Kong网关身份认证

认证的步骤:

  1. 启用认证插件。
  2. 创建用户。
  3. 给用户分配认证信息(扩展:账号密码 等)。
  4. 请求时,带上认证信息。

key-auth:

创建用户:

[root@localhost etc]# curl -i -X POST http://localhost:8001/consumers --data username=user1
HTTP/1.1 201 Created
Date: Fri, 02 Dec 2022 08:18:01 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Access-Control-Allow-Origin: *
Content-Length: 117
X-Kong-Admin-Latency: 24
Server: kong/3.0.1

{"custom_id":null,"tags":null,"id":"e04b610e-4bde-4eaf-88d7-ae8a874e668e","created_at":1669969081,"username":"user1"}[root@localhost etc]#

给user1 设置需要校验的key值。
  193  curl -i -X POST http://localhost:8001/consumers/user1/key-auth --data key=top-secret-key

校验key值的参数:apikey。(启用插件)
  194  curl -i -X POST http://localhost:8001/plugins --data name=key-auth --data "config.key_names=apikey"

不带key
  195  curl -i http://localhost:8000/tomcat82
带错误的key
  196  curl -i http://localhost:8000/tomcat82 -H "apikey:asdasd"
带正确的key
  197  curl -i http://localhost:8000/tomcat82 -H "apikey:top-secret-key"

basic-auth:

创建用户:

curl -i -X POST http://localhost:8001/consumers --data username=user2

启用basic-auth的插件:注意不能直接全局开启,需要在services上或者 routes上开启。

curl -i -X POST http://localhost:8001/services/myTomcat/plugins --data name=basic-auth --data "config.hide_credentials=true"

给用户创建凭证

curl -X POST http://localhost:8001/consumers/user2/basic-auth --data "username=user2" --data "password=123456"

请求的时候,带上 凭证,前提需要做base64的转换。

"user2:123456" 转换成 base64:dXNlcjI6MTIzNDU2

不带凭证:
[root@localhost etc]# curl http://localhost:8000/tomcat82
{
  "message":"Unauthorized"
}[root@localhost etc]#

正确的凭证:
curl http://localhost:8000/tomcat82 --header "Authorization: Basic dXNlcjI6MTIzNDU2"
tomcat-8082,82,82
错误的凭证:
[root@localhost etc]# curl http://localhost:8000/tomcat82 --header "Authorization: Basic dXNlcjI6MTIzNDU21"
{
  "message":"Invalid authentication credentials"
}[root@localhost etc]#

jwt:

删除插件:(注意:最后是 插件的ID,不是名称)

[root@localhost etc]# curl -X DELETE http://localhost:8001/services/myTomcat/plugins/2fe25deb-22a8-484a-aa1a-22bbd778e339
[root@localhost etc]#

删除用户:

[root@localhost etc]# curl -X DELETE http://localhost:8001/consumers/userJwt
  • 启用认证插件。

    [root@localhost etc]# curl -X POST http://localhost:8001/services/myTomcat/plugins --data name=jwt
    {"id":"d4c3714a-114b-4f5e-b8ac-ebcd5c44f531","created_at":1670138890,"service":{"id":"02c6b845-a25b-46d9-9fd0-704feeab3a63"},"route":null,"consumer":null,"tags":null,"enabled":true,"protocols":["grpc","grpcs","http","https"],"name":"jwt","config":{"cookie_names":[],"header_names":["authorization"],"key_claim_name":"iss","claims_to_verify":null,"maximum_expiration":0,"run_on_preflight":true,"anonymous":null,"uri_param_names":["jwt"],"secret_is_base64":false}}[root@localhost etc]#
    
  • 创建用户。

    [root@localhost etc]# curl -X POST http://localhost:8001/consumers --data username=useJwt
    {"custom_id":null,"tags":null,"id":"6d52c09c-185b-432f-bc61-f8acd7cb2d98","created_at":1670138991,"username":"useJwt"}[root@localhost etc]# 
    [root@localhost etc]#
    
  • 给用户分配认证信息(扩展:账号密码 等)。

    [root@localhost etc]# curl -X POST http://localhost:8001/consumers/useJwt/jwt
    {"id":"7026a984-454e-4f19-a9d3-25ecd2616168","algorithm":"HS256","consumer":{"id":"6d52c09c-185b-432f-bc61-f8acd7cb2d98"},"tags":null,"secret":"82shAj6BMPHoIcHgUbzQnc0tp6dp9bQh","created_at":1670139121,"rsa_public_key":null,"key":"BvWi05tgEijty9ItznMZ696XitLvgG4U"}[root@localhost etc]#
    
  • 请求时,带上认证信息。

    生成认证信息:网址:https://jwt.io/#debugger-io

生成的token:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJCdldpMDV0Z0VpanR5OUl0em5NWjY5NlhpdEx2Z0c0VSJ9.le5-_RtQq95RigII1nUf-fbL9wsCyxSc1R8FqV21Ju4

请求:

[root@localhost etc]# curl -X GET http://localhost:8000/tomcat82 -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJCdldpMDV0Z0VpanR5OUl0em5NWjY5NlhpdEx2Z0c0VSJ9.le5-_RtQq95RigII1nUf-fbL9wsCyxSc1R8FqV21Ju4'
tomcat-8082,82,82
[root@localhost etc]#

jwt组成:

HEADER:base64(json ). base64(payload). 下面的代码块。

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  
82shAj6BMPHoIcHgUbzQnc0tp6dp9bQh

)
相关推荐
MavenTalk13 天前
微服务网关SpringCloudGateway、Kong比较
spring boot·网关·spring cloud·微服务·架构·kong
Hello.Reader23 天前
Kong API Gateway 深度解析与实战指南
gateway·kong
风霜不见闲沉月2 个月前
kong网关的使用
junit·kong
还是转转2 个月前
Kong Gateway 指南
gateway·kong
三朝看客3 个月前
BClinux docker安装kong和konga
docker·容器·kong
爱技术的小伙子4 个月前
【API网关】 使用Kong、Zuul等工具实现API网关
kong
博客威6 个月前
kong网关部署
kong·konga
明明在学JAVA7 个月前
Kong网关的负载均衡
python·负载均衡·kong
Wang's Blog7 个月前
Go微服务: 基于Docker搭建Kong网关环境
docker·微服务·golang·kong