Every principal carries some combination of credentials, identities, and metadata.
Credentials are secrets a principal presents at authentication time.
You need an API Gateway configured in Konnect to use credentials because the gateway checks them directly against the directory and authenticates the principal.
Kong Identity supports the following credential types:
-
Username and password: A principal can have up to two passwords per username to support rotation. Principals in the same directory can’t share a username.
-
API key: Each API key must be unique within a directory.
API keys can be system-generated by Kong Identity or imported with a custom secret value.
A single principal can have multiple credentials, including multiple credentials of the same type.
To authenticate using a credential, a principal must exist in the target directory with a matching credential set.
Identities are how other systems recognize the principal.
Kong Identity uses them either:
- For lookup after authentication has already happened somewhere else (like a third-party IdP).
- To link a principal to an entity in another Kong product.
You can add identities to the principal as a separate resource after you’ve created a principal.
Kong Identity supports the following identity types:
|
Type
|
API value
|
Description
|
|
OIDC
|
oidc
|
References a principal authenticated by an external IdP, such as Okta or Cognito. Identified by the token’s issuer URL and a configurable claim (claim name and value). Most commonly the claim is sub, but any claim in the token can be used for lookup.
|
|
Auth server client
|
auth_server_client
|
References a Kong Identity auth server client in the same region. Identified by the auth server ID and client ID.
|
|
Consumer
|
control_plane_consumer
|
Links the principal to a Consumer in a specific Kong Gateway control plane. Use this identity to apply existing Consumer-scoped plugins to a principal’s traffic.
|
|
Custom
|
custom
|
A user-defined key and value, used to look up a principal by an identifier from an external system. For example, a sasl_username key with value john lets Event Gateway match a SASL-authenticated Kafka client to a principal.
|
A single principal can have multiple identities, including multiple of the same type.
Lookup caching and time-to-live (TTL): Kong Identity caches principal lookups, so additional lookups don’t require a connection to Kong Identity until it evicts the cache. For Kong Gateway, the eviction rate depends on the smallest of the following:
- The TTL set on the directory (10 minutes by default)
- The TTL set on a credential
- The caching configuration on Kong Gateway. Cached principals are in the general cache pool which can be configured by setting
db_cache_ttl.
Principals centralize the concept of an authenticating entity across Kong products.
Each product has its own representation of who is authenticating: Kong Gateway has Consumers and Dev Portal has applications:
-
Consumers: Attach a
control_plane_consumer identity to map a principal to a Consumer in a specific Kong Gateway control plane. When a Kong Identity-compatible authentication plugin authenticates the principal, the mapped Consumer loads into the request context just as if the Consumer had been authenticated directly. This allows existing Consumer-scoped plugins to function while you migrate to principals.
-
Consumer Groups: Map a principal to one or more Consumer Groups by setting the reserved
consumer_groups key in the principal’s metadata to a list of Consumer Group UUIDs. Consumer Groups have a many-to-many relationship with principals:
- The same group can map to many principals
- One principal can map to many groups.
If the principal is also mapped to a Consumer and that Consumer belongs to its own Consumer Groups, the gateway loads the union of both sets into the request context. Only Consumer Groups that are defined in the same Kong Gateway as the control plane will be loaded into the request context.
-
Applications: You can map a Dev Portal application to a Kong Gateway Consumer through a principal, creating a 1:1:1 relationship between the application, the principal, and the Consumer. This is how you apply Consumer-scoped plugins (including ACE and KAA) to traffic from a Dev Portal application: configure the plugin on the mapped Consumer, and it runs for any request authenticated as the application. Consumer-dimension analytics also include the application’s activity once the mapping is in place. A Portal Admin maps an existing application to an existing Consumer; Kong Identity creates or updates the principal of type application behind the scenes.
Since application to Consumer linking uses Kong Identity in the backend, there may be some latency impact to the first request.
Kong Gateway Consumers have limitations that principals can address:
-
Scale beyond Consumer limits: Users with large populations of authenticating entities can exceed the Consumer control plane limits. Consumers are loaded into data plane memory while principals are loaded on demand when they authenticate.
-
Share identity across gateways without manual sync: When the same entity needs to authenticate to multiple gateways, Consumers must be replicated. A principal lives in one directory and can be referenced from any gateway in the same region.
-
Unify identity across Kong products: Consumers and applications each represent the same logical entity in different ways, which makes it hard to reason about authentication, policy, and observability together. Principals replace that with one model.
-
Attach metadata to identity: Consumers don’t support metadata, which forces custom plugins or header-injection workarounds when you want per-entity rate limits, conditional plugin behavior, or richer logs. Principals support metadata natively.
Metadata is a set of key-value pairs associated with a principal. Kong Identity authenticates or looks up a principal, then makes the metadata available in the request context of a Kong Gateway or Event Gateway.
You can use metadata to configure how a gateway behaves when that principal is authenticated to it.
For example, a Request Termination plugin can block access only when principal.metadata.business_unit == "payments".