What is API gateway authentication?
An API gateway is a software layer that sits between your backend services and your API clients. It acts as a reverse proxy, routing requests from clients to your backend services and returning the responses back to the client.
One common use case for an API gateway is to provide an additional layer of security for your backend services. This can be achieved through various forms of authentication, including user-password credentials, key-based authentication, LDAP, and authentication protocols like OAuth or OIDC.
Why is API gateway authentication important?
APIs provide a mechanism for clients to request and receive data from endpoints. They can be used by human users or hardware devices. API gateway authentication is important because it helps to ensure that only authorized clients are able to access the microservices behind the API gateway. This can help to protect sensitive data and resources from unauthorized access and to ensure that client requests are properly authorized to access the resources they are requesting.
Authentication is important for both internal and external APIs. Internal APIs can use authentication to implement fine-grained access control over the microservices, allowing for more secure and controlled access to resources.
For external APIs, authentication is critical because it helps to ensure that only authorized external clients, such as web and mobile apps, are able to access the resources they need. This helps to protect the API and its underlying resources from unauthorized access, data breaches, and denial of service attacks, which can be initiated by unauthorized clients. External APIs can use authentication to implement access controls, track usage and monitor how resources are being consumed, which can aid in compliance and security incident investigations.
5 API gateway authentication strategies
Basic API authentication
Basic authentication is a simple authentication scheme built into the HTTP protocol. With basic authentication, a client sends an HTTP request with a username and password encoded in base64. Typically, the API gateway validates the username and password against a predefined list of users and passwords.
API key authentication
With API key authentication, a client includes a unique key in the request header or as a query parameter, and the API gateway checks that the key is valid. API keys can be generated and managed by the API provider or by an external system like a token management service. This approach is useful for HTTP APIs.
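As an added illustration (not code from the original article), a minimal gateway-side check for the two schemes just described, plus the client-side Basic header encoding. The credential store, user, password and API key below are constructed for the example.

```python
import base64
import hashlib
import hmac
import os

# Constructed credential store for this example, not a real gateway's. Passwords
# are kept as salted PBKDF2 hashes and API keys as SHA-256 digests, so a leaked
# store cannot simply be replayed against the gateway.
def _pw_record(password):
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

USERS = {"alice": _pw_record("correct horse battery staple")}
API_KEYS = {hashlib.sha256(b"constructed-key-123").hexdigest(): "partner-app"}

def basic_header(user, password):
    """Client side (RFC 7617): base64 is encoding, not encryption, so this
    header is only safe to send over TLS."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def authenticate(headers, query):
    """Gateway side: return the principal name, or None if nothing verifies.
    `headers` uses lower-cased names; `query` holds the parsed query string."""
    scheme, _, value = headers.get("authorization", "").partition(" ")
    if scheme.lower() == "basic":
        try:
            user, _, password = base64.b64decode(value, validate=True).decode().partition(":")
        except ValueError:  # not valid base64, or not UTF-8
            return None
        salt, stored = USERS.get(user, (b"\0" * 16, b"\0" * 32))
        # Hash even for unknown users so response time does not reveal whether the
        # account exists; compare_digest avoids a timing leak on the hash itself.
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return user if user in USERS and hmac.compare_digest(stored, candidate) else None
    key = headers.get("x-api-key") or query.get("api_key")
    if not key:
        return None
    # Keys in query strings end up in access logs and browser history, so the
    # header form is preferred. Look up by digest so the store holds no raw keys.
    return API_KEYS.get(hashlib.sha256(key.encode()).hexdigest())
```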
LDAP authentication
LDAP (Lightweight Directory Access Protocol) is a widely used protocol for storing and querying authentication information. With LDAP authentication, the API gateway can validate client credentials by checking them against an LDAP server, which acts as a central repository for user information. This can be useful in situations where you want to authenticate clients against an existing corporate user directory.
OAuth 2.0
OAuth 2.0 is a widely used standard for delegating access to resources. With OAuth 2.0, a client obtains an access token from an authorization server and then includes that token in each subsequent request to the API gateway. The API gateway validates the token and determines the client’s level of access from it. This is useful when you want to give third-party apps or services limited access to your API. Note that a bearer token grants access to whoever presents it, so OAuth 2.0 only works over HTTPS: the token must never be sent in the clear.
OpenID Connect (OIDC)
OpenID Connect (OIDC) is a widely used standard built on top of OAuth 2.0. It provides a way to authenticate clients and obtain user information in a single request. With OpenID Connect, a client obtains an ID token from an authorization server, in addition to an access token, which can be used to authenticate the client and access user information. OpenID Connect can be useful in situations where you want to obtain user information in addition to authenticating clients.
Examples of API gateway authentication
How authentication works in AWS API Gateway
Amazon Web Services (AWS) API Gateway is a fully managed service that makes it easy to create, publish, maintain, monitor, and secure APIs at any scale. With API Gateway, you can create RESTful, HTTP, and WebSocket APIs, as well as define custom domain names and create custom authorizers for your APIs.
In AWS API Gateway, authentication and authorization can be done at different levels of your API:
- Resource policies: These specify which clients are authorized to access an API Gateway resource. They can be associated with specific resource methods or with the entire resource. A resource policy is a JSON document that defines a set of conditions that must be met for a request to be authorized.
- AWS IAM roles and policies: These are used to control access to AWS resources and services. In the context of API Gateway, an IAM role can be associated with an API Gateway resource, and a policy can be used to define the actions that are allowed or denied for that role. This can be useful when you want to authenticate clients against an existing set of IAM users and roles.
- Endpoint policies: These control access to the backend services that an API Gateway resource calls. They are associated with the backend service’s endpoint, and can be used to specify conditions that must be met for a request to be authorized.
- Lambda authorizers: These are AWS Lambda functions that are used to control access to an API Gateway resource. They are invoked by API Gateway to authenticate and authorize incoming requests.
- Amazon Cognito user pools: These provide user directory services for mobile and web applications. They can be used to authenticate and authorize clients for API Gateway, by validating the user credentials against the user directory and returning an access token. User pools also support multi-factor authentication, which can increase the security of your API.
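The token validation described under OAuth 2.0 and OpenID Connect above, wired into the Lambda authorizer shape listed here, as an added example that is not part of the original article or of AWS's own code. It assumes an HS256 shared secret (a placeholder standing in for real issuer keys) and a constructed audience value; the `authorizationToken`/`methodArn` input and the IAM policy output follow the TOKEN authorizer contract.

```python
import base64, hashlib, hmac, json, time

# Assumed HS256 secret, a placeholder for the example; a real authorizer would
# verify RS256 tokens against the issuer's published (JWKS) keys.
JWT_SECRET = b"placeholder-secret-not-for-production"
EXPECTED_AUD = "orders-api"  # constructed audience the gateway protects

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_test_jwt(sub, ttl=3600, aud=EXPECTED_AUD):  # stands in for the auth server
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url_encode(json.dumps({"sub": sub, "aud": aud, "exp": int(time.time()) + ttl}).encode())
    sig = hmac.new(JWT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_jwt(token):
    """Return the claims if alg, signature, exp and aud all check out, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        sig = _b64url_decode(s)
    except ValueError:  # wrong shape, bad base64 or malformed JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None  # pin the algorithm: rejects "none" and key-confusion tokens
    expected = hmac.new(JWT_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if claims.get("exp", 0) <= time.time() or claims.get("aud") != EXPECTED_AUD:
        return None
    return claims

def _policy(principal, effect, resource):
    return {"principalId": principal, "policyDocument": {"Version": "2012-10-17", "Statement": [
        {"Action": "execute-api:Invoke", "Effect": effect, "Resource": resource}]}}

def lambda_handler(event, context=None):
    """TOKEN-type Lambda authorizer entry point."""
    scheme, _, token = event.get("authorizationToken", "").partition(" ")
    if scheme != "Bearer" or not token:
        raise Exception("Unauthorized")  # API Gateway maps this to HTTP 401
    claims = verify_jwt(token)
    if claims is None:
        return _policy("anonymous", "Deny", event["methodArn"])  # results in HTTP 403
    return _policy(claims["sub"], "Allow", event["methodArn"])
```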
How authentication works in Azure API Management (APIM)
Azure API Management (APIM) is a fully managed service offered by Microsoft on the Azure platform. APIM allows organizations to create, publish, secure, and monitor APIs. It is designed to help organizations publish their APIs to external, internal, and partner developers securely and at scale.
APIM provides a set of functionalities that enable organizations to create, secure, and manage their APIs, including with authentication. For example, it provides a developer portal that allows developers to discover, learn about, and consume the organization’s APIs. The portal includes documentation, code samples, and interactive testing tools.
Azure API Management can be integrated with Azure Active Directory (Azure AD) for more advanced authentication and authorization scenarios. Azure Active Directory is a multi-tenant cloud-based directory and identity management service.
When you integrate Azure AD with APIM, you can use Active Directory as the identity provider for your APIs, which means that clients can authenticate themselves using their Azure AD credentials. This can be useful in situations where you want to authenticate clients against an existing corporate user directory or want to add multi-factor authentication capabilities to your APIs.
Enhanced API Gateway authentication with Solo Gloo Gateway
Solo Gloo Gateway provides a robust set of authentication technologies:
- OpenID Connect (OIDC)
- Custom Auth to use your own auth service and custom auth logic
- Basic Auth
- Mutual TLS
- JSON Web Tokens (JWT)
Architecturally, Gloo uses an auth server to verify the user and their access. Gloo provides an auth server that can support OpenID Connect and basic use cases but also allows you to use your own auth server to implement custom logic.