API Management authentication policies

This topic provides a reference for the following API Management policies. For information on adding and configuring policies, see Policies in API Management.

Authentication policies

Authenticate with Basic

Use the authentication-basic policy to authenticate with a backend service using Basic authentication. This policy effectively sets the HTTP Authorization header to the value corresponding to the credentials provided in the policy.

Policy statement

<authentication-basic username="username" password="password" />  

Example

<authentication-basic username="testuser" password="testpassword" />  

Elements

Name | Description | Required
authentication-basic | Root element. | Yes

Attributes

Name | Description | Required | Default
username | Specifies the username of the Basic credential. | Yes | N/A
password | Specifies the password of the Basic credential. | Yes | N/A

Usage

This policy can be used in the following policy sections and scopes.

  • Policy sections: inbound

  • Policy scopes: API

Authenticate with client certificate

Use the authentication-certificate policy to authenticate with a backend service using a client certificate. The certificate needs to be installed into API Management first and is identified by its thumbprint.

Policy statement

<authentication-certificate thumbprint="thumbprint" certificate-id="resource name"/>  

Examples

In this example, the client certificate is identified by its thumbprint.

<authentication-certificate thumbprint="CA06F56B258B7A0D4F2B05470939478651151984" />  

In this example, the client certificate is identified by resource name.

<authentication-certificate certificate-id="544fe9ddf3b8f30fb490d90f" />  

Elements

Name | Description | Required
authentication-certificate | Root element. | Yes

Attributes

Name | Description | Required | Default
thumbprint | The thumbprint for the client certificate. | Either thumbprint or certificate-id must be present. | N/A
certificate-id | The certificate resource name. | Either thumbprint or certificate-id must be present. | N/A

Usage

This policy can be used in the following policy sections and scopes.

  • Policy sections: inbound

  • Policy scopes: API

Authenticate with managed identity

Use the authentication-managed-identity policy to authenticate with a backend service using the managed identity of the API Management service. This policy effectively uses the managed identity to obtain an access token from Azure Active Directory for accessing the specified resource.

Policy statement

<authentication-managed-identity resource="resource" output-token-variable-name="token-variable" ignore-error="true|false"/>  

Example

<authentication-managed-identity resource="https://graph.chinacloudapi.cn" output-token-variable-name="test-access-token" ignore-error="true" /> 

Elements

Name | Description | Required
authentication-managed-identity | Root element. | Yes

Attributes

Name | Description | Required | Default
resource | String. The App ID URI of the target web API (secured resource) in Azure Active Directory. | Yes | N/A
output-token-variable-name | String. Name of the context variable that will receive the token value as an object of type string. | No | N/A
ignore-error | Boolean. If set to true, the policy pipeline will continue to execute even if an access token is not obtained. | No | false

Usage

This policy can be used in the following policy sections and scopes.

  • Policy sections: inbound

  • Policy scopes: global, product, API, operation
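
The attribute rules above for the three policies can be checked before a policy is deployed. The following Python lint is an added example, not part of the original reference or of API Management itself; `lint_policy` and the sample fragment are hypothetical. It assumes secrets are supplied through named values (`{{name}}`) or policy expressions (`@(...)`) rather than literals, and that thumbprints are 40 hex characters as in the example above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample policy fragment (not taken from a real service).
SAMPLE_POLICY = """
<inbound>
    <authentication-basic username="testuser" password="testpassword" />
    <authentication-basic username="svc" password="{{backend-password}}" />
    <authentication-certificate />
    <authentication-certificate thumbprint="CA06F56B258B7A0D4F2B05470939478651151984" />
    <authentication-managed-identity resource="https://graph.chinacloudapi.cn" ignore-error="true" />
</inbound>
"""

# {{name}} is a named-value reference, @(...) a policy expression: not literals.
INDIRECT = re.compile(r"^\s*(\{\{.+\}\}|@\(.+\))\s*$", re.S)
# Assumption: SHA-1 thumbprint, 40 hex characters, as in the page's example.
SHA1_HEX = re.compile(r"^[0-9A-Fa-f]{40}$")


def lint_policy(xml_text):
    """Return (element, finding) tuples for the three authentication policies."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        a = el.attrib
        if el.tag == "authentication-basic":
            for name in ("username", "password"):
                if name not in a:
                    findings.append((el.tag, f"missing required {name}"))
            if "password" in a and not INDIRECT.match(a["password"]):
                findings.append((el.tag, "literal password in policy XML"))
        elif el.tag == "authentication-certificate":
            if "thumbprint" not in a and "certificate-id" not in a:
                findings.append((el.tag, "needs thumbprint or certificate-id"))
            if "thumbprint" in a and not SHA1_HEX.match(a["thumbprint"]):
                findings.append((el.tag, "thumbprint is not 40 hex characters"))
        elif el.tag == "authentication-managed-identity":
            if "resource" not in a:
                findings.append((el.tag, "missing required resource"))
            if a.get("ignore-error", "false").lower() == "true":
                findings.append((el.tag, "ignore-error=true: request continues without a token"))
    return findings


if __name__ == "__main__":
    for tag, msg in lint_policy(SAMPLE_POLICY):
        print(f"{tag}: {msg}")
```

On the constructed sample this reports the literal Basic password, the certificate policy with neither identifier, and the managed identity policy that would let the request proceed without a token.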

Next steps

For more information on working with policies, see: