Skip to main content

Version: 3.11.0

Consumers

In this document, you will learn the basic concepts of consumers in APISIX and why you need them. You will be introduced to a few relevant concepts, including how to pass consumer information to upstream, consumer access restriction, as well as consumer authentication and authorization.

Explore additional resources at the end of the document for more information on related topics.

Overview

In APISIX, a consumer object represents a user, application, or host that sends requests to the API gateway and consumes backend services. It is used in conjunction with the authentication system; that is, every consumer is associated with at least one authentication plugin.

Consumer objects come in handy if you have different consumers sending requests to your system, and you need APISIX to perform certain functions, such as rate limiting, based on consumers. These functionalities are provided by APISIX plugins configured in consumers.

The following diagram illustrates an example of APISIX with one key-auth enabled route and two consumers, John and Jane. John and Jane each authenticates to the route with their credentials. Only authenticated requests are then allowed to access the upstream resource:

consumers diagram

The configuration above ensures if a request is sent to APISIX:

  • without any key or with a wrong key, the request is rejected.
  • with john-key, the request is authenticated and forwarded to the upstream service.
  • with jane-key, the request is authenticated and forwarded to the upstream service. The rate limiting plugin limit-count on the consumer also takes effect, limiting the number of requests to a maximum of 2 within any 5-second window. If the rate limit threshold is exceeded, the request will be rejected.

Note that when a consumer is successfully authenticated, APISIX adds additional headers, such as X-Consumer-Username, X-Credential-Indentifier, X-Consumer-Custom-ID, to the request, before proxying it to the upstream service. The upstream service will be able to differentiate between consumers and implement additional logics as needed. If any of these values is not available, the corresponding header will not be added.

Passing Consumer Information to Upstream

For certain use cases, such as logging, analytics, and auditing, you might want to pass consumer information to upstream services. Consumer information, by default, is not exposed to upstream; however, you can use proxy-rewrite plugin to include the needed information in the header:

{
"plugins":{
...,
"proxy-rewrite":{
"headers":{
"set":{
"X-Consumer-Name":"$consumer_name"
}
}
}
}
}

Consumer Access Restriction

You can control request access to your API by imposing restrictions based on consumer name, HTTP methods, or other parameters in the consumer-restriction plugin.

For example, if you want to blacklist Jane from accessing your upstream service without changing any consumers configuration in the example from overview, you can update the plugin's configuration in route to the following:

{
"plugins":{
"key-auth":{},
"consumer-restriction":{
"blacklist":["Jane"]
}
}
}

Or, if you want to strictly allow FetchBot's access by HTTP GET method, you can update the plugin's configuration (in either the route or the consumer) to the following:

{
"plugins":{
...,
"consumer-restriction":{
"allowed_by_methods":[
{
"user":"FetchBot",
"methods":["GET"]
}
]
}
}
}

The consumer-restriction plugin can also be used with routes, services, and consumer groups.

Authentication & Authorization

There are two main design patterns for building authentication and authorization in an APISIX-based architecture.

The first and most commonly adopted approach is to authenticate and authorize requests through a third-party identity provider (IdP), such as Keycloak:

APISIX integration with an IdP

In some environments, a request might need to go through more than one IdP before it can be forwarded to the upstream service. In such cases, you can configure multiple authentication plugins, each corresponding to an IdP, on one consumer; only when all IdPs have granted access to a request will APISIX show success response.

With multiple authentication plugins in place, the plugins order of execution is determined by the plugin's priority, which can be overridden with _meta.priority.

The second and a more basic approach is to perform authentication and authorization on the API gateway itself, using key-auth, basic-auth, jwt-auth, hmac-auth plugins:

APISIX performs auth without IdP

For details about how to configure authentication and authorization for your specific needs, please refer to the authentication chapter in How-To Guides (coming soon).

Additional Resource(s)


API7.ai Logo

API Management for Modern Architectures with Edge, API Gateway, Kubernetes, and Service Mesh.

Product

API7 Cloud

SOC2 Type IIISO 27001HIPAAGDPRRed Herring

Copyright © APISEVEN Ltd. 2019 – 2024. Apache, Apache APISIX, APISIX, and associated open source project names are trademarks of the

Apache Software Foundation