Advanced Chapter I - STS Temporary Authentication
bce-bos-uploader supports temporary authorization via STS (Security Token Service). The application server generates a temporary AK/SK pair that carries specific operation permissions and a limited validity period; because they are short-lived and narrowly scoped, these temporary credentials can be exposed to the browser for direct use. The browser only needs to pass the AK, SK and SessionToken returned by the server to the corresponding bos_ak, bos_sk and uptoken parameters of bce-bos-uploader. The following figure briefly introduces the whole business interaction process. For an introduction to STS, see [Temporary Authorization Access](BOS/API Reference/Access control.md#Temporary authorized access).
The code implementation is divided into two parts: the application server side and the client side. The implementation process is as follows:
- Set up the application server. In the Node.js implementation below, the server calls STS and returns the AK/SK/SessionToken to the browser.
- Configure the browser and initialize the bce-bos-uploader parameters with the AK/SK/SessionToken provided by the server.
Node.js implementation of the application server side
```javascript
var http = require('http');
var url = require('url');
var util = require('util');

var STS = require('@baiducloud/sdk').STS;

// The long-lived AK/SK stay on the server; only temporary credentials leave it.
var kCredentials = {
    ak: 'Your AK',
    sk: 'Your SK'
};

function buildStsResponse() {
    var stsClient = new STS({
        credentials: kCredentials,
        region: 'bj'
    });
    // First argument: validity period in seconds; second: the permission scope.
    return stsClient.getSessionToken(60 * 60 * 24, {
        accessControlList: [{
            service: 'bce:bos',
            resource: ['bce-javascript-sdk-demo-test'],
            region: '*',
            effect: 'Allow',
            permission: ['READ', 'WRITE']
        }]
    }).then(function (response) {
        var body = response.body;
        return {
            AccessKeyId: body.accessKeyId,
            SecretAccessKey: body.secretAccessKey,
            SessionToken: body.sessionToken,
            Expiration: body.expiration
        };
    });
}

http.createServer(function (req, res) {
    console.log(req.url);

    var query = url.parse(req.url, true).query;

    // Only the ?sts request is served; anything else gets a 404 instead of
    // dereferencing a null promise.
    if (!query.sts) {
        res.writeHead(404);
        res.end();
        return;
    }

    buildStsResponse().then(function (payload) {
        res.writeHead(200, {
            'Content-Type': 'text/javascript; charset=utf-8',
            'Access-Control-Allow-Origin': '*'
        });

        if (query.callback) {
            res.end(util.format('%s(%s)', query.callback, JSON.stringify(payload)));
        }
        else {
            res.end(JSON.stringify(payload));
        }
    }, function (err) {
        // Surface STS failures instead of leaving the request hanging.
        res.writeHead(500);
        res.end(String(err));
    });
}).listen(1337);
console.log('Server running at http://0.0.0.0:1337/');
```
On the server side, create a stsClient instance in the same way as a bosClient instance. The stsClient instance has essentially one method, getSessionToken, which takes two parameters: the first is the validity period of the temporary authorization in seconds; the second is the specific permission control, see [STS Service Interface](BOS/API Reference/Access control.md#STS service APIs).
This method connects asynchronously to the STS authorization server and returns a promise. The STS authorization server responds with data similar to the following:
```javascript
{
  body: {
    "accessKeyId": "d87a16e5ce1d47c1917b38ed03fbb329",
    "secretAccessKey": "e9b6f59ce06c45cdaaea2296111dab46",
    "sessionToken": "MjUzZjQzNTY4OTE0NDRkNjg3N2E4YzJhZTc4YmU5ZDh8AAAAABwCAAB/HfHDVV2bu5xUf6rApt2YdSLG6+21UTC62EHvIuiaamtuMQQKNkR9PU2NJGVbuWgBn8Ot0atk0HnWYQGgwgyew24HtbrX3GFiR/cDymCowm0TI6OGq7k8pGuBiCczT8qZcarH7VdZBd1lkpYaXbtP7wQJqiochDXrswrCd+J/I2CeSQT6mJiMmvupUV06R89dWBL/Vcu7JQpdYBk0d5cp2B+gdaHddBobevlBmKQw50/oOykJIuho4Wn7FgOGPMPdod0Pf0s7lW/HgSnPOjZCgRl0pihs197rP3GWpnlJRyfdCY0g0GFG6T0/FsqDbxbi8lWzF1QRTmJzzh2Tax8xoPFKGMbpntp//vGP7oPYK1JoES34TjcdcZnLzIRnVIGaZAzmZMUhPEXE5RVX1w8jPEXMJJHSrFs3lJe13o9Dwg==",
    "createTime": "2016-02-16T14:01:29Z",
    "expiration": "2016-02-16T15:41:29Z",
    "userId": "5e433c4a8fe74765a7ec6fc147e25c80"
  }
}
```
The server must deliver the accessKeyId, secretAccessKey, and sessionToken fields to the browser.
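The helpers below are an added example, not code from the bce-bos-uploader documentation or the @baiducloud/sdk: they show how a token-issuing server can build the getSessionToken permission argument for a single bucket, cap the validity period, forward only the fields the browser needs after checking that the STS expiration is still in the future, and echo an allow-listed origin instead of a wildcard CORS header. The function names, the one-hour cap and the bucket-name pattern are assumptions for illustration.

```javascript
// Added example: scoping and vetting STS credentials before they reach the browser.
const MAX_TTL_SECONDS = 60 * 60; // assumed policy: never issue tokens valid longer than 1h

// Build the second argument of stsClient.getSessionToken(): one ACL entry limited
// to a single bucket and only the permissions the upload page actually needs.
function buildAccessControlList(bucket, permissions) {
  // Assumed syntactic check on the bucket name to avoid passing user input through unchecked.
  if (typeof bucket !== 'string' || !/^[a-z0-9-]+$/.test(bucket)) {
    throw new Error('invalid bucket name');
  }
  return {
    accessControlList: [{
      service: 'bce:bos',
      resource: [bucket],
      region: '*',
      effect: 'Allow',
      permission: permissions.slice()
    }]
  };
}

// Clamp a requested validity period (seconds) to the policy maximum.
function clampTtl(requested) {
  const n = parseInt(requested, 10);
  if (!(n > 0)) return MAX_TTL_SECONDS;
  return Math.min(n, MAX_TTL_SECONDS);
}

// Reduce the STS response body to what the browser needs, refusing credentials
// whose expiration is missing, unparseable or already in the past.
function toBrowserPayload(body, nowMs) {
  const exp = Date.parse(body.expiration);
  if (Number.isNaN(exp) || exp <= nowMs) {
    throw new Error('STS credentials missing or expired');
  }
  return {
    AccessKeyId: body.accessKeyId,
    SecretAccessKey: body.secretAccessKey,
    SessionToken: body.sessionToken,
    Expiration: body.expiration
  };
}

// Return the request origin only if it is on the allow list; callers set
// Access-Control-Allow-Origin to this value instead of '*'.
function pickCorsOrigin(requestOrigin, allowedOrigins) {
  return allowedOrigins.indexOf(requestOrigin) !== -1 ? requestOrigin : null;
}
```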
Configure the browser-side bce-bos-uploader parameters
With the STS temporary authorization mechanism, the browser only needs to set the accessKeyId, secretAccessKey and sessionToken returned above as the bos_ak, bos_sk and uptoken parameters when initializing the uploader.
```html
<!doctype html>
<html>
  <head>
    <meta charset="utf-8" />
    <title>bce-bos-uploader simple demo</title>
    <!--[if lt IE 8]><script src="http://websdk.cdn.bcebos.com/bos/json3/lib/json3.min.js"></script><![endif]-->
    <!--[if lt IE 9]><script src="http://websdk.cdn.bcebos.com/bos/js-polyfills/es5.js"></script><![endif]-->
    <!--[if lt IE 10]><script src="http://websdk.cdn.bcebos.com/bos/moxie/bin/js/moxie.js"></script><![endif]-->
    <!-- BOS does not provide jquery.min.js; developers can import an online or local copy themselves -->
    <script src="./node_modules/jquery/dist/jquery.min.js"></script>
    <!-- Import bce-bos-uploader.bundle.js; importing the local copy installed via npm is recommended -->
    <script src="./node_modules/@baiducloud/bos-uploader/dist/bce-bos-uploader.bundle.js"></script>
  </head>
  <body>

    <input type="file" id="file" >
    <script>
      // bos_ak, bos_sk and uptoken are the temporary values fetched from the server.
      var uploader = new baidubce.bos.Uploader({
        browse_button: '#file',
        bos_bucket: '<your bucket>',
        bos_endpoint: 'http://bj.bcebos.com',
        bos_ak: '<your ak>',
        bos_sk: '<your sk>',
        uptoken: '<your sessionToken>'
      });
    </script>
  </body>
</html>
```
