Authentication
What is authentication?
Authentication is the process of verifying that a requester has permissions to access a resource. As its name implies, API gateway authentication controls the flow of data between clients and the gateway.
With Kong Gateway controlling authentication, requests won’t reach upstream services unless the client has successfully authenticated. This means upstream services process pre-authorized requests, freeing them from the cost of authentication, which is a savings in compute time and development effort.
Kong Gateway has a library of plugins that support the most widely used methods of API gateway authentication.
Common authentication methods
Basic authentication
Basic authentication is a simple authentication method that uses a base64-encoded username and password combination as the token.
OAuth 2.0 authentication
OAuth 2.0 is a protocol that relies on an application to authorize access to Services and Routes.
OpenID Connect Authentication
OpenID Connect (OIDC) is an authentication protocol based on OAuth 2.0. It works with identity providers to verify a user’s identity without storing credentials.
SAML Authentication
SAML is a standard used to exchange authentication and authorization information between an identity provider and a service provider.
OAuth 2.0 Introspection
Integrate Kong Gateway with a third-party OAuth 2.0 Authorization Server.
Sessions for authentication
The Session plugin supports sessions for Kong authentication plugins.
Key authentication
Key authentication generates an API key for a Consumer, which can be passed in an apikey header to access Services and Routes.
LDAP authentication
LDAP is a protocol that uses a directory to check credentials provided by a client.
Why is authentication important?
Kong Gateway authentication plugins protect your upstream services from unauthorized access. This means upstream services process pre-authorized requests, freeing them from the cost of authentication, which is a savings in compute time and development effort.
Kong Gateway offers tools that give visibility into all authentication attempts, which provides the ability to build monitoring and alerting capabilities supporting Service availability and compliance.
For more information, see What is API Gateway Authentication in our Learning Center.
Using multiple authentication methods
You can configure multiple authentication plugins, such as Basic Authentication and Key Authentication, on a Gateway Service. This allows clients to use different authentication methods to access the associated Gateway Service or Route.
When multiple authentication plugins are configured, they must all either be configured to always perform authentication or to only perform authentication if the Consumer wasn’t already authenticated.
This configuration is controlled by the config.anonymous property in the plugin schema:
- When config.anonymous is not set: Authentication is always performed and a 4xx error is returned if the Consumer isn’t validated. With this method, the last plugin executed will be the one setting the credentials passed to the upstream service.
- When config.anonymous is set to a valid Consumer: Authentication is only performed if the Consumer isn’t already authenticated. When authentication fails, it won’t return a 40x response. Instead, it sets the anonymous Consumer as the Consumer. With this method, the credentials passed to the upstream service are set either by the first plugin that successfully authenticates the Consumer or by the last plugin that sets its configured anonymous Consumer.
If you enable anonymous access so that authentication isn’t always performed but you don’t want unauthorized users to access the Gateway Service or Route, you can configure the Request Termination plugin on the anonymous Consumer.
Note: If you configure the OAuth2 plugin and don’t set config.anonymous, then the OAuth2 endpoints for requesting tokens and so forth will require authentication by the other configured auth plugins.
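The multiple-method setup described above, written as a declarative (decK-style) Kong Gateway configuration. This is an added example and not from the Kong documentation; the Consumer names, the Service URL and the credential values are constructed, and it assumes config.anonymous accepts the anonymous Consumer’s username.

```yaml
_format_version: "3.0"

# Anonymous Consumer: every auth plugin that fails sets this Consumer instead
# of returning a 40x response, so the request keeps flowing through the chain.
consumers:
  - username: anonymous-fallback          # constructed name
    plugins:
      # Request Termination scoped to the anonymous Consumer: a request that
      # no auth plugin could authenticate is rejected here, before the upstream.
      - name: request-termination
        config:
          status_code: 401
          message: "Authentication required"

  - username: alice                       # constructed Consumer
    keyauth_credentials:
      - key: "alice-api-key-CONSTRUCTED"  # constructed sample credential
    basicauth_credentials:
      - username: alice
        password: "alice-password-CONSTRUCTED"  # constructed sample credential

services:
  - name: example-service
    url: http://upstream.example.internal:8080   # assumed upstream address
    routes:
      - name: example-route
        paths:
          - /example
    plugins:
      # Both plugins set config.anonymous, so each one only authenticates if
      # the Consumer isn't already authenticated. A client may send either an
      # apikey header or a Basic Authorization header; the first plugin that
      # succeeds sets the credentials passed upstream.
      - name: key-auth
        config:
          key_names: ["apikey"]
          anonymous: anonymous-fallback
      - name: basic-auth
        config:
          anonymous: anonymous-fallback
```

Leaving config.anonymous unset on either plugin would switch that plugin back to always-authenticate mode, and a client using the other method would then be rejected with a 4xx by it.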
How-to guides
- Allow clients to choose their authentication methods and prevent unauthorized access
- Automatically create and manage Dev Portal applications in Auth0 with Dynamic Client Registration
- Authenticate Consumers with the JWT plugin
- Authenticate Consumers with basic authentication
- Enable key authentication on a Gateway Service with Kong Gateway