
API gateway and app backend authentication

I have an application with a backend and a frontend. We are using JWT tokens for authentication and authorization (A2). Now we are planning to use express-gateway as an API gateway (AG) so that the backend can be unloaded from routing and other protection-heavy load, and that burden can be shifted to the AG. Now, since we are using the AG, shall we remove the A2 logic from the backend, and whatever request comes to the backend (every request will be routed from the consumer to the backend via the AG) we treat as coming from an authenticated user and process the request, with no need to verify again? If yes, then we will still need the JWT token to get the payload to extract information like email id, role, etc. For that, should we pass the token from the AG to the backend? Also, the backend might have different kinds of things in the payload than EG. How to tackle that?

To pass authentication information on to a server, you need to use the request-transformer policy to add the information to the request headers going to the server, e.g. the following fragment adds a header named eg-consumer-firstname:

  - request-transformer:
    - condition:
        name: authenticated
      action:
        headers:
          add:
             jscode: 'req.headers["eg-consumer-firstname"] = consumer.firstname'

The JS variables you can use in jscode sections are not particularly well documented, but you have access to everything in models/users.js.

In general, you can often adjust the gateway.config.yml such that scopes restrict which apiEndpoints (paths) are available to a given user; this is a better way to prevent unauthorized access than doing the processing on the downstream server side, which should do an independent check in case the API gateway has been compromised.
