AI Gateway supports global authentication and consumer authorization to ensure only authorized requests can access your services. Consumer authentication and authorization lets you control access to individual APIs at the consumer level.
Background information
Global authentication and authorization is designed for business-to-consumer (B2C) scenarios, such as unified logins. Consumer authentication is designed for business-to-business (B2B) scenarios, such as granting API access to partners.
|
Item |
Global authentication and authorization |
Consumer authorization |
|
Use cases |
B2C scenarios, such as unified login authentication. |
B2B scenarios, such as authorizing API access for partners. |
|
Key difference |
Enables both authentication and authorization at the same time. |
Requires separate authorization configuration after authentication is enabled. |
|
Configuration path |
. |
|
|
Authentication configuration (JWT example) |
|
|
|
Authorization configuration |
When creating the configuration, specify the lists of Domain Names and Paths for the blacklist or whitelist.
|
|
Important
When you enable authentication for a consumer, the policy takes effect immediately. If an API has been published but no consumer or authorization rules are configured for it, all requests to that API are denied by default.
Authentication methods
JWT authentication
JWT authentication flow
-
The client sends an authentication request to AI Gateway, typically containing the end user's username and password.
-
The gateway forwards the request directly to the backend service.
-
The backend service validates the credentials. If valid, it generates a standard token by using a private key and returns the token to the gateway.
-
The gateway returns the response containing the token to the client. The client must cache this token locally.
-
The client sends a business request to AI Gateway and includes the cached token.
-
The gateway validates the token in the request by using the configured public key. If the token is valid, the gateway passes the request to the backend service.
-
The backend service processes the request and sends a response.
-
The gateway forwards the business response to the client.
The following sections describe how to generate a token, send client requests, and validate tokens on the gateway.
Generate a token
The following Java example shows how to generate a token. You can use equivalent tools in other programming languages to generate a key pair.
-
Create a Maven project and add the following dependency:
<dependency> <groupId>org.bitbucket.b_c</groupId> <artifactId>jose4j</artifactId> <version>0.7.0</version> </dependency> -
Generate a token by using either a symmetric key or an asymmetric key. Choose the method that fits your requirements:
Symmetric key
Code example:
package org.example; import java.io.UnsupportedEncodingException; import java.security.PrivateKey; import org.jose4j.base64url.Base64; import org.jose4j.json.JsonUtil; import org.jose4j.jwk.OctJwkGenerator; import org.jose4j.jwk.OctetSequenceJsonWebKey; import org.jose4j.jws.AlgorithmIdentifiers; import org.jose4j.jws.JsonWebSignature; import org.jose4j.jwt.JwtClaims; import org.jose4j.jwt.NumericDate; import org.jose4j.keys.HmacKey; import org.jose4j.lang.JoseException; import sun.lwawt.macosx.CSystemTray; public class Main { public static void main(String[] args) throws JoseException, UnsupportedEncodingException { // Use the preceding example. String privateKeyJson = "{\n" + " \"k\": \"VoBG-oyqVoyCr9G56ozmq8n_rlDDyYMQOd_DO4GOkEY\",\n" + " \"kty\": \"oct\",\n" + " \"alg\": \"HS256\",\n" + "}"; JwtClaims claims = new JwtClaims(); claims.setGeneratedJwtId(); claims.setIssuedAtToNow(); // Set an expiration time that is less than 7 days. NumericDate date = NumericDate.now(); date.addSeconds(120*60); claims.setExpirationTime(date); claims.setNotBeforeMinutesInThePast(1); // Add custom claims. All values must be of the String type. // Set the consumer identifier. claims.setClaim("uid", "11215ac069234abcb8944232b79ae711"); JsonWebSignature jws = new JsonWebSignature(); // Set the encryption algorithm. jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.HMAC_SHA256); jws.setKey(new HmacKey(Base64.decode(JsonUtil.parseJson(privateKeyJson).get("k").toString()))); jws.setPayload(claims.toJson()); String jwtResult = jws.getCompactSerialization(); System.out.println("Generate Json Web token , result is \n " + jwtResult); } }The following list describes the key code settings:
-
privateKeyJson: The JWKS used when creating the consumer. You can record the JWKS during consumer creation, or retrieve it from the consumer's basic configuration page afterward. -
Set the consumer identifier:
claims.setClaim("uid", "11215ac069234abcb8944232b79ae711"). The console generates this identifier by default when the consumer is created, but you can modify it. You can also retrieve the consumer identifier from the consumer's basic configuration page afterward. -
Set the encryption algorithm:
jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.HMAC_SHA256). The encryption algorithm must match the one specified in the JWKS.NoteThe supported encryption algorithms are ES256, ES384, ES512, RS256, RS384, RS512, PS256, PS384, PS512, HS256, HS384, HS512, and EdDSA.
When using symmetric encryption, you must decode the "k" value.
jws.setKey(new HmacKey(Base64.decode(JsonUtil.parseJson(privateKeyJson).get("k").toString())));
-
Set an expiration time. The expiration time must be less than 7 days. For security, generate a new token after the current one expires.
... NumericDate date = NumericDate.now(); date.addSeconds(120*60); claims.setExpirationTime(date); claims.setNotBeforeMinutesInThePast(1); ... -
You can add custom claims to the PAYLOAD of the JWKS based on your business requirements.
Asymmetric key
Code example:
package org.example; import java.security.PrivateKey; import org.jose4j.json.JsonUtil; import org.jose4j.jwk.RsaJsonWebKey; import org.jose4j.jws.AlgorithmIdentifiers; import org.jose4j.jws.JsonWebSignature; import org.jose4j.jwt.JwtClaims; import org.jose4j.jwt.NumericDate; import org.jose4j.lang.JoseException; public class Main { public static void main(String[] args) throws JoseException { // Example of a private key in JWK format. String privateKeyJson = "{\n" + " \"kty\": \"RSA\",\n" + " \"n\": \"0vx7agoebGcQSuuPiLJXZptN9nndrQmbSEslsARk...\",\n" + " \"e\": \"AQAB\",\n" + " \"d\": \"X4cTteJY_gn4FYPsr85_N_dfjA29V...\"\n" + "}"; JwtClaims claims = new JwtClaims(); claims.setGeneratedJwtId(); claims.setIssuedAtToNow(); NumericDate date = NumericDate.now(); date.addSeconds(120*60); claims.setExpirationTime(date); claims.setNotBeforeMinutesInThePast(1); claims.setClaim("uid", "11215ac069234abcb8944232b79ae711"); JsonWebSignature jws = new JsonWebSignature(); jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256); PrivateKey privateKey = new RsaJsonWebKey(JsonUtil.parseJson(privateKeyJson)).getPrivateKey(); jws.setKey(privateKey); jws.setPayload(claims.toJson()); String jwtResult = jws.getCompactSerialization(); System.out.println("Generated JSON Web Token result: \n" + jwtResult); } }The following list describes the key code settings:
-
Set the consumer identifier and expiration time, similar to the symmetric key example. The
privateKeyJsonmust contain your asymmetric private key in JWK format.Set the encryption algorithm, such as
jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256). This encryption algorithm must match the one in the JWKS.For an asymmetric encryption algorithm, you must use its private key to sign the token.
... jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256); PrivateKey privateKey = new RsaJsonWebKey(JsonUtil.parseJson(privateKeyJson)).getPrivateKey(); jws.setKey(privateKey); ... -
You can add custom claims to the
PAYLOADof the JWKS based on your business requirements.
-
Client requests
AI Gateway supports passing the token in a request header. You can customize the header name and the token prefix. During validation, the key and prefix must match the consumer authentication configuration.
-
If the request does not contain a JWT, a 401 status code is returned.
curl http://xxx.hello.com/test -
If the request contains an invalid JWT, a 401 status code is returned.
curl http://xxx.hello.com/test -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjEyMyJ9.eyJpc3MiOiJhYmNkIiwic3ViIjoidGVzdCIsImlhdCI6MTY2NTY2MDUyNywiZXhwIjoxODY1NjczODE5fQ.-vBSV0bKeDwQcuS6eeSZN9dLTUnSnZVk8eVCXdooCQ1' -
If the request contains a valid JWT but the consumer identified by the token is not authorized to access the API, a 403 status code is returned.
# consumer1 is not authorized for the API at the specified path curl 'http://xxx.example.com/test' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjEyMyJ9.eyJpc3MiOiJhYmNkIiwic3ViIjoidGVzdCIsImlhdCI6MTY2NTY2MDUyNywiZXhwIjoxODY1NjczODE5fQ.-vBSV0bKeDwQcuS6eeSZN9dLTUnSnZVk8eVCXdooCQ4'
Server-side token validation
The server validates the token in the following steps:
-
When the server receives a request, it first checks for a token. If no token is found, the request is rejected and a 401 status code is returned.
-
If a token is present, the gateway uses the corresponding key from the configured JWKS to verify that the token is valid and has not expired. If the token is invalid or expired, the request is rejected and a 401 status code is returned.
-
If the token is valid, the server then checks whether the consumer identified by the token is authorized to access the requested API.
Common error codes
|
HTTP status code |
Error message |
Description |
|
401 |
JWT missing |
The JWT is missing from the request header. |
|
401 |
JWT expired |
The JWT has expired. |
|
401 |
JWT verification fails |
JWT payload validation failed. For example, the |
|
403 |
Access Denied |
The consumer is not authorized to access this API. |
API key authentication
-
If the consumer authentication and authorization policy is not enabled for the LLM API, it can be accessed directly.
-
If the consumer authentication and authorization policy is enabled for the LLM API but no authorization is configured, a 401 error is returned.
The debugging process is similar to making a live call. The following example uses an LLM API.
The API key can be sourced from three locations:
-
Default source: Sent in the
Authorizationheader with aBearerprefix. -
Custom header: Specify the header parameter name.
-
Custom query parameter: Specify the query parameter name.
Default credential source
When debugging an LLM API, set the API key in the HTTP request header on the debugging page. Follow these steps:
-
In the
Authorizationfield, useBeareras the prefix. -
Ensure there is a single space between
Bearerand the API key.
Custom header
You can define custom HTTP request headers to pass specific information beyond the standard headers.
Custom query parameters
You can pass extra information by adding custom query parameters to the request URL.
Related error codes
|
HTTP status code |
Error message |
Description |
|
401 |
Request denied by Key Auth check. Multiple API keys found in request. |
The request contains multiple API keys. |
|
401 |
Request denied by Key Auth check. No API key found in request. |
The request does not contain an API key. |
|
401 |
Request denied by Key Auth check. Invalid API key. |
The provided API key is invalid. |
|
403 |
Request denied by Key Auth check. Unauthorized consumer. |
The consumer that initiated the request is not authorized. |
Related documentation
For information about how to authorize and manage your APIs, see authorization management.