this file on the authorization server only; anyone who holds it can mint tokens that the gateway will accept.
      • public: public key as a JSON Web Key (JWK). Its content is pasted into the authorization API configuration of API Gateway and has the following format:
        {"e":"AQAB","kty":"RSA","n":"43nSuC6lmGLogEPgFVwaaxAmPDzmZcocRB4Jed_dHc-sV7rcAcNB0iHyuGfNkfOAE2uhHVjdXuO6DBYGz4pnTwRZ5_wFrW0DlrlJQAXSvg6B2N1uda_aqySNw3rrvdh38rVG7HxFmyPbLXcpJtyfkiRNyZ1WhSpH0NciIRrFbW2mKRtOZsBGfBgmNqPGcGrMA71cuqNAQ9RMKmAF37iGXkx0tWMBQ_PL2aviHhtsiPbT3zIO7qUG3cleBHnS61kid3K8F38z9-5Hj-1zdTIP8iS4rAt4FmhvKvtOocRPYGq0W_dLLxmi4DYgIV2GJE93WyZ1EUvgRGhpcHvyT65z4w"}
    3. Start the service. Install the bottle library with pip3 install bottle, then run server.py in Python 3. Request a token from the running server to check that one is issued:
      curl localhost:8080/token 
      eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1OTIyNzgwODksImZvbyI6ImJhciIsImlhdCI6MTU5MjI3Nzc4OSwianRpIjoibFY1TS10S2oxMEdtV0pJcHotM01GUSIsIm5iZiI6MTU5MjI3Nzc4OSwid3VwIjo5MH0.aHyZo2jgkNxVRDMtEiRBU4-n0pMfa0gocu92KQBe-nmbFoeI_5EWTJ8XFNnSIuoCAIFvrd9MSUX2DNVTg0woXukjoKOTjZSx4txknaXs1aApdvW74FVddCrMtdLrKh_VlwPOrEaOGesmtfcR3RN8xWnj1oedPW-HKPEqVpIAIIWO8ilCBFF-5yffcnFGIbfYO0t7OeBBviCQnQjWAmQHnteOZm0CBeG22k7rlnjH96qE_kyq7DHQqGmURjlpGxoXRC6E-AiV-3mYrCGnsAosEltuIUtq8VIbTZabSobFDE92C8us4GFtIVJQB2NWgeB3Hxgpz3Dlb4NCCcCkZbryEQ

    Step 2: configure a Tencent Cloud API Gateway authorization API.

    1. In the created service, create an authorization API (for more information, see Creating a General API). When configuring the frontend, select OAuth 2.0 as the authentication type and Authorization API as the OAuth mode.
    2. When configuring the backend, enter the address of your authorization server as the authentication server, select Header as the token location, and paste the content of the public file generated by produce_key.py as the public key. API Gateway uses this public key to verify the signature of tokens presented to the business API; the private key stays on your authorization server. After the API is created, click Complete.

    Step 3: configure a Tencent Cloud API Gateway business API.

    1. In the same service, create a business API (for more information, see Creating a General API). When configuring the frontend, select OAuth 2.0 as the authentication type, Business API as the OAuth mode, and the authorization API created in Step 2 as the associated authorization API.

    2. When you are configuring the backend, select mock as the backend type and enter hello world as the returned data.

    Step 4: perform verification.

    1. Request the authorization API to get the token:
      curl http://service-cmrrdq86-1251890925.gz.apigw.tencentcs.com:80/token
      Returned result:
      eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1OTIyNzk3MTAsImZvbyI6ImJhciIsImlhdCI6MTU5MjI3OTQxMCwianRpIjoiZlBGYlFZRkR4REx3d0lXTFl0aHBBQSIsIm5iZiI6MTU5MjI3OTQxMCwid3VwIjo5MH0.0JQquNRVCQ8n9hPV-mJi6Mku_7G3T1jFp68Sk2AYBijpzzBMQ1KOcREyo9G6QOpvdctynGOAPkL3cwqeTzkFhWgGj633pu_MdLjlectEBMGyVQIv6pL8OBMCHMQzTUTpHWJ_NoUkLpRLKGqZFFcXW8q7v4KeCbf8xHUa9OCH5VF2JxYOnFWDVgucSqao06r0Jaq64LDwKIhLw77ujheKpcBjRrf1kqoIpqk2qhb8CzxM36g_DawMadzKmX49dT-k7auNnI2xUtu5CZdXZ3lSmLeicXfGjc66rrH_acqUqipZRKeeQ5F3Ma467jPQaTeOKiCMHwS2_yp-sXNU2GzxOA

      Note:

      You can get a token in either of two ways: 1. send a request to the authorization API address exposed by API Gateway; 2. request the authorization server directly. This document uses the first method so that the authorization server does not have to be reachable by clients; only the gateway talks to it.

    2. Use the token to request the business API. The token is passed in the Authorization header in the id_token="..." form that the gateway expects, and the request succeeds:
      curl http://service-cmrrdq86-1251890925.gz.apigw.tencentcs.com:80/work -H'Authorization:Bearer id_token="eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1OTIyNzk3MTAsImZvbyI6ImJhciIsImlhdCI6MTU5MjI3OTQxMCwianRpIjoiZlBGYlFZRkR4REx3d0lXTFl0aHBBQSIsIm5iZiI6MTU5MjI3OTQxMCwid3VwIjo5MH0.0JQquNRVCQ8n9hPV-mJi6Mku_7G3T1jFp68Sk2AYBijpzzBMQ1KOcREyo9G6QOpvdctynGOAPkL3cwqeTzkFhWgGj633pu_MdLjlectEBMGyVQIv6pL8OBMCHMQzTUTpHWJ_NoUkLpRLKGqZFFcXW8q7v4KeCbf8xHUa9OCH5VF2JxYOnFWDVgucSqao06r0Jaq64LDwKIhLw77ujheKpcBjRrf1kqoIpqk2qhb8CzxM36g_DawMadzKmX49dT-k7auNnI2xUtu5CZdXZ3lSmLeicXfGjc66rrH_acqUqipZRKeeQ5F3Ma467jPQaTeOKiCMHwS2_yp-sXNU2GzxOA"'
      Returned result:
      hello world
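The following Python script is added here as an example; it is not code from the API Gateway demo or from Tencent Cloud. It takes the token shown in Step 1 and the public JWK written by produce_key.py (both copied from this page) and performs the checks the gateway performs when it receives the Authorization header: it splits the compact JWS, decodes the header and claims, checks exp/nbf/iat against a supplied clock, and verifies the RS256 signature (RSASSA-PKCS1-v1_5 with SHA-256, RFC 8017) with the public key, in pure Python with no third-party dependency. The leeway parameter, the event wording and the inspect_token() helper are this example's own. The demo claims foo and wup have no meaning stated on this page. Whether the JWK on this page is the one that signed the sample token is not stated on the page either, so the script reports the verification result rather than assuming it; the tampered-token check at the end holds either way.

```python
"""Decode, check and verify a JWT of the kind the demo authorization server issues.

Added example; not code from the API Gateway demo. SAMPLE_TOKEN and SAMPLE_JWK
are copied from the page; everything else is this example's own.
"""
import base64
import hashlib
import json
import time

# Token returned by `curl localhost:8080/token` in Step 1 (copied from the page).
SAMPLE_TOKEN = (
    "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJleHAiOjE1OTIyNzgwODksImZvbyI6ImJhciIsImlhdCI6MTU5MjI3Nzc4OSwianRpIjoibFY1TS10S2oxMEdtV0pJcHotM01GUSIsIm5iZiI6MTU5MjI3Nzc4OSwid3VwIjo5MH0."
    "aHyZo2jgkNxVRDMtEiRBU4-n0pMfa0gocu92KQBe-nmbFoeI_5EWTJ8XFNnSIuoCAIFvrd9MSUX2DNVTg0woXukjoKOTjZSx4txknaXs1aApdvW74FVddCrMtdLrKh_VlwPOrEaOGesmtfcR3RN8xWnj1oedPW-HKPEqVpIAIIWO8ilCBFF-5yffcnFGIbfYO0t7OeBBviCQnQjWAmQHnteOZm0CBeG22k7rlnjH96qE_kyq7DHQqGmURjlpGxoXRC6E-AiV-3mYrCGnsAosEltuIUtq8VIbTZabSobFDE92C8us4GFtIVJQB2NWgeB3Hxgpz3Dlb4NCCcCkZbryEQ"
)

# Content of the `public` file written by produce_key.py (copied from the page): an RSA JWK.
SAMPLE_JWK = {
    "e": "AQAB",
    "kty": "RSA",
    "n": "43nSuC6lmGLogEPgFVwaaxAmPDzmZcocRB4Jed_dHc-sV7rcAcNB0iHyuGfNkfOAE2uhHVjdXuO6DBYGz4pnTwRZ5_wFrW0DlrlJQAXSvg6B2N1uda_aqySNw3rrvdh38rVG7HxFmyPbLXcpJtyfkiRNyZ1WhSpH0NciIRrFbW2mKRtOZsBGfBgmNqPGcGrMA71cuqNAQ9RMKmAF37iGXkx0tWMBQ_PL2aviHhtsiPbT3zIO7qUG3cleBHnS61kid3K8F38z9-5Hj-1zdTIP8iS4rAt4FmhvKvtOocRPYGq0W_dLLxmi4DYgIV2GJE93WyZ1EUvgRGhpcHvyT65z4w",
}

# DER encoding of the DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url, as used by JWS."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def split_jwt(token: str):
    """Return (header, claims, signing_input, signature) for a compact JWS."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("compact JWS must have exactly three parts")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    signing_input = (parts[0] + "." + parts[1]).encode("ascii")
    return header, claims, signing_input, b64url_decode(parts[2])


def jwk_to_rsa_public(jwk: dict):
    """Return the RSA public key (n, e) as integers from an RSA JWK (RFC 7518)."""
    if jwk.get("kty") != "RSA":
        raise ValueError("not an RSA JWK")
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    return n, e


def verify_rs256(token: str, jwk: dict) -> bool:
    """Verify RSASSA-PKCS1-v1_5/SHA-256 over header.payload with the JWK's public key."""
    header, _, signing_input, sig = split_jwt(token)
    # Pin the algorithm: the token must never choose it (blocks alg=none / HS256 confusion).
    if header.get("alg") != "RS256":
        return False
    n, e = jwk_to_rsa_public(jwk)
    k = (n.bit_length() + 7) // 8            # modulus length in bytes
    if len(sig) != k:
        return False
    s = int.from_bytes(sig, "big")
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")     # RSAVP1: recover the encoded message
    t = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(signing_input).digest()
    expected = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t   # EMSA-PKCS1-v1_5
    return em == expected


def check_time_claims(claims: dict, now: int, leeway: int = 0):
    """Return the reasons the token is not usable at time `now` (empty list means usable)."""
    problems = []
    if "exp" not in claims:
        problems.append("missing exp")
    elif now >= claims["exp"] + leeway:
        problems.append("expired")
    if "nbf" in claims and now + leeway < claims["nbf"]:
        problems.append("not yet valid")
    if "iat" in claims and claims["iat"] > now + leeway:
        problems.append("issued in the future")
    return problems


def inspect_token(token: str, now: int):
    """Summarise the token the way an operator would want to see it in a log line."""
    header, claims, _, _ = split_jwt(token)
    return {
        "alg": header.get("alg"),
        "lifetime": claims["exp"] - claims["iat"],   # seconds the demo server grants
        "problems": check_time_claims(claims, now),
    }


if __name__ == "__main__":
    print(inspect_token(SAMPLE_TOKEN, int(time.time())))
    print("signature verifies with the sample JWK:", verify_rs256(SAMPLE_TOKEN, SAMPLE_JWK))
```

Run against the sample token, the script shows a 300-second lifetime, and at any present-day clock reports the token as expired; the gateway's own check is the same combination of signature verification with the configured public key and time-claim validation. Note that the signature check never consults the token's own alg field to select a key or algorithm; that pinning is what prevents an attacker from presenting an unsigned or HMAC-signed token.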

    Using the authorization code to get the token

    In the sample above, the token is issued without an authorization code: anyone who can reach the token endpoint receives a token. To ensure that only specified users can get a token, the client must first obtain an authorization code from the resource owner, following the authorization process described above. As can be seen in server.py, the client first requests the authorization code path to obtain a code; the server registers each code it distributes, and when a token is requested it checks that the presented code was issued by it and is still valid before returning a token.
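The check described above, as an added example that is not the demo's server.py (which is not reproduced on this page): an in-memory registry of issued authorization codes that the token endpoint consults before minting a token. The 60-second code lifetime, the binding of each code to the client_id and redirect_uri that obtained it, and the audit event names are this example's own choices, following RFC 6749 section 4.1; the page only states that the server registers the codes it distributes and verifies them when a token is requested. Token minting itself is left out.

```python
"""One-time authorization codes for a token endpoint.

Added example; not the API Gateway demo's server.py. The TTL, the client and
redirect_uri binding, and the audit events are this example's own assumptions.
"""
import secrets
import time


class AuthorizationCodeStore:
    """Registry of issued authorization codes, each redeemable exactly once."""

    def __init__(self, ttl_seconds: int = 60):
        self.ttl = ttl_seconds
        self._codes = {}     # code -> record; a code is removed on first redemption attempt
        self.events = []     # (event, client_id) pairs, the audit trail a SOC would ingest

    def issue(self, user: str, client_id: str, redirect_uri: str, now=None) -> str:
        """Called after the resource owner approves the client (step B of the flow)."""
        now = time.time() if now is None else now
        code = secrets.token_urlsafe(32)      # 256 bits from the OS CSPRNG: unguessable
        self._codes[code] = {"user": user, "client_id": client_id,
                             "redirect_uri": redirect_uri, "issued_at": now}
        return code

    def redeem(self, code: str, client_id: str, redirect_uri: str, now=None):
        """Called by the token endpoint (steps C/D). Returns the user, or None on rejection.

        The code is removed before any check runs, so a stolen or guessed code
        can never be replayed later even if this attempt is rejected.
        """
        now = time.time() if now is None else now
        record = self._codes.pop(code, None)
        if record is None:
            self.events.append(("unknown_or_reused_code", client_id))
            return None
        if now - record["issued_at"] > self.ttl:
            self.events.append(("expired_code", client_id))
            return None
        # A code is bound to the client and redirect URI that obtained it (RFC 6749 4.1.3),
        # so a code leaked to a different client cannot be exchanged for a token.
        if record["client_id"] != client_id or record["redirect_uri"] != redirect_uri:
            self.events.append(("client_mismatch", client_id))
            return None
        return record["user"]


def demo(now: float = 1592277789.0):
    """Happy path, then a replay, a cross-client exchange and a late exchange."""
    store = AuthorizationCodeStore(ttl_seconds=60)
    cb_a = "https://client-a.example/cb"      # hypothetical redirect URIs
    cb_b = "https://client-b.example/cb"
    code = store.issue("alice", "client-a", cb_a, now=now)
    first = store.redeem(code, "client-a", cb_a, now=now + 5)     # accepted
    replay = store.redeem(code, "client-a", cb_a, now=now + 6)    # same code again: rejected
    code2 = store.issue("alice", "client-a", cb_a, now=now)
    stolen = store.redeem(code2, "client-b", cb_b, now=now + 5)   # other client: rejected
    code3 = store.issue("alice", "client-a", cb_a, now=now)
    late = store.redeem(code3, "client-a", cb_a, now=now + 61)    # past TTL: rejected
    return {"first": first, "replay": replay, "stolen": stolen, "late": late,
            "events": [event for event, _ in store.events]}


if __name__ == "__main__":
    print(demo())
```

The three rejection paths are the ones that matter in practice: replay of an already-used code, exchange by a client other than the one the resource owner approved, and exchange after the code has aged out. Each rejection leaves an event behind, which is what lets a detection rule spot a burst of unknown_or_reused_code attempts from one client.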
