You are browsing documentation for an older version. See the latest documentation here.

Key Authentication

Authentication is the process of verifying that a requester has permissions to access a resource. API gateway authentication authenticates the flow of data to and from your upstream services.

Kong Gateway has a library of plugins that support the most widely used methods of API gateway authentication.

Common authentication methods include:

• Key Authentication
• Basic Authentication
• OAuth 2.0 Authentication
• LDAP Authentication Advanced
• OpenID Connect

Authentication benefits

With Kong Gateway controlling authentication, requests won’t reach upstream services unless the client has successfully authenticated. This means upstream services process pre-authorized requests, freeing them from the cost of authentication, which is a savings in compute time and development effort.

Kong Gateway has visibility into all authentication attempts and enables you to build monitoring and alerting capabilities which support service availability and compliance.

For more information, see What is API Gateway Authentication?.

Add authentication to the echo service

1. Create a new key-auth plugin.

    echo "
    apiVersion: configuration.konghq.com/v1
    kind: KongPlugin
    metadata:
      name: key-auth
    plugin: key-auth
    config:
      key_names:
      - apikey
    " | kubectl apply -f -
   

2. Apply the key-auth plugin to the echo service in addition to the previous rate-limit plugin.

    kubectl annotate service echo konghq.com/plugins=rate-limit-5-min,key-auth --overwrite
   

3. Test that the API is secure by sending a request using curl -i $PROXY_IP/echo. Observe that a HTTP 401 is returned with this message:

    HTTP/1.1 401 Unauthorized
    Date: Wed, 11 Jan 2044 18:33:46 GMT
    Content-Type: application/json; charset=utf-8
    WWW-Authenticate: Key realm="kong"
    Content-Length: 45
    X-Kong-Response-Latency: 1
    Server: kong/3.9.0
   
    {
      "message":"No API key found in request"
    }
   

Set up consumers and keys

Key authentication in Kong Gateway works by using the consumer object. Keys are assigned to consumers, and client applications present the key within the requests they make.

Keys are stored as Kubernetes Secrets and consumers are managed with the KongConsumer CRD.

1. Create a new Secret labeled to use key-auth credential type.

    echo '
    apiVersion: v1
    kind: Secret
    metadata:
       name: alex-key-auth
       labels:
          konghq.com/credential: key-auth
    stringData:
       key: hello_world
    ' | kubectl apply -f -
   

2. Create a new consumer and attach the credential.

    echo "apiVersion: configuration.konghq.com/v1
    kind: KongConsumer
    metadata:
      name: alex
      annotations:
        kubernetes.io/ingress.class: kong
    username: alex
    credentials:
    - alex-key-auth
    " | kubectl apply -f -
   

3. Make a request to the API and provide your apikey:

    curl -H 'apikey: hello_world' $PROXY_IP/echo
   

   The results should look like this:

    Welcome, you are connected to node orbstack.
    Running on Pod echo-965f7cf84-mvf6g.
    In namespace default.
    With IP address 192.168.194.10.
   

Next Steps

Congratulations! By making it this far you’ve deployed Kong Ingress Controller, configured a service and route, added rate limiting, proxy caching and API authentication all using your normal Kubernetes workflow.

You can learn more about the available plugins (including Kubernetes configuration instructions) on the Plugin Hub. For more information about Kong Ingress Controller and how it works, see the architecture page.