Function Description
OAuth2
plugin implements the capability of issuing OAuth2 Access Tokens based on JWT (JSON Web Tokens), complying with the RFC9068 specification.
Runtime Properties
Plugin execution phase: Authentication Phase
Plugin execution priority: 350
Configuration Fields
Authentication Configuration
Name | Data Type | Requirement | Default Value | Description |
---|---|---|---|---|
consumers | array of object | Required | - | Configures the callers of the service for request authentication |
issuer | string | Optional | Higress-Gateway | Used to fill the issuer in the JWT |
auth_path | string | Optional | /oauth2/token | Specifies the path suffix for issuing Tokens. When configured at the routing level, ensure it matches the corresponding route first. When using API management, create an interface with the same path. |
global_credentials | bool | Optional | true | Allows any route to issue credentials for access under the condition of authentication through the consumer. |
auth_header_name | string | Optional | Authorization | Specifies which request header to retrieve the JWT from |
token_ttl | number | Optional | 7200 | The time duration in seconds for which the token is valid after issuance. |
clock_skew_seconds | number | Optional | 60 | Allowed clock skew when verifying the exp and iat fields of the JWT, in seconds. |
keep_token | bool | Optional | true | Indicates whether to keep the JWT when forwarding to the backend. |
global_auth | array of string | Optional (Instance-level configuration only) | - | Can only be configured at the instance level. If set to true, the global authentication mechanism takes effect; if false, the authentication mechanism only takes effect for configured domains and routes; if not configured, global effect occurs only when there are no domain and route configurations (compatible with legacy user habits). |
The configuration fields for each item in consumers
are as follows:
Name | Data Type | Requirement | Default Value | Description |
---|---|---|---|---|
name | string | Required | - | Configures the name of the consumer. |
client_id | string | Required | - | OAuth2 client id |
client_secret | string | Required | - | OAuth2 client secret |
Note:
- For routes with this configuration enabled, if the path suffix matches
auth_path
, the route will not forward to the original target service but will be used to generate a Token. - If
global_credentials
is disabled, please ensure that the routes enabling this plugin do not precisely match routes. If there is another prefix-matching route, it may lead to unexpected behavior. - For requests authenticated and authorized, the request header will have an
X-Mse-Consumer
field added to identify the caller’s name.
Authorization Configuration (Optional)
Name | Data Type | Requirement | Default Value | Description |
---|---|---|---|---|
allow | array of string | Optional (Non-instance-level configuration) | - | Can only be configured on fine-grained rules such as routes or domains, allowing specified consumers to access requests that meet the matching conditions for fine-grained permission control. |
Note:
- Authentication and authorization configurations cannot coexist in one rule.
Configuration Example
Route Granularity Configuration Authentication
For the two routes route-a
and route-b
, do the following plugin configuration:
At this time, although using the same configuration, the credentials issued under route-a
cannot be used to access route-b
, and vice versa.
If you want the same configuration to share credential access permissions, you can configure as follows:
Global Configuration Authentication, Route Granularity Authorization
The following configuration will enable Jwt Auth for specific routes or domains on the gateway. Note that if a JWT matches multiple jwks
, it will hit the first matching consumer
in the order of configuration.
At the instance level, do the following plugin configuration:
For the routes route-a
and route-b
, do the following plugin configuration:
For the domains *.example.com
and test.com
, do the following plugin configuration:
In this example, route names route-a
and route-b
refer to the route names filled in when creating the gateway route. When these two routes are matched, it will allow access for the caller with name
as consumer1
, and other callers will not be allowed to access.
In this example, the domains *.example.com
and test.com
are used to match request domains. When a matching domain is found, it will allow access for the caller with name
as consumer2
, while other callers will not be allowed to access.
Enable at Gateway Instance Level
The following configuration will enable OAuth2 authentication at the gateway instance level, requiring all requests to be authenticated before access.
Request Example
Using Client Credential Authorization Mode
Get AccessToken
AccessToken Request
Common Error Code Description
HTTP Status Code | Error Message | Explanation |
---|---|---|
401 | Invalid Jwt token | JWT not provided in request header, or JWT format is incorrect, or expired, etc. |
403 | Access Denied | No permission to access the current route. |