# Overview

For interfaces exposed through the gateway, routing must be configured.

Permission verification authenticates the client requesting an interface to confirm whether it may access that interface.

The client states its identity, that is, which application it is, through the fizz-appid request header.

The management console can configure the authentication method of each application. Three methods are currently supported: md5, key, and custom.

Routes can be associated with applications, so that clients are authenticated when they access the routed interface.

Based on the example of "routing-reverse proxy", the following introduces the definition of the application and the three authentication methods.

# Application definition

Define the application client-app-1 in the management console:

# Configure authentication

# Key authentication

With the above configuration, for clients that send the request header fizz-appid=client-app-1, the gateway checks whether the fizz-sign request header equals the key shown in the figure.

# MD5 authentication

With the above configuration, the gateway computes MD5(client-app-1 + fizz-ts (timestamp, in milliseconds) + 95c6990e07714a63aba8354fa6544701) and checks whether the result matches the fizz-sign passed by the client.
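The MD5 scheme described above, seen from both sides, as an added example that is not FizzGate's own code. The function names are hypothetical, and UTF-8 input with lowercase hex output is an assumption the page does not state.

```python
import hashlib
import hmac
import time
from typing import Optional

APP_ID = "client-app-1"
SECRET = "95c6990e07714a63aba8354fa6544701"  # the key value shown on this page


def fizz_sign(app_id: str, ts_ms: str, secret: str) -> str:
    """MD5 over appid + timestamp + key, concatenated with no separator."""
    # Assumption: UTF-8 input and lowercase hex output.
    return hashlib.md5((app_id + ts_ms + secret).encode("utf-8")).hexdigest()


def client_headers(app_id: str, secret: str, ts_ms: Optional[int] = None) -> dict:
    """Headers a client attaches to a request sent through the gateway."""
    ts = str(int(time.time() * 1000) if ts_ms is None else ts_ms)
    return {"fizz-appid": app_id, "fizz-ts": ts,
            "fizz-sign": fizz_sign(app_id, ts, secret)}


def gateway_check(headers: dict, app_secrets: dict) -> bool:
    """Recompute the digest from the received headers and compare it."""
    app_id = headers.get("fizz-appid", "")
    secret = app_secrets.get(app_id)
    ts, sign = headers.get("fizz-ts"), headers.get("fizz-sign")
    if secret is None or ts is None or sign is None:
        return False  # unknown application or missing header
    expected = fizz_sign(app_id, ts, secret)
    # Constant-time comparison so the check does not leak how many
    # leading characters of the signature were correct.
    return hmac.compare_digest(expected.encode("utf-8"), sign.encode("utf-8"))


if __name__ == "__main__":
    sample = client_headers(APP_ID, SECRET, ts_ms=1700000000000)  # constructed timestamp
    print(sample, gateway_check(sample, {APP_ID: SECRET}))
```

The digest covers only the application id, the timestamp and the key, so changing either header value invalidates fizz-sign.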

# Custom authentication

Select "Custom plug-in" as the authentication method, extend AbstractCustomAuth (AbstractCustomAuth.java in the gateway code), and implement:

```java
public abstract Mono<Result<?>> auth(String appId, String ip, String timestamp, String sign, App fizzAppConfig, ServerWebExchange exchange);
// appId: client-app-1
// ip: client ip
// timestamp: fizz-ts
// sign: fizz-sign
// fizzAppConfig: application configuration
```

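Annotate the implementation class with @Component and restart the gateway, for example:

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import org.springframework.stereotype.Component;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
// AbstractCustomAuth, App and Result come from the gateway code.

@Component
public class MyAuth extends AbstractCustomAuth {

    @Override
    public Mono<Result<?>> auth(String appId, String ip, String timestamp, String sign, App fizzAppConfig, ServerWebExchange exchange) {
        String key = fizzAppConfig.secretkey;
        // Reject a missing key or signature, then compare in constant time.
        if (key != null && sign != null
                && MessageDigest.isEqual(key.getBytes(StandardCharsets.UTF_8), sign.getBytes(StandardCharsets.UTF_8))) {
            return Mono.just(Result.succ()); // Authentication passed
        }
        return Mono.just(Result.fail("Incorrect key")); // Respond to the client with "Incorrect key"
    }
}
```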

# Routing configuration

In the "routing-reverse proxy" example:

After selecting client-app-1 and saving:

With this configuration, only the client-app-1 client can access aservice/a/b, and the gateway verifies each request using the authentication method configured for client-app-1.

# Introduction to FizzGate Integration Platform

FizzGate is a Java-based microservice aggregation gateway. It provides hot service orchestration and aggregation, automatic authorization selection, online service script coding, online testing, high-performance routing, API audit management, callback management, and more. It has a powerful, extensible custom plug-in system and a friendly graphical configuration interface, which help enterprises quickly manage API services, reduce middle-layer glue code, reduce coding investment, and improve the stability and security of API services.

Official website: https://www.fizzgate.com

GitHub: https://github.com/fizzgate/fizz-gateway-node

Code cloud: https://gitee.com/fizzgate/fizz-gateway

Getting Started Tutorial: https://www.fizzgate.com/fizz/guide/GettingStarted/


Author: lancer