How the external authentication handled in WSO2 APIM for an external/Third Party APIs

Problem description

I am using WSO2 APIM (2.5.0) and IS (5.6.0). They both are integrated and working well.

Now, if I onboard a third-party API in API Management, I am able to access it using an OAuth token. But the question is how to handle external or third-party APIs which have their own authentication.

So basically, using the WSO2 APIM token I am able to access the onboarded API, but we will not be able to get any response, as the onboarded API has its own authentication (basic or OAuth).

How can I achieve this in APIM?

Any help or guidance will be helpful.

Here is the sequence I am using (Thanks Bee for the guidance)

<sequence xmlns="http://ws.apache.org/ns/synapse" name="backend-token-sequence">
    <!-- Load the login request body from the registry and set it as the payload -->
    <property name="inputmessage" expression="get-property('registry', 'gov:/Login/msg/inputmessage.json')" scope="default" type="STRING"/>
    <script language="js">
        var payload = mc.getProperty("inputmessage");
        mc.setPayloadJSON(payload);
    </script>
    <header name="Content-Type" scope="transport" value="application/json"/>
    <property name="messageType" value="application/json" scope="axis2" type="STRING" description="messageType"/>

    <!-- Save and remove the resource path so it is not appended to the login URL -->
    <property name="temp" expression="$axis2:REST_URL_POSTFIX"/>
    <property name="REST_URL_POSTFIX" action="remove" scope="axis2"/>
    <property name="DISABLE_CHUNKING" value="true" scope="axis2" type="STRING"/>

    <!-- Call the backend's login endpoint -->
    <call blocking="true">
        <endpoint>
            <http uri-template="https://xx.com/auth/login" method="POST"/>
        </endpoint>
    </call>

    <!-- Forward the returned token to the backend and restore the resource path -->
    <property name="x-access-token" scope="transport" expression="json-eval($.token)"/>
    <property name="REST_URL_POSTFIX" scope="axis2" expression="$ctx:temp"/>
</sequence>

This is the in-flow sequence which is being used for one of the APIs. I am calling the API using the APIM URL with the GET method, passing the APIM bearer token.

Thanks

Recommended answer

WSO2 APIM out of the box supports basic auth and digest auth as backend security schemas.

In addition to that, using custom sequences you can pass any kind of security token to the backend.

For backends with OAuth, you have 2 options.

(1) Send backend token as well in the API request (inbound to APIM) and then forward it to the backend.

(2) Use a custom sequence to call the external token API and take a new token for the backend and then forward it to the backend.

<property name="temp" expression="$axis2:REST_URL_POSTFIX"/>
<property name="REST_URL_POSTFIX" action="remove" scope="axis2"/>
<call blocking="true">
    <endpoint>
         <http uri-template="https://external_idp.com/token" method="GET" />
    </endpoint>
</call>
<property name="BackendAuthHeader" scope="transport" expression="json-eval($.tokenresponse.token)"/>
<property name="REST_URL_POSTFIX" scope="axis2" expression="$ctx:temp"/>

I recommend (1) due to its simplicity.

More on option (1):

If your backend expects a header other than the "Authorization" header, you can simply send that header with your requests and it will be sent to the backend.

However, if your backend also expects the "Authorization" header, then it becomes a conflict as you can't use the same header to pass 2 tokens (1 for GW and 1 for backend). To solve that problem, you can use the custom authorization header for gateway feature.
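
Option (2) as a complete in-sequence that fails closed when the login call returns no token; this is an added example, not part of the original question or answer. The endpoint URL is a placeholder, the registry path, `$.token` field and `x-access-token` header follow the question's sequence, and the other names (`saved_postfix`, `backend_token`) and the empty-property behaviour for a missing field are assumptions.

```xml
<sequence xmlns="http://ws.apache.org/ns/synapse" name="backend-token-in-sequence">
    <!-- Login body from the registry, as in the question's sequence.
         This replaces the request body, so it fits GET resources only. -->
    <property name="inputmessage" scope="default" type="STRING"
              expression="get-property('registry', 'gov:/Login/msg/inputmessage.json')"/>
    <script language="js">
        mc.setPayloadJSON(mc.getProperty("inputmessage"));
    </script>
    <property name="messageType" value="application/json" scope="axis2"/>

    <!-- Keep the resource path out of the token call; restore it only on success -->
    <property name="saved_postfix" expression="$axis2:REST_URL_POSTFIX"/>
    <property name="REST_URL_POSTFIX" action="remove" scope="axis2"/>

    <call blocking="true">
        <endpoint>
            <!-- Placeholder URL, not a real identity provider -->
            <http uri-template="https://idp.example.com/auth/login" method="POST"/>
        </endpoint>
    </call>

    <!-- Assumption: a response without $.token leaves this property empty -->
    <property name="backend_token" expression="json-eval($.token)"/>
    <filter xpath="string-length($ctx:backend_token) &gt; 0">
        <then>
            <!-- Token present: attach it for the backend and restore the path -->
            <property name="x-access-token" scope="transport" expression="$ctx:backend_token"/>
            <property name="REST_URL_POSTFIX" scope="axis2" expression="$ctx:saved_postfix"/>
        </then>
        <else>
            <!-- Fail closed: answer the client here and never reach the backend -->
            <payloadFactory media-type="json">
                <format>{"error": "backend authentication failed"}</format>
                <args/>
            </payloadFactory>
            <property name="NO_ENTITY_BODY" action="remove" scope="axis2"/>
            <property name="HTTP_SC" value="502" scope="axis2"/>
            <respond/>
        </else>
    </filter>
</sequence>
```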
