Integrate AI Gateway with your enterprise authentication system using the OpenID Connect (OIDC) protocol to centralize access control, simplify authentication, and enable single sign-on (SSO) across your internal services.
Prerequisites
A unified authentication and authorization service that supports the standard OIDC protocol is available.
Background information
AI Gateway integrates with your existing system through the OIDC protocol, providing centralized authentication and authorization for all connected services without per-service configuration.
OIDC authentication
OpenID Connect (OIDC) is a security protocol that enables third-party applications to obtain user information from an identity provider in a secure and reliable manner. OIDC extends OAuth 2.0 by introducing an ID Token — a self-contained, tamper-proof JSON Web Token (JWT) that carries basic user identity information and can be easily verified by third-party applications.
The OIDC flow involves the following four roles:
- Client: an application that provides services directly to the end user.
- Authorization server: an OpenID provider that issues an ID Token for third-party authentication.
- Business server: a server that provides business-specific services.
- End user: the resource owner.
The workflow is as follows:
- The client sends an authentication request to the authorization server.
- The end user signs in with a username and password on the authentication page and grants authorization.
- The authorization server validates the authentication request and returns an authorization code to the client.
- The client sends a callback request that contains the authorization code to the business server.
- The business server requests a token from the authorization server. The request contains the authorization code, Client ID, and Client Secret.
- The authorization server validates the request and returns an ID Token.
- The business server returns the ID Token to the client.
- The client sends a business request that contains the ID Token.
- The business server validates the ID Token and returns a business response.
AI Gateway OIDC authentication flow
In the standard OIDC flow, each business server (for example, a user service or an order service) must implement its own authentication and authorization logic and integrate with the authorization server individually. AI Gateway centralizes authentication and authorization at the gateway level, removing this per-service overhead.
The workflow is as follows:
- The client sends an authentication request to AI Gateway.
- AI Gateway forwards the authentication request to the authorization server.
- After validating the request, the authorization server returns an authorization code to AI Gateway.
- AI Gateway returns the authorization code to the client.
- The client sends a callback request that contains the authorization code to AI Gateway.
- AI Gateway requests a token from the authorization server. The request contains the authorization code, Client ID, and Client Secret.
- The authorization server validates the request and returns an ID Token.
- AI Gateway returns the ID Token to the client.
- The client sends a business request containing the ID Token to AI Gateway, which then verifies the token.
- After validating the token, AI Gateway forwards the request to the business server.
- The business server processes the request and returns a response.
- AI Gateway returns the business response to the client.
AI Gateway also proxies authentication requests to the authorization server, making the authentication process transparent to each business server. If a request is invalid, AI Gateway redirects the user to the login page.
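The checks behind the "verifies the token" step above, as an added example that is not AI Gateway's own code: the ID Token's signature, its iss claim against the rule's Issuer, its aud claim against the Client ID, and its expiry. The issuer, client ID and HS256 shared secret are constructed for this offline demo; real providers normally sign ID Tokens with RS256 and publish the public key in a JWKS document.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values (assumptions, not a real rule's configuration):
ISSUER = "https://idp.example.com"      # the rule's Issuer parameter
CLIENT_ID = "demo-client-id"            # the rule's Client ID parameter
SHARED_SECRET = b"demo-hs256-secret"    # HS256 key for this offline demo only

def b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_id_token(claims, secret=SHARED_SECRET):
    # HS256-signed JWT so the example runs offline; production providers
    # normally sign with RS256 and publish the public key in a JWKS document.
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def validate_id_token(token, now, secret=SHARED_SECRET):
    # Returns (claims, None) if every check passes, otherwise (None, reason).
    # "now" is the gateway's current time as a Unix timestamp.
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed token"
    header_b64, body_b64, sig_b64 = parts
    # Pin the algorithm; never let the token choose it (rejects alg=none).
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        return None, "unexpected alg"
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None, "bad signature"
    claims = json.loads(b64url_decode(body_b64))
    if claims.get("iss") != ISSUER:
        return None, "issuer mismatch"
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        return None, "audience mismatch"
    if now >= float(claims.get("exp", 0)):
        return None, "token expired"
    return claims, None
```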
Create an authentication rule
- Log on to the AI Gateway console.
- In the navigation pane on the left, choose Instance. In the top menu bar, select a region.
- On the Instance page, click the target instance ID.
- In the left-side navigation pane, choose .
- In the upper-left corner of the page, click Create Authentication. Configure the parameters and then click OK.
The following table describes the OIDC authentication parameters.

| Parameter | Description |
| --- | --- |
| Enable | Enables or disables authentication. |
| Authentication Name | The name of the authentication rule. |
| Authentication Type | Select OIDC. |
| Domain Name | The domain name that this authentication rule applies to. |
| Issuer | The issuer URL of your authorization server. |
| Redirect URL | The URL to which the user is redirected after successful authorization. This URL must match the redirect URL configured in your OIDC provider. Important: the URL must be in the format http(s)://yourdomain/path, and the path must be /oauth2/callback. |
| Client ID | The application ID obtained when you registered your application with the OIDC provider. |
| Client Secret | The application secret obtained when you registered your application with the OIDC provider. |
| Cookie Domain | The domain for the cookie. After authentication, the cookie is sent to this domain to maintain the login session. For example, a.example.com limits the cookie to that specific domain, while .example.com sends the cookie to all subdomains of example.com. |
| Cookie Secret | A secret key used to digitally sign the cookie and prevent tampering. |
| Scope | The access scopes requested by the application. Separate multiple values with semicolons (;). |
| Authorization | The authorization method. Select Whitelist Mode or Blacklist Mode. Whitelist: requests for the hosts and paths in this list are exempt from authentication; all other requests require authentication. Blacklist: requests for the hosts and paths in this list require authentication; all other requests bypass authentication. Click Rule Condition to set the request domain name and path: Domain Name is the requested domain name (host), and Path is the requested API path. |
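How the Cookie Secret, Authorization mode and Rule Condition parameters combine at request time, as an added example that is not AI Gateway's own code: the session cookie is signed with HMAC-SHA256 under the Cookie Secret, the whitelist or blacklist conditions decide whether authentication is required, and a request that needs authentication without a valid session is sent to login. The secret, the rule conditions and exact host/path matching are assumptions for this example.

```python
import hashlib
import hmac

# Constructed stand-ins for the rule's Cookie Secret and Rule Condition entries
# (assumptions for this example, not a real configuration).
COOKIE_SECRET = b"demo-cookie-secret"
RULE_CONDITIONS = [("api.example.com", "/public/info"), ("api.example.com", "/health")]

def sign_session(session_id, secret=COOKIE_SECRET):
    # Cookie value = session id + HMAC-SHA256 tag over it, so any edit to the
    # id (or the tag) is detected when the cookie comes back.
    tag = hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()
    return f"{session_id}.{tag}"

def verify_session(cookie, secret=COOKIE_SECRET):
    # Returns the session id if the tag is valid, otherwise None.
    session_id, _, tag = cookie.rpartition(".")
    if not session_id:
        return None
    expected = hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()
    return session_id if hmac.compare_digest(expected.encode(), tag.encode()) else None

def requires_auth(mode, host, path, conditions=RULE_CONDITIONS):
    # Whitelist: listed host/path pairs skip authentication, everything else needs it.
    # Blacklist: listed pairs need authentication, everything else passes through.
    # Exact host and path matching is assumed here.
    matched = any(host == h and path == p for h, p in conditions)
    if mode == "whitelist":
        return not matched
    if mode == "blacklist":
        return matched
    raise ValueError("mode must be 'whitelist' or 'blacklist'")

def gateway_decision(mode, host, path, cookie=None):
    # "forward": the request may go on to the business server.
    # "redirect_login": authentication is required and no valid session cookie exists.
    if not requires_auth(mode, host, path):
        return "forward"
    if cookie is not None and verify_session(cookie) is not None:
        return "forward"
    return "redirect_login"
```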