使用Zuul作为身份验证网关 [英] Using Zuul as an authentication gateway
问题描述
背景
我想实现此文章.
可以通过下图进行总结:
It can be summarised by the diagram below:
- 客户端首先通过IDP(OpenID Connect/OAuth2)进行身份验证
- IDP返回访问令牌(不带用户信息的不透明令牌)
- 客户端通过API网关使用Authorization标头中的访问令牌进行调用
- API网关使用访问令牌向IDP发送请求
- IDP验证访问令牌是否有效,并以JSON格式返回用户信息
- API网关将用户信息存储在JWT中,并使用私钥对其进行签名.然后,将JWT传递到下游服务,该服务使用公共密钥验证JWT
- 如果服务必须调用另一个服务来满足请求,则它将传递JWT,该JWT充当请求的身份验证和授权
我到目前为止所拥有的
我大部分使用以下方法完成:
I have most of that done using:
- 春季云作为全球框架
- 春季启动以启动单个服务
- Netflix Zuul作为API网关
我还编写了Zuul PRE过滤器,用于检查访问令牌,联系IDP并创建JWT.然后,将JWT添加到转发到下游服务的请求的标头中.
I have also written a Zuul PRE filter that checks for an Access Token, contacts the IDP and create a JWT. The JWT is then added to the header for the request forwarded to the downstream service.
问题
现在我的问题非常针对Zuul及其过滤器.如果API网关中的身份验证由于任何原因失败,我如何才能停止路由并直接使用401进行响应,而无需继续过滤链并转发呼叫?
Now my question is quite specific to Zuul and its filters. If authentication fails in the API gateway for any reason, how can I can stop the routing and respond directly with a 401 without continuing the filter chain and forwarding the call?
目前,如果身份验证失败,则过滤器不会将JWT添加到标头中,而401将来自下游服务.我希望我的网关可以阻止此不必要的呼叫.
At the moment if authentication fails the filter won't add the JWT to the header and the 401 will come from the downstream service. I was hoping my gateway could prevent this unnecessary call.
我试图看看如何使用com.netflix.zuul.context.RequestContext来做到这一点,但是文档却很贫乏,我找不到方法.
I tried to see how I could use com.netflix.zuul.context.RequestContextto do this but the documentation is quite poor and I couldn't find a way.
推荐答案
您可以尝试在当前上下文中设置setSendZuulResponse(false).这不应路由请求.您也可以从上下文中调用removeRouteHost(),这将达到相同的效果.您可以使用setResponseStatusCode设置401状态代码.
You could try setting setSendZuulResponse(false) in the current context. This should not route the request. You could also call removeRouteHost() from the context, which would achieve the same. You could usesetResponseStatusCode to set the 401 status code.
这篇关于使用Zuul作为身份验证网关的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
