What is API gateway authentication?
An API gateway is a software layer that sits between your backend services and your API clients. It acts as a reverse proxy, routing requests from clients to your backend services and returning the responses back to the client.
One common use case for an API gateway is to provide an additional layer of security for your backend services. This can be achieved through various forms of authentication, including user-password credentials, key-based authentication, LDAP, and authentication protocols like OAuth or OIDC.
Read more about API gateways in a cloud native world
Why is API gateway authentication important?
APIs provide a mechanism for clients to request and receive data from endpoints. They can be used by human users or hardware devices. API gateway authentication is important because it helps to ensure that only authorized clients are able to access the microservices behind the API gateway. This can help to protect sensitive data and resources from unauthorized access and to ensure that client requests are properly authorized to access the resources they are requesting.
Authentication is important for both internal and external APIs. Internal APIs can use authentication to implement fine-grained access control over the microservices, allowing for more secure and controlled access to resources.
For external APIs, authentication is critical because it helps to ensure that only authorized external clients, such as web and mobile apps, are able to access the resources they need. This helps to protect the API and its underlying resources from unauthorized access, data breaches, and denial of service attacks, which can be initiated by unauthorized clients. External APIs can use authentication to implement access controls, track usage and monitor how resources are being consumed, which can aid in compliance and security incident investigations.
5 API gateway authentication strategies
Basic API authentication
Basic authentication is a simple authentication scheme built into the HTTP protocol. With basic authentication, a client sends an HTTP request with a username and password encoded in base64. Typically, the API gateway validates the username and password against a predefined list of users and passwords.
Key-based authentication
With API key authentication, a client includes a unique key in the request header or as a query parameter, and the API gateway checks that the key is valid. API keys can be generated and managed by the API provider or by an external system like a token management service. This approach is useful for HTTP APIs.
LDAP authentication
LDAP (Lightweight Directory Access Protocol) is a widely used protocol for storing and querying authentication information. With LDAP authentication, the API gateway can validate client credentials by checking them against an LDAP server, which acts as a central repository for user information. This can be useful in situations where you want to authenticate clients against an existing corporate user directory.
OAuth authentication
OAuth 2.0 is a widely used standard for delegating access to resources. With OAuth 2.0, a client obtains an access token from an authorization server, and then includes that token in each subsequent request to the API gateway. The API gateway can then validate the token and determine the client’s level of access. This can be useful in situations where you want to give third-party apps or services limited access to your API. However, it only works with HTTPS requests.
OIDC authentication
OpenID Connect (OIDC) is a widely used standard built on top of OAuth 2.0. It provides a way to authenticate clients and obtain user information in a single request. With OpenID Connect, a client obtains an ID token from an authorization server, in addition to an access token, which can be used to authenticate the client and access user information. OpenID Connect can be useful in situations where you want to obtain user information in addition to authenticating clients.
Enhanced API Gateway authentication with Solo Gloo Gateway
Solo Gloo Gateway provides a robust set of authentication technologies:
- OpenID Connect (OIDC)
- Custom Auth to use your own auth service and custom auth logic
- Basic Auth
- Mutual TLS
- JSON Web Tokens (JWT)
Architecturally, Gloo Gateway uses an auth server to verify the user and their access. It provides an auth server that can support OpenID Connect and basic use cases but also allows you to use your own auth server to implement custom logic.
More details about authentication within Gloo Gateway can be found here and here.