kong的多种认证方式设置

Posted 2023-02-05 louisliao_1981

1.新建一个用于认证验证的consumer

(1).新建consumer

curl -X POST --url http://localhost:8001/consumers/ --data "username=auth_user"

返回如下

  "custom_id":null,
  "created_at":1566380171,
  "username":"auth_user",
  "id":"f1b6c168-f6e3-482e-a477-2d09d14dce8b"

(2).为该consumer生成key-auth认证秘钥

curl -X POST --url http://localhost:8001/consumers/auth_user/key-auth/

返回

  "key": "PDKhYhkbjfZueFBQ7qe3nOYuWiUdOiiN",
  "created_at": 1566382283,
  "consumer": 
    "id": "f1b6c168-f6e3-482e-a477-2d09d14dce8b"
  ,
  "id": "f8edga25-5e18-4ec1-a41d-b4fc9ea20208"
  

可以通过接口/key-auths查看所有消费者的秘钥，通过/consumers/consumer/key-auth接口查看指定消费者的秘钥。

(3).为该consumer生成jwt认证秘钥

curl -X POST --url http://localhost:8001/consumers/auth_user/jwt -H "Content-Type: application/x-www-form-urlencoded"

返回

  "rsa_public_key": null,
  "created_at": 1566382780,
  "consumer": 
    "id": "f1b6c168-f6e3-482e-a477-2d09d14dce8b"
  ,
  "id": "c0296bae-b9bd-4835-b433-95dff237bb4b",
  "algorithm": "HS256",
  "secret": "EGUUr9v99DMGwIk9SpBxvigjzFi5GsBZ",
  "key": "GiweuLOEAwSO9cxkibug7MaBfdJE4NPB"

2.再新建一个consumer用于识别匿名用户

curl -X POST --url http://localhost:8001/consumers/ --data "username=anonymous"

返回

  "custom_id": null,
  "created_at": 1566388995,
  "username": "anonymous",
  "id": "958e85d7-e39d-4d2c-b8a9-888e25dbeed5"

3.为route或service 启用多个认证插件

1.为服务example-service 启用 key-auth 认证

 curl -i -X POST \\
  --url http://localhost:8001/services/example-service/plugins/ \\
  --data 'name=key-auth'

返回

  "created_at": 1566381363,
  "config": 
    "key_names": [
      "apikey"
    ],
    "run_on_preflight": true,
    "anonymous": null,
    "hide_credentials": false,
    "key_in_body": false
  ,
  "id": "947db416-1f3a-4a54-a5ff-75b6a55206d7",
  ...
  "name": "key-auth"

2.为服务启用JWT认证

curl -i -X POST \\
  --url http://localhost:8001/services/example-service/plugins/ \\
  --data 'name=jwt'

返回

  "created_at": 1566383438,
  "config": 
    "secret_is_base64": false,
    "key_claim_name": "iss",
    "cookie_names": [],
    "maximum_expiration": 0,
    "claims_to_verify": null,
    "anonymous": null,
    "run_on_preflight": true,
    "uri_param_names": [
      "jwt"
    ]
  ,
  "id": "fc54429b-73cd-4215-8f4d-35a21c6a389e",
  ...
  "name": "jwt"

3.为添加的认证插件启用匿名访问

因为添加多个认证插件后，默认情况下是需要多个插件同时满足，才算认证成功的。所以如果要使多个认证的关系为“或”的关系，那么第一步就必须为插件启用匿名访问

key-auth插件启用匿名访问，插件id为947db416-1f3a-4a54-a5ff-75b6a55206d7，匿名用户id为958e85d7-e39d-4d2c-b8a9-888e25dbeed5

 curl -X PATCH --url http://localhost:8001/services/example-service/plugins/947db416-1f3a-4a54-a5ff-75b6a55206d7/ \\
 --data "config.anonymous=958e85d7-e39d-4d2c-b8a9-888e25dbeed5"

jwt插件启用匿名访问，插件id为fc54429b-73cd-4215-8f4d-35a21c6a389e，匿名用户id为958e85d7-e39d-4d2c-b8a9-888e25dbeed5

curl -X PATCH --url http://localhost:8001/plugins/fc54429b-73cd-4215-8f4d-35a21c6a389e/ \\
--data "config.anonymous=958e85d7-e39d-4d2c-b8a9-888e25dbeed5"

4.拦截匿名访问

经过上面步骤后，虽然能够使多个认证之间为“或”的关系，但是也允许了匿名用户的访问（即不需认证也可以访问），所以还需要拦截匿名用户。这里使用request-termination插件

(1).启用插件

curl -X POST http://localhost:8001/services/example-service/plugins/ \\
--data "name=request-termination" \\
--data "config.status_code=401" \\
--data "config.content_type=application/json; charset=utf-8" \\
--data "config.body=\\"message\\": \\"Authentication required\\""

(2).匿名消费者anonymous启用该拦截插件

匿名消费者anonymous启用该拦截插件，插件id为e5ff19cf-006d-4fcd-ae00-5837bc5d6938，匿名消费者id为958e85d7-e39d-4d2c-b8a9-888e25dbeed5

curl -X PATCH http://localhost:8001/plugins/e5ff19cf-006d-4fcd-ae00-5837bc5d6938/ \\
--data "consumer.id=958e85d7-e39d-4d2c-b8a9-888e25dbeed5"

需要特别注意的是config.anonymous的值是第2步创建的匿名消费用户的id，而不是第一步创建的消费用户的id

官方文档

Multiple Authentication
Kong supports multiple authentication plugins for a given Service, allowing different clients to utilize different authentication methods to access a given Service or Route.

The behaviour of the auth plugins can be set to do either a logical AND, or a logical OR when evaluating multiple authentication credentials. The key to the behaviour is the config.anonymous property.

config.anonymous not set
If this property is not set (empty), then the auth plugins will always perform authentication and return a 40x response if not validated. This results in a logical AND when multiple auth plugins are being invoked.
config.anonymous set to a valid consumer id
In this case, the auth plugin will only perform authentication if it was not already authenticated. When authentication fails, it will not return a 40x response, but set the anonymous consumer as the consumer. This results in a logical OR + ‘anonymous access’ when multiple auth plugins are being invoked.
NOTE 1: Either all or none of the auth plugins must be configured for anonymous access. The behaviour is undefined if they are mixed.

NOTE 2: When using the AND method, the last plugin executed will be the one setting the credentials passed to the upstream service. With the OR method, it will be the first plugin that successfully authenticates the consumer, or the last plugin that will set its configured anonymous consumer.

NOTE 3: When using the OAuth2 plugin in an AND fashion, then also the OAuth2 endpoints for requesting tokens and so forth will require authentication by the other configured auth plugins.