# idaas-gateway

Part of **IDAAS**

# IDaaS Gateway Integration Console Guide

## Operations Overview

| Operation | Console Entry | Prerequisites | Description |
|----------|---------------|---------------|-------------|
| Configure OIDC Authentication for MSE Gateway | IDaaS Console > Applications > Add Application > Marketplace > Alibaba Cloud - MSE | - Active IDaaS instance<br>- Access to IDaaS console<br>- VPC with outbound internet access via NAT gateway<br>- Public domain name or local hosts file mapping for MSE gateway | Set up OIDC-based authentication between IDaaS and MSE cloud-native gateway to secure microservices APIs |

## Operation Steps

### Configure OIDC Authentication for MSE Gateway

**Navigation**: IDaaS Console > Applications > Add Application > Marketplace > Alibaba Cloud - MSE

**Prerequisites**:
- An active IDaaS instance
- Access to the IDaaS console
- A VPC with outbound internet access via NAT gateway
- A public domain name or local hosts file mapping for the MSE gateway

1. Log on to the **IDaaS console**
   - Element: **IDaaS console** (link) — top navigation bar

2. Select an IDaaS instance and click **Open Console**
   - Element: **Open Console** (button) — instance list table action column

3. Navigate to **Applications > Add Application > Marketplace**, search for **Alibaba Cloud - MSE**, and click **Add Application**
   - Element: **Alibaba Cloud - MSE** (link) — marketplace search results

4. Confirm the application name and click **Save** to proceed to Single Sign-on configuration
   - Element: **Save** (button) — bottom of the form

5. Switch to the **General tab** to view and copy the **Issuer**, **client_id**, and **client_secret**
   - Element: **General tab** (tab) — application management page
   - Notes: These values are required for MSE gateway configuration

6. Log on to the **MSE console** and navigate to **Cloud-native Gateway**
   - Element: **Cloud-native Gateway** (menu) — left-side navigation pane

7. Click the **gateway name** to open its management page
   - Element: **gateway name** (link) — gateway list

8. Go to **Security > Authentication** and click **Create Authentication**
   - Element: **Create Authentication** (button) — Security section

9. In the authentication form, set **Authentication Type** to **OIDC**
   - Element: **Authentication Type** (dropdown) — form fields
   - Notes: Ensure **Scope** is set to `openid`

10. Fill in the **Issuer**, **Client-ID**, and **Client-Secret** fields using the values copied from IDaaS
    - Element: **Issuer** (text_input), **Client-ID** (text_input), **Client-Secret** (text_input) — form fields

11. Enter a valid **Redirect URL** (e.g., `http://a.example.com/oauth2/callback`) and matching **Cookie-Domain**
    - Element: **Redirect URL** (text_input), **Cookie-Domain** (text_input) — form fields
    - Notes: The Redirect URL must use a domain name, not an IP address. If using a local hosts file, ensure the domain is mapped correctly.

12. In the **Authorization** section, select **Blacklist Mode** and click **Add Rule Condition** to add `/mock` as a protected path
    - Element: **Add Rule Condition** (button) — Authorization section
    - Notes: In Blacklist Mode, only specified paths require authentication

13. Click **Enable** to activate the authentication rule
    - Element: **Enable** (button) — authentication rule panel

14. Navigate to **Route Configuration** in the left-side menu
    - Element: **Route Configuration** (menu) — left-side navigation pane

15. Locate the auto-generated **oauth2-proxy** route (status: Unpublished), click **Edit**, then click **Save and Publish**
    - Element: **Save and Publish** (button) — route edit form
    - Notes: Publishing this route is required for the OIDC flow to function

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Authentication Name | text_input | Yes | — | Enter a custom name for the authentication rule. |
| Authentication Type | dropdown | Yes | OIDC, IDaaS | Select **OIDC** for current IDaaS versions. **IDaaS** is for legacy versions. |
| Issuer | text_input | Yes | — | Copied from the IDaaS application management page. |
| Redirect URL | text_input | Yes | — | Must be a domain-based callback URL (e.g., `http://a.example.com/oauth2/callback`). Must match MSE settings. |
| Client-ID | text_input | Yes | — | Copied from the IDaaS application management page. |
| Client-Secret | text_input | Yes | — | Copied from the IDaaS application management page. |
| Cookie-Domain | text_input | Yes | — | Domain used for session cookies; should match the domain in Redirect URL. |
| Scope | text_input | Yes | — | Set to `openid` to enable basic OpenID Connect functionality. |
| Authorization | radio | Yes | Blacklist Mode, Whitelist Mode | **Blacklist Mode**: only listed paths require auth. **Whitelist Mode**: all paths require auth except listed ones. |
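As an added illustration (not code from Alibaba Cloud IDaaS or MSE), the following Python helper applies the form rules above before the Create Authentication form is submitted: it rejects an IP-based Redirect URL, checks that Cookie-Domain covers the Redirect URL host, requires the `openid` scope, and models the Blacklist/Whitelist path decision. The dictionary keys and prefix-based rule matching are assumptions for the example.

```python
# Added example, not Alibaba Cloud IDaaS/MSE code: checks an MSE "Create
# Authentication" form against this guide's rules and models its Authorization
# modes. Field names and prefix-based path matching are assumptions.
import ipaddress
from urllib.parse import urlparse

FIELDS = ("issuer", "client_id", "client_secret", "redirect_url", "cookie_domain", "scope")


def validate_oidc_form(form: dict) -> list:
    """Return the problems found in the form; an empty list means it is valid."""
    problems = [f"{key} is required" for key in FIELDS if not form.get(key)]
    if problems:
        return problems
    host = urlparse(form["redirect_url"]).hostname or ""
    if not host:
        return ["redirect_url has no host"]
    # The guide requires a domain name in the Redirect URL, never an IP address.
    try:
        ipaddress.ip_address(host)
        problems.append("redirect_url must use a domain name, not an IP address")
    except ValueError:
        pass
    # Cookie-Domain must equal the Redirect URL host or be a parent domain of it;
    # otherwise the browser rejects the session cookie set after the callback.
    cookie = form["cookie_domain"].lstrip(".").lower()
    if not (host == cookie or host.endswith("." + cookie)):
        problems.append("cookie_domain does not match the redirect_url host")
    # OpenID Connect needs the openid scope; the guide sets Scope to exactly that.
    if "openid" not in form["scope"].split():
        problems.append("scope must include openid")
    return problems


def requires_auth(path: str, mode: str, rules: list) -> bool:
    """Decide whether a request path needs authentication under the chosen mode.

    Blacklist Mode: only listed paths require auth (e.g. /mock in this guide).
    Whitelist Mode: every path requires auth except the listed ones.
    """
    matched = any(path == r or path.startswith(r.rstrip("/") + "/") for r in rules)
    if mode == "Blacklist Mode":
        return matched
    if mode == "Whitelist Mode":
        return not matched
    raise ValueError(f"unknown authorization mode: {mode}")
```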

## FAQ

Q: Where do I find the Issuer, Client-ID, and Client-Secret for the MSE gateway?
A: These values are displayed on the **General tab** of your IDaaS application management page after creating the "Alibaba Cloud - MSE" application.

Q: Can I use an IP address for the Redirect URL?
A: No. The Redirect URL must be a domain name (e.g., `http://a.example.com/oauth2/callback`). If testing locally, configure a domain mapping in your `hosts` file.

Q: Why is the oauth2-proxy route in "Unpublished" state after creating authentication?
A: The MSE gateway auto-generates this route but does not publish it automatically. You must manually **Edit** and **Save and Publish** it for the OIDC flow to work.

Q: What happens if I leave the Authorization mode as Whitelist instead of Blacklist?
A: In Whitelist Mode, all paths require authentication by default, and you must explicitly exclude paths. Blacklist Mode (recommended here) only protects paths you specify (e.g., `/mock`).

Q: Do I need special permissions to configure gateway authentication?
A: You need administrative access to both the IDaaS console (to create applications) and the MSE console (to modify gateway security and routes).

## Pricing & Billing

### Billing Model
Free

### Free Tier
No explicit free tier mentioned. Usage is tied to IDaaS and MSE service pricing.

### Billing Notes
Authentication is part of IDaaS and MSE services. Actual costs depend on the underlying IDaaS and MSE usage (e.g., number of users, API calls, gateway traffic).