Key Authentication
Features
The key-auth
plug-in implements the authentication function based on the API Key, supports parsing the API Key from the URL parameter or request header of the HTTP request, and verifies whether the API Key has permission to access.
Configuration field
Name | Data Type | Parameter requirements | Default | Description |
---|---|---|---|---|
consumers | array of object | Required | - | Configure the caller of the service to authenticate the request. |
keys | array of string | Required | - | The name of the source field of the API Key, which can be a URL parameter or an HTTP request header name. |
inquery | bool | At least one of in_query and in_header must be true. | true | When configured true, the gateway will try to parse the API Key from the URL parameters. |
in_header | bool | The same as above. | true | The same as above. |
_rules | array of object | Optional | - | Configure the access list of a specific route or domain name for authenticating requests. |
The configuration fields of each item in consumers
are described as follows:
Name | Data Type | Parameter requirements | Default | Description |
---|---|---|---|---|
credential | string | Required | - | Configure the consumer’s access credentials. |
name | string | Required | - | Configure the name of the consumer. |
The configuration fields of each item in _rules_
are described as follows:
Name | Data Type | Parameter requirements | Default | Description |
---|---|---|---|---|
match_route | array of string | Optional,Optionally fill in one of match_route , match_domain . | - | Configure the route name to match. |
match_domain | array of string | Optional,Optionally fill in one of match_route , match_domain . | - | Configure the domain name to match. |
allow | array of string | Required | - | For requests that meet the matching conditions, configure the name of the consumer that is allowed to access. |
Warning:
- If the
_rules_
field is not configured, authentication will be enabled for all routes of the current gateway instance by default; - For a request that passes authentication, an
X-Mse-Consumer
field will be added to the request header to identify the name of the caller.
Example configuration
Enabled for specific routes or domains
The following configuration will enable Key Auth authentication and authentication for gateway-specific routes or domain names. Note that the credential
field can not be repeated.
The route-a
and route-b
specified in _match_route_
in this example are the route names filled in when creating the gateway route. When these two routes are matched, calls whose name
is consumer1
will be allowed Access by callers, other callers are not allowed to access;
*.example.com
and test.com
specified in _match_domain_
in this example are used to match the domain name of the request. When the domain name matches, the caller whose name
is consumer2
will be allowed to access, and other calls access is not allowed.
Depending on this configuration, the following requests would allow access:
Assume that the following request will match the route-a route:
Set the API Key in the url parameter
Set the API Key in the http request header
After the authentication is passed, an X-Mse-Consumer
field will be added to the header of the request. In this example, its value is consumer1
, which is used to identify the name of the caller.
The following requests will deny access:
The request does not provide an API Key, return 401
The API Key provided by the request is not authorized to access, return 401
The caller matched according to the API Key provided in the request has no access rights, return 403
Gateway instance level enabled
The following configuration does not specify the _rules_
field, so Key Auth authentication will be enabled at the gateway instance level.
Error code
HTTP status code | Error information | Reason |
---|---|---|
401 | No API key found in request. | API not provided by request Key. |
401 | Request denied by Key Auth check. Invalid API key. | Current API Key access is not allowed. |
403 | Request denied by Basic Auth check. Unauthorized consumer. | The requested caller does not have access. |