Skip to content
2023 API Summit Hackathon: Experiment with AI for APIs (August 28 - September 27) Learn More →
Kong Logo | Kong Docs Logo
search
  • We're Hiring!
  • Docs
    • Kong Gateway
      Lightweight, fast, and flexible cloud-native API gateway
      Kong Konnect
      Single platform for SaaS end-to-end connectivity
      Kong Mesh
      Enterprise service mesh based on Kuma and Envoy
      decK
      Helps manage Kong’s configuration in a declarative fashion
      Kong Ingress Controller
      Works inside a Kubernetes cluster and configures Kong to proxy traffic
      Insomnia
      Collaborative API development platform
      Kuma
      Open-source distributed control plane with a bundled Envoy Proxy integration
      Docs Contribution Guidelines
      Want to help out, or found an issue in the docs and want to let us know?
  • API Specs
  • Plugin Hub
    • Explore the Plugin Hub
      View all plugins View all plugins View all plugins arrow image
    • Functionality View all View all arrow image
      View all plugins
      Authentication's icon
      Authentication
      Protect your services with an authentication layer
      Security's icon
      Security
      Protect your services with additional security layer
      Traffic Control's icon
      Traffic Control
      Manage, throttle and restrict inbound and outbound API traffic
      Serverless's icon
      Serverless
      Invoke serverless functions in combination with other plugins
      Analytics & Monitoring's icon
      Analytics & Monitoring
      Visualize, inspect and monitor APIs and microservices traffic
      Transformations's icon
      Transformations
      Transform request and responses on the fly on Kong
      Logging's icon
      Logging
      Log request and response data using the best transport for your infrastructure
  • Support
  • Community
  • Kong Academy
Get a Demo Start Free Trial
Kong Ingress Controller
2.7.x
  • Home icon
  • Kong Ingress Controller
  • Guides
  • Allowing Multiple Authentication Methods
github-edit-pageEdit this page
report-issueReport an issue
  • Kong Gateway
  • Kong Konnect
  • Kong Mesh
  • Plugin Hub
  • decK
  • Kong Ingress Controller
  • Insomnia
  • Kuma

  • Docs contribution guidelines
  • 2.11.x (latest)
  • 2.10.x
  • 2.9.x
  • 2.8.x
  • 2.7.x
  • 2.6.x
  • 2.5.x
  • 2.4.x
  • 2.3.x
  • 2.2.x
  • 2.1.x
  • 2.0.x
  • 1.3.x
  • 1.2.x
  • 1.1.x
  • 1.0.x
enterprise-switcher-icon Switch to OSS
On this pageOn this page
  • Prerequisites
    • Install Kong
    • Test connectivity to Kong
  • Create a Kubernetes service
  • Expose the Kubernetes service using Ingress
  • Create Consumers and secrets
  • Secure the Ingress
  • Anonymous Consumers
  • Test the configuration
You are browsing documentation for an outdated version. See the latest documentation here.

Allowing Multiple Authentication Methods

Learn to configure multiple authentication options for consumers using the Kong Ingress Controller. The default behavior for Kong authentication plugins is to require credentials for all requests even if a request has been authenticated through another plugin. Configure an anonymous consumer on your authentication plugins to set clients authentication options.

Before you begin ensure that you have Installed Kong Ingress Controller in your Kubernetes cluster and are able to connect to Kong.

Prerequisites

Install Kong

You can install Kong in your Kubernetes cluster using Helm.

  1. Add the Kong Helm charts:

     helm repo add kong https://charts.konghq.com
     helm repo update
    
  2. Install Kong Ingress Controller and Kong Gateway with Helm:

     helm install kong kong/ingress -n kong --create-namespace
    

Test connectivity to Kong

Kubernetes exposes the proxy through a Kubernetes service. Run the following commands to store the load balancer IP address in a variable named PROXY_IP:

  1. Populate $PROXY_IP for future commands:

     export PROXY_IP=$(kubectl get -o jsonpath="{.status.loadBalancer.ingress[0].ip}" service -n kong kong-gateway-proxy)
        
     echo "Proxy IP: $PROXY_IP"
    
  2. Ensure that you can call the proxy IP:

     curl -i $PROXY_IP
    

    The results should look like this:

     HTTP/1.1 404 Not Found
     Content-Type: application/json; charset=utf-8
     Connection: keep-alive
     Content-Length: 48
     X-Kong-Response-Latency: 0
     Server: kong/3.0.0
      
     {"message":"no Route matched with those values"}
    

    If you are not able to connect to Kong, read the deployment guide.

Create a Kubernetes service

Create a Kubernetes service setup an httpbin service in the cluster and proxy it.

$ kubectl apply -f https://raw.githubusercontent.com/Kong/kubernetes-ingress-controller/v2.11.0/deploy/manifests/httpbin.yaml

The results should look like this:

service/httpbin created
deployment.apps/httpbin created

Expose the Kubernetes service using Ingress

  1. Expose the service outside the Kubernetes cluster by defining Ingress rules.

     echo '
     apiVersion: networking.k8s.io/v1
     kind: Ingress
     metadata:
       name: demo
       annotations:
         konghq.com/strip-path: "true"
     spec:
       ingressClassName: kong
       rules:
       - http:
           paths:
           - path: /test
             pathType: Prefix
             backend:
               service:
                 name: httpbin
                 port:
                   number: 80
     ' | kubectl apply -f -
    

    The results should look like this:

     ingress.networking.k8s.io/demo created
    

    We can now call $PROXY_IP/test/request/200 to reach our deployed service.

Create Consumers and secrets

Create two consumers that use different authentication methods:

  • consumer-1 uses basic-auth
  • consumer-2 uses key-auth
  1. Create a secret to add basic-auth credential for consumer-1.

     kubectl create secret generic consumer-1-basic-auth  \
       --from-literal=kongCredType=basic-auth  \
       --from-literal=username=consumer-1 \
       --from-literal=password=consumer-1-password
    

    The results should look like this:

     secret/consumer-1-basic-auth created
    
  2. Create a consumer named consumer-1.

    echo "apiVersion: configuration.konghq.com/v1
    kind: KongConsumer
    metadata:
     name: consumer-1
     annotations:
       kubernetes.io/ingress.class: kong
    username: consumer-1
    credentials:
    - consumer-1-basic-auth
    " | kubectl apply -f -
    

    The results should look like this:

     kongconsumer.configuration.konghq.com/consumer-1 created
    
  3. Create a secret to add key-auth credential for consumer-2.

     kubectl create secret generic consumer-2-key-auth \
       --from-literal=kongCredType=key-auth  \
       --from-literal=key=consumer-2-password
    

    The results should look like this:

     secret/consumer-2-key-auth created
    
  4. Create a consumer named consumer-2.

    echo "apiVersion: configuration.konghq.com/v1
    kind: KongConsumer
    metadata:
     name: consumer-2
     annotations:
       kubernetes.io/ingress.class: kong
    username: consumer-2
    credentials:
    - consumer-2-key-auth
    " | kubectl apply -f -
    

    The results should look like this:

     kongconsumer.configuration.konghq.com/consumer-2 created
    

Secure the Ingress

  1. Create two plugins.

    • Create a plugin named httpbin-basic-auth.
     echo '
     apiVersion: configuration.konghq.com/v1
     kind: KongPlugin
     metadata:
       name: httpbin-basic-auth
     config:
       anonymous: anonymous
       hide_credentials: true
     plugin: basic-auth
     ' | kubectl apply -f -
    

    The results should look like this:

     kongplugin.configuration.konghq.com/httpbin-basic-auth created
    
    • Create a plugin named httpbin-key-auth.
     echo '
     apiVersion: configuration.konghq.com/v1
     kind: KongPlugin
     metadata:
       name: httpbin-key-auth
     config:
       key_names:
         - apikey
       anonymous: anonymous
       hide_credentials: true
     plugin: key-auth
     ' | kubectl apply -f -
    

    The results should look like this:

     kongplugin.configuration.konghq.com/httpbin-key-auth created
    
  2. Associate the plugins with the Ingress rule that you created.

     kubectl patch ingress demo -p '{"metadata":{"annotations":{"konghq.com/plugins":"httpbin-basic-auth, httpbin-key-auth"}}}'
    

    The results should look like this:

     ingress.networking.k8s.io/demo patched
    

Anonymous Consumers

Your endpoints are now secure, but neither consumer can access the endpoint when providing valid credentials. This is because each plugin will verify the consumer using it’s own authentication method.

To allow multiple authentication methods, create an anonymous consumer which is the default user if no valid credentials are provided:

  1. Create a consumer named anonymous.

    echo "apiVersion: configuration.konghq.com/v1
    kind: KongConsumer
    metadata:
     name: anonymous
     annotations:
       kubernetes.io/ingress.class: kong
    username: anonymous
    " | kubectl apply -f -
    

    The results should look like this:

     kongconsumer.configuration.konghq.com/anonymous created
    

    All requests to the API will now succeed as the anonymous consumer is being used as a default.

    To secure the API once again, add a request termination plugin to the anonymous consumer that returns HTTP 401:

  2. Create a Request Termination plugin.

     echo '
     apiVersion: configuration.konghq.com/v1
     kind: KongPlugin
     metadata:
       name: anonymous-request-termination
     config:
       message: "Authentication required"
       status_code: 401
     plugin: request-termination
     ' | kubectl apply -f -
    

    The results should look like this:

     kongplugin.configuration.konghq.com/anonymous-request-termination created
    
  3. Associate the Request Termination plugin to the anonymous consumer.

     echo '
     apiVersion: configuration.konghq.com/v1
     kind: KongConsumer
     metadata:
       annotations:
         konghq.com/plugins: anonymous-request-termination
         kubernetes.io/ingress.class: kong
       name: anonymous
     username: anonymous
     ' | kubectl apply -f -
    

    The results should look like this:

     kongconsumer.configuration.konghq.com/anonymous configured
    

Test the configuration

Any requests with missing or invalid credentials are rejected, whereas authorized requests using either of the authentication methods are allowed.

  1. Send a request with invalid credentials.
     curl -i $PROXY_IP/test/status/200 -H apikey:invalid
    

    The results should look like this:

     HTTP/1.1 401 Unauthorized
     Content-Type: application/json; charset=utf-8
     Connection: keep-alive
     WWW-Authenticate: Key realm="kong"
     Content-Length: 37
     X-Kong-Response-Latency: 3
     Server: kong/3.3.1
        
     {"message":"Authentication required"}% 
    
  2. Send a request without any credentials.
     curl -i $PROXY_IP/test/status/200
    

    The results should look like this:

     HTTP/1.1 401 Unauthorized
     Content-Type: application/json; charset=utf-8
     Connection: keep-alive
     WWW-Authenticate: Key realm="kong"
     Content-Length: 37
     X-Kong-Response-Latency: 1
     Server: kong/3.3.1
        
     {"message":"Authentication required"}%
    
  3. Send a request using the basic-auth authentication method
     curl -i $PROXY_IP/test/status/200 -u consumer-1:consumer-1-password
    

    The results should look like this:

     HTTP/1.1 200 OK
     Content-Type: text/html; charset=utf-8
     Content-Length: 0
     Connection: keep-alive
     WWW-Authenticate: Key realm="kong"
     Server: gunicorn/19.9.0
     Access-Control-Allow-Origin: *
     Access-Control-Allow-Credentials: true
     X-Kong-Upstream-Latency: 1309
     X-Kong-Proxy-Latency: 3
     Via: kong/3.3.1
    
  4. Send a request using the key-auth authentication method
     curl -i $PROXY_IP/test/status/200 -H apikey:consumer-2-password
    

    The results should look like this:

     HTTP/1.1 200 OK
     Content-Type: text/html; charset=utf-8
     Content-Length: 0
     Connection: keep-alive
     Server: gunicorn/19.9.0
     Access-Control-Allow-Origin: *
     Access-Control-Allow-Credentials: true
     X-Kong-Upstream-Latency: 1227
     X-Kong-Proxy-Latency: 4
     Via: kong/3.3.1
    
Thank you for your feedback.
Was this page useful?
Too much on your plate? close cta icon
More features, less infrastructure with Kong Konnect. 1M requests per month for free.
Try it for Free
  • Kong
    THE CLOUD CONNECTIVITY COMPANY

    Kong powers reliable digital connections across APIs, hybrid and multi-cloud environments.

    • Company
    • Customers
    • Events
    • Investors
    • Careers Hiring!
    • Partners
    • Press
    • Contact
  • Products
    • Kong Konnect
    • Kong Gateway
    • Kong Mesh
    • Get Started
    • Pricing
  • Resources
    • eBooks
    • Webinars
    • Briefs
    • Blog
    • API Gateway
    • Microservices
  • Open Source
    • Install Kong Gateway
    • Kong Community
    • Kubernetes Ingress
    • Kuma
    • Insomnia
  • Solutions
    • Decentralize
    • Secure & Govern
    • Create a Dev Platform
    • API Gateway
    • Kubernetes
    • Service Mesh
Star
  • Terms•Privacy
© Kong Inc. 2023