Authentication
What is authentication?
Authentication is the process of verifying that a requester has permissions to access a resource. As its name implies, API gateway authentication controls the flow of data between clients and the gateway.
With Kong Gateway controlling authentication, requests won’t reach upstream services unless the client has successfully authenticated. This means upstream services process pre-authorized requests, freeing them from the cost of authentication, which is a savings in compute time and development effort.
Kong Gateway has a library of plugins that support the most widely used methods of API gateway authentication.
Basic Authentication
Basic authentication is a simple authentication method that uses a base64-encoded username and password combination as a token.
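The Basic scheme described above, as an added example (not code from the original page or from Kong's plugin): a gateway-side check that decodes the `Authorization` header and verifies it against a salted hash, which also shows that base64 is reversible encoding and gives the credential no confidentiality without TLS. The names `parse_basic_header`, `authenticate`, `STORE` and `ITERATIONS`, and all sample values, are assumptions made for illustration.

```python
import base64
import binascii
import hashlib
import hmac

ITERATIONS = 100_000  # assumed work factor for this example


def hash_password(password, salt):
    """Derive the stored verifier; the gateway never keeps the clear password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def parse_basic_header(value):
    """Return (username, password) from an Authorization header value, or None."""
    scheme, _, token = value.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "basic" or not token:
        return None
    try:
        # validate=True rejects input outside the base64 alphabet.
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Split on the first colon only: a password may itself contain colons.
    username, sep, password = decoded.partition(":")
    if not sep or not username:
        return None
    return username, password


def authenticate(header_value, store):
    """True only when the header carries a username/password pair found in store."""
    parsed = parse_basic_header(header_value or "")
    if parsed is None:
        return False
    username, password = parsed
    # Unknown users still cost one hash, so timing does not reveal valid names.
    salt, expected = store.get(username, (b"\x00" * 16, b"\x00" * 32))
    return hmac.compare_digest(hash_password(password, salt), expected)


# Constructed sample data: one consumer and the header a client would send.
SALT = b"constructed-salt"
STORE = {"alice": (SALT, hash_password("s3cr3t:with:colons", SALT))}
HEADER = "Basic " + base64.b64encode(b"alice:s3cr3t:with:colons").decode("ascii")
```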
Key Authentication
Key authentication generates an API key for a consumer, which can be passed in an apikey header to access services and routes.
Open-source plugin:
Advanced Enterprise plugin with enhanced capabilities:
LDAP Authentication
LDAP is a protocol that uses a directory to check credentials provided by a client.
Open-source plugin:
Advanced Enterprise plugin with enhanced capabilities:
OAuth 2.0 Authentication
OAuth 2.0 is a protocol that relies on an application to authorize access to services and routes.
OpenID Connect Authentication
OpenID Connect (OIDC) is an authentication protocol based on OAuth 2.0. It works with identity providers to verify a user’s identity without storing credentials.
SAML Authentication
SAML is a standard used to exchange authentication and authorization information between an identity provider and a service provider.
Why is authentication important?
With Kong Gateway controlling authentication, requests won’t reach upstream services unless the client has successfully authenticated. This means upstream services process pre-authorized requests, freeing them from the cost of authentication, which is a savings in compute time and development effort.
Kong Gateway has visibility into all authentication attempts, which provides the ability to build monitoring and alerting capabilities supporting service availability and compliance.
For more information, see What is API Gateway Authentication.