Key Authentication
Authentication is the process of verifying the identity of a requester before it is allowed to access a resource. API gateway authentication authenticates the flow of data to and from your upstream services.
Kong Gateway has a library of plugins that support the most widely used API gateway authentication methods.
Common authentication methods include:
- Key Authentication
- Basic Authentication
- OAuth 2.0 Authentication
- LDAP Authentication Advanced
- OpenID Connect
Authentication benefits
With Kong Gateway controlling authentication, requests won’t reach upstream services unless the client has successfully authenticated. This means upstream services only process pre-authenticated requests, freeing them from the cost of authentication, which saves compute time and development effort.
Kong Gateway has visibility into all authentication attempts and lets you build monitoring and alerting capabilities that support service availability and compliance.
For more information, see What is API Gateway Authentication?
Add authentication to the echo service
- Create a new `key-auth` plugin:

```bash
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: key-auth
plugin: key-auth
config:
  key_names:
  - apikey
" | kubectl apply -f -
```

- Apply the `key-auth` plugin to the `echo` service in addition to the previous `rate-limit` plugin:

```bash
kubectl annotate service echo konghq.com/plugins=rate-limit-5-min,key-auth --overwrite
```

- Test that the API is secure by sending a request using `curl -i $PROXY_IP/echo`. Observe that an HTTP 401 is returned with this message:

```
HTTP/1.1 401 Unauthorized
Date: Wed, 11 Jan 2044 18:33:46 GMT
Content-Type: application/json; charset=utf-8
WWW-Authenticate: Key realm="kong"
Content-Length: 45
X-Kong-Response-Latency: 1
Server: kong/3.9.0

{
  "message":"No API key found in request"
}
```
Set up consumers and keys
Key authentication in Kong Gateway works by using the consumer object. Keys are assigned to consumers, and client applications present the key within the requests they make.
Keys are stored as Kubernetes Secrets, and consumers are managed with the KongConsumer CRD.
- Create a new Secret labelled with the `key-auth` credential type:

```bash
echo '
apiVersion: v1
kind: Secret
metadata:
  name: alex-key-auth
  labels:
    konghq.com/credential: key-auth
stringData:
  key: hello_world
' | kubectl apply -f -
```

- Create a new consumer and attach the credential:

```bash
echo "
apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
  name: alex
  annotations:
    kubernetes.io/ingress.class: kong
username: alex
credentials:
- alex-key-auth
" | kubectl apply -f -
```

- Make a request to the API and provide your `apikey`:

```bash
curl -H 'apikey: hello_world' $PROXY_IP/echo
```

The results should look like this:

```
Welcome, you are connected to node orbstack.
Running on Pod echo-965f7cf84-mvf6g.
In namespace default.
With IP address 192.168.194.10.
```
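To make the wiring between the three objects above explicit, here is an added reference model (not Kong's or the ingress controller's own code) that expresses the page's KongPlugin, Secret and KongConsumer as plain dicts and resolves a request to a consumer the way the gateway does: the Secret must carry the `konghq.com/credential: key-auth` label and be listed in a KongConsumer, and the request must present the key under a header named in `key_names`. The wrong-key response text is this model's own wording, not necessarily the gateway's.

```python
import hmac

# Constructed copies of this page's manifests, as dicts rather than YAML.
PLUGIN = {"kind": "KongPlugin", "metadata": {"name": "key-auth"},
          "plugin": "key-auth", "config": {"key_names": ["apikey"]}}
SECRET = {"kind": "Secret",
          "metadata": {"name": "alex-key-auth",
                       "labels": {"konghq.com/credential": "key-auth"}},
          "stringData": {"key": "hello_world"}}
CONSUMER = {"kind": "KongConsumer", "metadata": {"name": "alex"},
            "username": "alex", "credentials": ["alex-key-auth"]}


def build_key_table(secrets, consumers):
    """Map each usable key to the username of the consumer that owns it.

    A Secret only counts when it carries the konghq.com/credential=key-auth
    label AND is listed in a KongConsumer's credentials; a key that exists
    in the cluster but misses either step still yields a 401.
    """
    labelled = {
        s["metadata"]["name"]: s for s in secrets
        if s["metadata"].get("labels", {}).get("konghq.com/credential") == "key-auth"
    }
    table = {}
    for consumer in consumers:
        for name in consumer.get("credentials", []):
            if name in labelled:
                table[labelled[name]["stringData"]["key"]] = consumer["username"]
    return table


def authenticate(headers, plugin, key_table):
    """Return (status, detail) for a request carrying the given headers.

    Header names match case-insensitively, as HTTP requires, and only the
    names listed in the plugin's key_names are consulted. The key value is
    compared in constant time; the 'Unauthorized' text for a wrong key is
    this model's wording (assumption), the missing-key text is the page's.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    presented = next((lowered[n.lower()] for n in plugin["config"]["key_names"]
                      if n.lower() in lowered), None)
    if presented is None:
        return 401, "No API key found in request"
    matched = None
    for key, username in key_table.items():
        if hmac.compare_digest(presented.encode(), key.encode()):
            matched = username
    return (200, matched) if matched else (401, "Unauthorized")
```

Sending the key under a header name that is not in `key_names` (for example `x-api-key`) fails exactly like sending no key at all, which is the first thing to check when a freshly created consumer keeps getting 401.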
Next Steps
Congratulations! By making it this far you’ve deployed Kong Ingress Controller, configured a service and route, and added rate limiting, proxy caching and API authentication, all using your normal Kubernetes workflow.
You can learn more about the available plugins (including Kubernetes configuration instructions) on the Plugin Hub. For more information about Kong Ingress Controller and how it works, see the architecture page.