Kong网关身份认证

认证的步骤：

1. 启用认证插件。
2. 创建用户。
3. 给用户分配认证信息（扩展：账号密码 等）。
4. 请求时，带上认证信息。

key-auth:

创建用户：

[root@localhost etc]# curl -i -X POST http://localhost:8001/consumers --data username=user1
HTTP/1.1 201 Created
Date: Fri, 02 Dec 2022 08:18:01 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Access-Control-Allow-Origin: *
Content-Length: 117
X-Kong-Admin-Latency: 24
Server: kong/3.0.1
 
{"custom_id":null,"tags":null,"id":"e04b610e-4bde-4eaf-88d7-ae8a874e668e","created_at":1669969081,"username":"user1"}[root@localhost etc]#

给user1 设置需要校验的key值。
  193  curl -i -X POST http://localhost:8001/consumers/user1/key-auth --data key=top-secret-key
 
校验key值的参数：apikey。（启用插件）
  194  curl -i -X POST http://localhost:8001/plugins --data name=key-auth --data "config.key_names=apikey"
 
不带key
  195  curl -i http://localhost:8000/tomcat82
带错误的key
  196  curl -i http://localhost:8000/tomcat82 -H "apikey:asdasd"
带正确的key
  197  curl -i http://localhost:8000/tomcat82 -H "apikey:top-secret-key"

basic-auth:

创建用户：

curl -i -X POST http://localhost:8001/consumers --data username=user2

启用basic-auth的插件：注意不能直接全局开启，需要在services上或者 routes上开启。

curl -i -X POST http://localhost:8001/services/myTomcat/plugins --data name=basic-auth --data "config.hide_credentials=true"

给用户创建凭证

curl -X POST http://localhost:8001/consumers/user2/basic-auth --data "username=user2" --data "password=123456"

请求的时候，带上 凭证，前提需要做base64的转换。

"user2:123456" 转换成 base64：dXNlcjI6MTIzNDU2

不带凭证：
[root@localhost etc]# curl http://localhost:8000/tomcat82
{
  "message":"Unauthorized"
}[root@localhost etc]#

正确的凭证：
curl http://localhost:8000/tomcat82 --header "Authorization: Basic dXNlcjI6MTIzNDU2"
tomcat-8082,82,82
错误的凭证:
[root@localhost etc]# curl http://localhost:8000/tomcat82 --header "Authorization: Basic dXNlcjI6MTIzNDU21"
{
  "message":"Invalid authentication credentials"
}[root@localhost etc]#

jwt：

删除插件：（注意：最后是 插件的ID，不是名称）

[root@localhost etc]# curl -X DELETE http://localhost:8001/services/myTomcat/plugins/2fe25deb-22a8-484a-aa1a-22bbd778e339
[root@localhost etc]#

删除用户：

[root@localhost etc]# curl -X DELETE http://localhost:8001/consumers/userJwt

• 启用认证插件。

  [root@localhost etc]# curl -X POST http://localhost:8001/services/myTomcat/plugins --data name=jwt
  {"id":"d4c3714a-114b-4f5e-b8ac-ebcd5c44f531","created_at":1670138890,"service":{"id":"02c6b845-a25b-46d9-9fd0-704feeab3a63"},"route":null,"consumer":null,"tags":null,"enabled":true,"protocols":["grpc","grpcs","http","https"],"name":"jwt","config":{"cookie_names":[],"header_names":["authorization"],"key_claim_name":"iss","claims_to_verify":null,"maximum_expiration":0,"run_on_preflight":true,"anonymous":null,"uri_param_names":["jwt"],"secret_is_base64":false}}[root@localhost etc]#
  

• 创建用户。

  [root@localhost etc]# curl -X POST http://localhost:8001/consumers --data username=useJwt
  {"custom_id":null,"tags":null,"id":"6d52c09c-185b-432f-bc61-f8acd7cb2d98","created_at":1670138991,"username":"useJwt"}[root@localhost etc]# 
  [root@localhost etc]#
  

• 给用户分配认证信息（扩展：账号密码 等）。

  [root@localhost etc]# curl -X POST http://localhost:8001/consumers/useJwt/jwt
  {"id":"7026a984-454e-4f19-a9d3-25ecd2616168","algorithm":"HS256","consumer":{"id":"6d52c09c-185b-432f-bc61-f8acd7cb2d98"},"tags":null,"secret":"82shAj6BMPHoIcHgUbzQnc0tp6dp9bQh","created_at":1670139121,"rsa_public_key":null,"key":"BvWi05tgEijty9ItznMZ696XitLvgG4U"}[root@localhost etc]#
  

• 请求时，带上认证信息。

  生成认证信息：网址：https://jwt.io/#debugger-io

生成的token：

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJCdldpMDV0Z0VpanR5OUl0em5NWjY5NlhpdEx2Z0c0VSJ9.le5-_RtQq95RigII1nUf-fbL9wsCyxSc1R8FqV21Ju4

请求：

[root@localhost etc]# curl -X GET http://localhost:8000/tomcat82 -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJCdldpMDV0Z0VpanR5OUl0em5NWjY5NlhpdEx2Z0c0VSJ9.le5-_RtQq95RigII1nUf-fbL9wsCyxSc1R8FqV21Ju4'
tomcat-8082,82,82
[root@localhost etc]#

jwt组成：

HEADER：base64(json ). base64(payload). 下面的代码块。

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  
82shAj6BMPHoIcHgUbzQnc0tp6dp9bQh
 
)