Key Authentication

Features

The key-auth plug-in implements the authentication function based on the API Key, supports parsing the API Key from the URL parameter or request header of the HTTP request, and verifies whether the API Key has permission to access.

Configuration field

NameData TypeParameter requirementsDefaultDescription
consumersarray of objectRequired-Configure the caller of the service to authenticate the request.
keysarray of stringRequired-The name of the source field of the API Key, which can be a URL parameter or an HTTP request header name.
inqueryboolAt least one of in_query and in_header must be true.trueWhen configured true, the gateway will try to parse the API Key from the URL parameters.
in_headerboolThe same as above.trueThe same as above.
_rulesarray of objectOptional-Configure the access list of a specific route or domain name for authenticating requests.

The configuration fields of each item in consumers are described as follows:

NameData TypeParameter requirementsDefaultDescription
credentialstringRequired-Configure the consumer’s access credentials.
namestringRequired-Configure the name of the consumer.

The configuration fields of each item in _rules_ are described as follows:

NameData TypeParameter requirementsDefaultDescription
match_routearray of stringOptional,Optionally fill in one of match_route, match_domain.-Configure the route name to match.
match_domainarray of stringOptional,Optionally fill in one of match_route, match_domain.-Configure the domain name to match.
allowarray of stringRequired-For requests that meet the matching conditions, configure the name of the consumer that is allowed to access.

Warning:

  • If the _rules_ field is not configured, authentication will be enabled for all routes of the current gateway instance by default;
  • For a request that passes authentication, an X-Mse-Consumer field will be added to the request header to identify the name of the caller.

Example configuration

Enabled for specific routes or domains

The following configuration will enable Key Auth authentication and authentication for gateway-specific routes or domain names. Note that the credential field can not be repeated.

  1. consumers:
    - credential: 2bda943c-ba2b-11ec-ba07-00163e1250b5
    name: consumer1
    - credential: c8c8e9ca-558e-4a2d-bb62-e700dcc40e35
    name: consumer2
    keys:
    - apikey
    inquery: true
    # Use the _rules field for fine-grained rule configuration
    rules:
    # Rule 1: Match by route name to take effect
    - match_route:
    - route-a
    - route-b
    allow:
    - consumer1
    # Rule 2: Take effect by domain name matching
    - match_domain:
    - “*.example.com”
    - test.com
    allow:
    - consumer2

The route-a and route-b specified in _match_route_ in this example are the route names filled in when creating the gateway route. When these two routes are matched, calls whose name is consumer1 will be allowed Access by callers, other callers are not allowed to access;

*.example.com and test.com specified in _match_domain_ in this example are used to match the domain name of the request. When the domain name matches, the caller whose name is consumer2 will be allowed to access, and other calls access is not allowed.

Depending on this configuration, the following requests would allow access:

Assume that the following request will match the route-a route:

Set the API Key in the url parameter

Set the API Key in the http request header

  1. curl http://xxx.hello.com/test -H ‘x-api-key: 2bda943c-ba2b-11ec-ba07-00163e1250b5’

After the authentication is passed, an X-Mse-Consumer field will be added to the header of the request. In this example, its value is consumer1, which is used to identify the name of the caller.

The following requests will deny access:

The request does not provide an API Key, return 401

The API Key provided by the request is not authorized to access, return 401

The caller matched according to the API Key provided in the request has no access rights, return 403

  1. # consumer2 is not in the allow list of route-a

Gateway instance level enabled

The following configuration does not specify the _rules_ field, so Key Auth authentication will be enabled at the gateway instance level.

  1. consumers:
    - credential: 2bda943c-ba2b-11ec-ba07-00163e1250b5
    name: consumer1
    - credential: c8c8e9ca-558e-4a2d-bb62-e700dcc40e35
    name: consumer2
    keys:
    - apikey
    in_query: true

Error code

HTTP status codeError informationReason
401No API key found in request.API not provided by request Key.
401Request denied by Key Auth check. Invalid API key.Current API Key access is not allowed.
403Request denied by Basic Auth check. Unauthorized consumer.The requested caller does not have access.