OAuth2.0

API Gateway

Release Notes and Announcements

Release Notes

Announcements

[Important] API Gateway Product Sales Discontinuation Announcement

[March 1, 2024] Security Management Notice for the Use of Default Domain Name in API Gateway

[August 15, 2022] Billing of Public Network Outbound Traffic from API Gateway to Backend Services

Product Introduction

Regions and Availability Zones

Purchase Guide (Discontinued)

Billing Overview

Instance Specifications

Shared Instance Billing

Dedicated Instance Billing

Billing Rule

Refund

Resource Pack Billing

Billing Rule

Refund

Payment Overdue

Getting Started

Step 1. Get the Access Permission

Step 2. Create a Service

Step 3. Create an API with Mock as the Backend Type

Step 4. Publish the Service

Step 5. Create a Plugin and Bind It to the API

Step 6. Debug the API

Operation Guide

Instance Management

Instance Parameter Configuration

Service Management

Binding Service to VPC

Migrating Service from Shared Instance to Dedicated Instance

Creating API

API Creation Overview

Creating APIs Connecting to the Public URL/IP Backend

Creating APIs Connecting to the VPC Resource Backend

Creating APIs Connecting to the SCF Backend

Creating API for Interconnecting Backend with COS

Creating APIs Connecting to the Mock Backend

Creating APIs Connecting to the TSF Backend

Importing APIs

API Management

Debugging General APIs

Debugging Microservice APIs

Compressing Responses

Base64 Encoding

Calling API

Calling Key Pair Authentication API

Authentication-Free API

Release and Access

Overview

Service Release and Deactivation

Service Access

Environment Version Switch

Custom Domain Name and Certificate

Configuring Custom Domain Name

Usage Plan

Overview

Working with a Usage Plan

Traffic Control

Backend Upstream

VPC Upstream

Verification and Security

Overview

Application-Enabled Authentication Method

Authentication-Free Mode

OAuth2.0

CAM Policy

Log Statistics

View Log Analysis

Exporting Service Logs

Viewing Operation Logs

Shipping to CLS

Access Monitoring

Viewing Monitoring Charts

Viewing API Statistics

Monitoring Metrics

API Doc Generator

Application Management

Permission Management

Precautions

Private IP Ranges and Public VIPs of API Gateway Regions

Plugin Usage

Overview

IP Access Control

Basic Traffic Throttling

Parameter Traffic Throttling

Practical Tutorial

Making Serverless Service Available quickly through API Gateway

Integrating WAF to API Gateway for Security Protection

Accessing Resources in IDC via API Gateway Dedicated Instance

Quick Access to TEM Application via API Gateway

Integrating ECDN to API Gateway for Acceleration

API Gateway Providing the Access Capability for TKE

Migrating from Region A to Region B

Development Guide

Serverless Framework

Overview

Installing Serverless Framework

Creating and Deploying API Gateway Service

Importing APIs

Defining APIs

Sample for Importing APIs

Generating Application Authentication Signature

Quick Service Deletion Tool

Uploading Files

Serverless Multi-File Upload Processing

Structures Passed by API Gateway to Backend

API Documentation

Making API Requests

Application APIs

DescribeApiAppBindApisStatus

DescribeApiAppsStatus

DescribeApiBindApiAppsStatus

DescribeApiForApiApp

DescribeServiceForApiApp

ModifyApiApp

UnbindApiApp

UpdateApiAppKey

Other APIs

DescribeInstancesNetworkConfig

CreateUpstream

DeleteUpstream

DescribeUpstreamBindApis

DescribeUpstreams

ModifyUpstream

DescribeExclusiveInstanceRegions

Plugin APIs

CreatePlugin

DeletePlugin

DescribeAllPluginApis

Usage Plan APIs

DemoteServiceUsagePlan

DescribeUsagePlan

DescribeUsagePlanEnvironments

DescribeUsagePlanSecretIds

DescribeUsagePlansStatus

IP Policy APIs

DescribeIPStrategyApisStatus

DescribeIPStrategysStatus

ModifyIPStrategy

UnBindIPStrategy

Custom Domain Name APIs

BindSubDomain

DeleteServiceSubDomainMapping

DescribeServiceSubDomainMappings

DescribeServiceSubDomains

API Document APIs

OpenAPI APIs

Key APIs

DescribeApiKeysStatus

Log APIs

Service APIs

DescribeServiceEnvironmentList

DescribeServiceEnvironmentReleaseHistory

DescribeServiceReleaseVersion

DescribeServiceUsagePlan

DescribeServicesStatus

Throttling Policy APIs

DescribeApiEnvironmentStrategy

DescribeServiceEnvironmentStrategy

ModifyApiEnvironmentStrategy

ModifyServiceEnvironmentStrategy

Documentation and SDK APIs

GenerateApiDocument

Data Types

Error Codes

Legacy Features

Key Pair Authentication

Key Management

Key Pair Authentication

Java (Key Pair Authentication)

Go (Key Pair Authentication)

Python (Key Pair Authentication)

JavaScript (Key Pair Authentication)

PHP (Key Pair Authentication)

C++ (Key Pair Authentication)

Erlang (Key Pair Authentication)

Signature generation instructions

FAQs

Service Level Agreement

Glossary

DocumentationAPI GatewayOperation GuideVerification and SecurityOAuth2.0

OAuth2.0

Download PDF

Last updated: 2023-12-22 09:54:29

OAuth2.0

Last updated: 2023-12-22 09:54:29

Download PDF

Overview
This topic describes how to configure OAuth 2.0 authorization access for APIs in the API Gateway console to meet your personalized security setting needs.
OAuth 2.0 Overview
OAuth 2.0 is an open authorization standard that enables you to allow third-party applications to access your specific private resources in a service without providing the account and password to the applications. OAuth 2.0 is an authorization protocol rather than an authentication protocol.
OAuth 2.0 roles
OAuth 2.0 has the following 4 roles: 
Role
Description
Resource owner
Owner of the resource
Resource server
Server where the resource is stored
Client
Third-party application client, which can be any third-party application that can consume the resource server
Authorization server
Intermediate layer that manages the above 3 roles
OAuth 2.0 authorization process
﻿
﻿
﻿
(A) The client initiates a request to the resource owner for authorization.
(B) The resource owner approves the authorization.
(C) The client applies to the authorization server for an authorization token after getting the resource owner's authorization.
(D) The authorization server grants the authorization token after authenticating the client.
(E) The client requests the resource server to send the user information after getting the authorization token.
(F) The resource server sends the user information to the client after verifying that the token is correct.
Prerequisites
An authorization server for distributing tokens is available. (You need to build an authorization server. The API Gateway provides the Python3 Demo and the Golang Demo for your reference.)
You have created an API Gateway service (for more information, see Creating Services).
Directions
Step 1: build an authorization server (Python3 Demo is used as an example).
1. Download the Python3 Demo from the official repository of the API Gateway.
2. Generate the RSA public and private keys and run produce_key.py in Python 3 to generate 3 files:
public_pem: public key in PEM format.
priv_pem: private key in PEM format.
pulic: public key in JSON format. The file content is used to configure the authorization API of API Gateway and is in the following format:
{"e":"AQAB","kty":"RSA","n":"43nSuC6lmGLogEPgFVwaaxAmPDzmZcocRB4Jed_dHc-sV7rcAcNB0iHyuGfNkfOAE2uhHVjdXuO6DBYGz4pnTwRZ5_wFrW0DlrlJQAXSvg6B2N1uda_aqySNw3rrvdh38rVG7HxFmyPbLXcpJtyfkiRNyZ1WhSpH0NciIRrFbW2mKRtOZsBGfBgmNqPGcGrMA71cuqNAQ9RMKmAF37iGXkx0tWMBQ_PL2aviHhtsiPbT3zIO7qUG3cleBHnS61kid3K8F38z9-5Hj-1zdTIP8iS4rAt4FmhvKvtOocRPYGq0W_dLLxmi4DYgIV2GJE93WyZ1EUvgRGhpcHvyT65z4w"}
3. Start the service. After installing the bottle library by running pip3 install bottle, run server.py in Python 3 to generate a token. Then, you can simply check whether the token is successfully generated.
curl localhost:8080/token 
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1OTIyNzgwODksImZvbyI6ImJhciIsImlhdCI6MTU5MjI3Nzc4OSwianRpIjoibFY1TS10S2oxMEdtV0pJcHotM01GUSIsIm5iZiI6MTU5MjI3Nzc4OSwid3VwIjo5MH0.aHyZo2jgkNxVRDMtEiRBU4-n0pMfa0gocu92KQBe-nmbFoeI_5EWTJ8XFNnSIuoCAIFvrd9MSUX2DNVTg0woXukjoKOTjZSx4txknaXs1aApdvW74FVddCrMtdLrKh_VlwPOrEaOGesmtfcR3RN8xWnj1oedPW-HKPEqVpIAIIWO8ilCBFF-5yffcnFGIbfYO0t7OeBBviCQnQjWAmQHnteOZm0CBeG22k7rlnjH96qE_kyq7DHQqGmURjlpGxoXRC6E-AiV-3mYrCGnsAosEltuIUtq8VIbTZabSobFDE92C8us4GFtIVJQB2NWgeB3Hxgpz3Dlb4NCCcCkZbryEQ
Step 2: configure a Tencent Cloud API Gateway authorization API.
1. In the created service, create an authorization API. When you are configuring the frontend, select OAuth 2.0 as the authentication type and Authorization API as the OAuth mode.
﻿
﻿
﻿
2. When you are configuring the backend, select your own server address as the authentication server, select Header as the token location, and enter the content in the public file generated by running produce_key.py as the public key. After the API is created, click Complete.
﻿
﻿
﻿
Step 3: configure a Tencent Cloud API Gateway business API.
1. In the authorization API service, create a business API. When you are configuring the frontend, select OAuth 2.0 as the authentication type, Business API as the OAuth mode, and the created authorization API as the associated authorization API.
2. When you are configuring the backend, select mock as the backend type and enter hello world as the returned data.
Step 4: perform verification.
1. Request the authorization API to get the token:
curl http://service-cmrrdq86-1251890925.gz.apigw.tencentcs.com:80/token
Returned result:
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1OTIyNzk3MTAsImZvbyI6ImJhciIsImlhdCI6MTU5MjI3OTQxMCwianRpIjoiZlBGYlFZRkR4REx3d0lXTFl0aHBBQSIsIm5iZiI6MTU5MjI3OTQxMCwid3VwIjo5MH0.0JQquNRVCQ8n9hPV-mJi6Mku_7G3T1jFp68Sk2AYBijpzzBMQ1KOcREyo9G6QOpvdctynGOAPkL3cwqeTzkFhWgGj633pu_MdLjlectEBMGyVQIv6pL8OBMCHMQzTUTpHWJ_NoUkLpRLKGqZFFcXW8q7v4KeCbf8xHUa9OCH5VF2JxYOnFWDVgucSqao06r0Jaq64LDwKIhLw77ujheKpcBjRrf1kqoIpqk2qhb8CzxM36g_DawMadzKmX49dT-k7auNnI2xUtu5CZdXZ3lSmLeicXfGjc66rrH_acqUqipZRKeeQ5F3Ma467jPQaTeOKiCMHwS2_yp-sXNU2GzxOA
Note: 
You can get the token using either of the following methods: 1. send a request to the API Gateway authorization API address to get the token; 2. quickly get the token directly from the authorization server. The first method is used in this document to protect the authorization server.
2. Use the token to request the business API. As you can see, the business API can be requested successfully.
curl http://service-cmrrdq86-1251890925.gz.apigw.tencentcs.com:80/work -H'Authorization:Bearer id_token="eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1OTIyNzk3MTAsImZvbyI6ImJhciIsImlhdCI6MTU5MjI3OTQxMCwianRpIjoiZlBGYlFZRkR4REx3d0lXTFl0aHBBQSIsIm5iZiI6MTU5MjI3OTQxMCwid3VwIjo5MH0.0JQquNRVCQ8n9hPV-mJi6Mku_7G3T1jFp68Sk2AYBijpzzBMQ1KOcREyo9G6QOpvdctynGOAPkL3cwqeTzkFhWgGj633pu_MdLjlectEBMGyVQIv6pL8OBMCHMQzTUTpHWJ_NoUkLpRLKGqZFFcXW8q7v4KeCbf8xHUa9OCH5VF2JxYOnFWDVgucSqao06r0Jaq64LDwKIhLw77ujheKpcBjRrf1kqoIpqk2qhb8CzxM36g_DawMadzKmX49dT-k7auNnI2xUtu5CZdXZ3lSmLeicXfGjc66rrH_acqUqipZRKeeQ5F3Ma467jPQaTeOKiCMHwS2_yp-sXNU2GzxOA"'
Returned result:
hello world
Using the authorization code to get the token
In the sample above, no authorization code is used to get the token. To ensure that only specified users can get the token, the authorization code needs to be obtained from the resource owner according to the authorization process. As can be seen in the server.py file, you can first request the authorization code path to get the code and then register the distributed code to verify its validity when getting the token.

Was this page helpful?

You can also Contact Sales or Submit a Ticket for help.

Yes

Role	Description
Resource owner	Owner of the resource
Resource server	Server where the resource is stored
Client	Third-party application client, which can be any third-party application that can consume the resource server
Authorization server	Intermediate layer that manages the above 3 roles

tencent cloud

New User Offers

Next-Generation CDN：EdgeOne

Elasticsearch Service Special Offers

Free Tier

Tencent Cloud Startup Program

Special Offers

Lighthouse Special Offers

Cloud Object Storage Special Offers

Featured Products

New Products

Education

Tencent Cloud Online Education Solutions

Gaming

Gaming Solution

Game Media Solutions

Financial Services

Financial Services Solution

Audio & Video

Audio/Video Solution

LVB Recording Solution

Interactive Classroom Solution

Interactive Live Streaming Solution

Audio Chat Social Networking Solution

Real Estate

Tencent Cloud LinkBase(Weiling)

E-commerce

E-commerce retail solutions

Compute

Cloud Virtual Machine

Auto Scaling

Batch Compute

CVM Dedicated Host

Database

TencentDB for MySQL

TencentDB for Redis®

TencentDB for CTSDB

TDSQL for MySQL

Data Transfer Service

TencentDB for MongoDB

TencentDB for PostgreSQL

TencentDB for SQL Server

TencentDB for TcaplusDB

Video Service

Cloud Streaming Services

Video on Demand

Media Processing Service

Cloud Application Rendering

Cloud Contact Center

Game Multimedia Engine

Chat

Real-time Communication

Tencent Effect SDK

AI and Machine Learning

Image Creation Large Model

Face Fusion

eKYC

Optical Character Recognition

Video Creation Large Model

Industry Applications

Tencent HealthCare Omics Platform

Container and Middleware

TDMQ for CKafka

Serverless Cloud Function

Tencent Kubernetes Engine

Tencent Kubernetes Engine for Serverless

Networking

Cloud Load Balancer

Virtual Private Cloud

Direct Connect

Cloud Connect Network

NAT Gateway

VPN Connection

Bandwidth Package

Anycast Internet Acceleration

Elastic Network Interface

Flow Logs

Global Application Acceleration Platform

Security

Captcha