Key Authentication
An API gateway's primary role is to connect API consumers and providers. For security reasons, it should authenticate and authorize consumers before access to internal resources.
APISIX has a flexible plugin extension system and a number of existing plugins for user authentication and authorization. For example:
- Key Authentication
- Basic Authentication
- JSON Web Token (JWT) Authentication
- Keycloak
- Casdoor
- Wolf RBAC
- OpenID Connect
- Central Authentication Service (CAS)
- HMAC
- Casbin
- LDAP
- Open Policy Agent (OPA)
- Forward Authentication
In this tutorial, you will create a consumer with key authentication, and learn how to enable and disable key authentication.
Key Concepts
Consumer
A consumer is an application or a developer who consumes the API.
In APISIX, a consumer requires a unique username to be created. As part of the key authentication configuration, you would also add one of the authentication plugins from the list above to the consumer's plugin field.
Key Authentication
Key authentication is a relatively simple but widely used authentication approach. The idea is as follows:
- Administrator adds an authentication plugin to the route.
- API consumers attach the key to the query string or headers for authentication when sending requests.
Prerequisite(s)
- Complete Get APISIX to install APISIX on Docker or Kubernetes.
- Complete Configure Routes.
Start a Sample Upstream Service
If you are running APISIX in Kubernetes, you will be deploying an httpbin application to your cluster in this section. Otherwise, skip to the next section where you will be using the hosted httpbin application as the upstream.
Start a sample httpbin application:
kubectl run httpbin --image kennethreitz/httpbin --port 80
You should see a pod/httpbin created response.
Expose the application's port 80 through a service:
kubectl expose pod httpbin --port 80
You should see a service/httpbin exposed response.
Configure Key Authentication
- Admin API
- ADC
- Ingress Controller
Create a Consumer
Create a consumer named tom and enable the key-auth plugin with an API key secret-key. All requests sent with the key secret-key should be authenticated as tom.
Please use a complex key in the production environment.
curl -i "http://127.0.0.1:9180/apisix/admin/consumers" -X PUT -d '
{
"username": "tom",
"plugins": {
"key-auth": {
"key": "secret-key"
}
}
}'
You will receive an HTTP/1.1 201 Created response if the consumer was created successfully.
Enable Authentication
Update the getting-started-ip route from Configure Routes to add the key-auth plugin:
curl -i "http://127.0.0.1:9180/apisix/admin/routes/getting-started-ip" -X PATCH -d '
{
"plugins": {
"key-auth": {}
}
}'
You will receive an HTTP/1.1 200 OK response if the plugin was added successfully.
Create an ADC configuration file containing a consumer and a route:
consumers:
- username: tom
plugins:
key-auth:
key: secret-key
services:
- name: httpbin Service
routes:
- uris:
- /ip
name: getting-started-ip
plugins:
key-auth: {}
upstream:
type: roundrobin
nodes:
'httpbin.org:80': 1
Synchronize the configuration to APISIX:
adc sync -f adc.yaml
Create a Kubernetes manifest file to configure a consumer using the ApisixConsumer custom resource:
apiVersion: apisix.apache.org/v2
kind: ApisixConsumer
metadata:
name: tom
namespace: ingress-apisix
spec:
authParameter:
keyAuth:
value:
key: "secret-key"
Create another manifest file for a route, where key authentication is enabled:
apiVersion: apisix.apache.org/v2
kind: ApisixRoute
metadata:
name: httpbin-route
namespace: ingress-apisix
spec:
http:
- name: httpbin-route
match:
paths:
- /ip
backends:
- serviceName: httpbin
servicePort: 80
authentication:
enable: true
type: keyAuth
Apply the configurations to your cluster:
kubectl apply -f httpbin-route.yaml -f consumer.yaml
You should see the following responses:
apisixconsumer.apisix.apache.org/tom created
apisixroute.apisix.apache.org/httpbin-route created
Verify
You will be verifying if the key authentication is successfully enabled in this section.
Send a Request without Any Key
Send a request without the apikey header.
curl -i "http://127.0.0.1:9080/ip"
Since the key is not provided, you will receive an unauthorized HTTP/1.1 401 Unauthorized response.
Send a Request with a Wrong Key
Send a request with a wrong key in the apikey header.
curl -i "http://127.0.0.1:9080/ip" -H 'apikey: wrong-key'
Since the key is incorrect, you will receive an HTTP/1.1 401 Unauthorized response.
Send a Request with the Correct Key
Send a request with the correct key in the apikey header.
curl -i "http://127.0.0.1:9080/ip" -H 'apikey: secret-key'
Since the correct key is provided, you will receive an HTTP/1.1 200 OK response.
Disable Authentication
Disable the key authentication plugin by setting the _meta.disable parameter to true.
- Admin API
- ADC
- Ingress Controller
curl "http://127.0.0.1:9180/apisix/admin/routes/getting-started-ip" -X PATCH -d '
{
"plugins": {
"key-auth": {
"_meta": {
"disable": true
}
}
}
}'
consumers:
- username: tom
plugins:
key-auth:
key: secret-key
services:
- name: httpbin Service
routes:
- uris:
- /ip
name: getting-started-ip
plugins:
key-auth:
_meta:
disable: true
upstream:
type: roundrobin
nodes:
'httpbin.org:80': 1
Synchronize the configuration to APISIX:
adc sync -f adc.yaml
Update the route configuration file as such:
apiVersion: apisix.apache.org/v2
kind: ApisixRoute
metadata:
name: httpbin-route
namespace: ingress-apisix
spec:
http:
- name: httpbin-route
match:
paths:
- /ip
backends:
- serviceName: httpbin
servicePort: 80
authentication:
enable: false
type: keyAuth
Apply the configuration to your cluster:
kubectl apply -f httpbin-route.yaml
You should see the following response:
apisixroute.apisix.apache.org/httpbin-route configured
Send a request without any key to verify:
curl -i "http://127.0.0.1:9080/ip"
Since key authentication is disabled, you will receive an HTTP/1.1 200 OK response.
What's Next
You have learned how to configure key authentication for a route. In the next tutorial, you will learn how to configure rate limiting.