Set up API Authentication
For security reasons, API7 Enterprise should authenticate and authorize consumers before they access internal resources. API7 Enterprise has a flexible plugin extension system and a number of plugins for user authentication and authorization are provided. For example:
This guide walks you through how to enable key authentication for a service and a route.
Prerequisites
- Obtain a user account with Super Admin or API Provider role.
- Publish a service.
Set Up Key Authentication for a Service
If you want to enable key authentication for all existing and future routes of a service, enable the key-auth plugin at the service level. This prevents enabling additional authentication plugins at the route level.
Since plugin configurations are not considered Runtime Configurations, you should modify them in the service template and then publish a new version to the gateway group.
- Select Services from the side navigation bar and then select Swagger Petstore.
- Select Plugins from the side navigation bar.
- In the Plugins field, search for the key-auth plugin.
- Click the Plus icon (+).
- Click Enable.
- Select Services from the side navigation bar and then click Publish New Version for the Swagger Petstore service.
- Choose the Test Group gateway group and then click Next.
- From the dialog box, do the following:
  - In the New Version field, enter 1.0.1.
  - Leave the nodes unchanged and then click Publish.
Set Up Key Authentication for a Route
If you want to enable key authentication for a single route, enable the key-auth plugin at the route level. This prevents enabling plugins at the service level.
Since plugin configurations are not considered Runtime Configurations, you should modify them in the service template and then publish a new version to the gateway group.
- Select Services from the side navigation bar and then select Swagger Petstore.
- Select Routes from the side navigation bar and then select getPetById.
- In the Plugins field, search for the key-auth plugin.
- Click the Plus icon (+).
- Click Enable.
- Select Services from the side navigation bar and then click Publish New Version for the Swagger Petstore service.
- Choose the Test Group gateway group and then click Next.
- From the dialog box, do the following:
  - In the New Version field, enter 1.0.1.
  - Leave the nodes unchanged and then click Publish.
Validate
Authentication should be set up both on the service and on the Consumers.
Add a Consumer
- Select Consumers from the side navigation bar and then click Add Consumer.
- In the Gateway Group field, choose Test Group, and in the Name field enter Alice.
- Click Add.
Enable Key Authentication for the Consumer
- Select Consumers from the side navigation bar and then select Alice.
- In the Plugins field, search for the key-auth plugin.
- Click the Plus icon (+) and a dialog box appears.
- Apply the following configuration to the JSON Editor:
{
  "key": "secret-key"
}
- Click Enable.
Send a Request without a Key
curl -i "http://127.0.0.1:9080/pet/1"
Since the key is not provided, you will receive an HTTP/1.1 401 Unauthorized response.
HTTP/1.1 401 Unauthorized
Date: Fri, 01 Sep 2023 03:06:51 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: APISIX/dev
{"message":"Missing API key found in request"}
Send a Request with a Wrong Key
curl -i "http://127.0.0.1:9080/pet/1" -H "apikey: wrongkey"
HTTP/1.1 401 Unauthorized
Date: Fri, 01 Sep 2023 03:08:00 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: APISIX/dev
{"message":"Invalid API key in request"}
Send a Request with a Correct Key
curl -i "http://127.0.0.1:9080/pet/1" -H "apikey: secret-key"
HTTP/1.1 200 OK
X-RateLimit-Limit: 120
X-RateLimit-Remaining: 119
X-RateLimit-Reset: 1693537822
{
  "name": "Dog",
  "photoUrls": [
    "https://example.com/dog-1.jpg",
    "https://example.com/dog-2.jpg"
  ],
  "id": 1,
  "category": {
    "id": 1,
    "name": "pets"
  },
  "tags": [
    {
      "id": 1,
      "name": "friendly"
    },
    {
      "id": 2,
      "name": "smart"
    }
  ],
  "status": "available"
}
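The three requests above can be run as one repeatable check after each publish. The script below is an added example, not part of the API7 documentation; the function names and the GATEWAY_URL, ROUTE_PATH and API_KEY variables are assumptions, as is the premise that "invalid-" followed by the key is not a provisioned consumer key.

```shell
#!/bin/sh
# Added example (not from the API7 documentation): smoke test for key-auth.
# Assumptions: gateway at GATEWAY_URL, route /pet/1, header name "apikey",
# and that "invalid-<key>" is not a provisioned consumer key.
GATEWAY_URL="${GATEWAY_URL:-http://127.0.0.1:9080}"

# status_for PATH [KEY]: print only the HTTP status code of a GET request.
# curl prints 000 when the gateway cannot be reached, which fails every check.
status_for() {
    if [ -n "${2:-}" ]; then
        curl -s -o /dev/null --max-time 5 -w '%{http_code}' \
            -H "apikey: $2" "$GATEWAY_URL$1"
    else
        curl -s -o /dev/null --max-time 5 -w '%{http_code}' "$GATEWAY_URL$1"
    fi
}

# expect_status LABEL WANT GOT: report one check, return 1 on mismatch.
expect_status() {
    if [ "$3" = "$2" ]; then
        echo "PASS  $1: $3"
    else
        echo "FAIL  $1: got $3, want $2"
        return 1
    fi
}

# verify_key_auth PATH VALID_KEY: return 0 only if the route rejects a missing
# key and a wrong key with 401 and accepts the valid key with 200.
verify_key_auth() {
    vk_path=$1 vk_key=$2 vk_rc=0
    expect_status "no key" 401 "$(status_for "$vk_path")" || vk_rc=1
    expect_status "wrong key" 401 \
        "$(status_for "$vk_path" "invalid-$vk_key")" || vk_rc=1
    expect_status "correct key" 200 \
        "$(status_for "$vk_path" "$vk_key")" || vk_rc=1
    return "$vk_rc"
}

# Runs only when API_KEY is set in the environment, so the key is never
# hard-coded in the script.
if [ -n "${API_KEY:-}" ]; then
    verify_key_auth "${ROUTE_PATH:-/pet/1}" "$API_KEY"
fi
```

Set API_KEY to the consumer's key before running; a non-zero exit status means at least one of the three checks failed.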