
API gateway authentication

5 strategies and real life examples

What is API gateway authentication?


An API gateway is a software layer that sits between your backend services and your
API clients. It acts as a reverse proxy, routing requests from clients to your
backend services and returning the responses back to the client.

One common use case for an API gateway is to provide an additional layer of
security for your backend services. This can be achieved through various forms of
authentication, including user-password credentials, key-based authentication,
LDAP, and authentication protocols like OAuth or OIDC.


Why is API gateway authentication important?


APIs provide a mechanism for clients to request and receive data from endpoints.
They can be used by human users or hardware devices. API gateway authentication is
important because it helps to ensure that only authorized clients are able to
access the microservices behind the API gateway. This can help to protect sensitive
data and resources from unauthorized access and to ensure that client requests are
properly authorized to access the resources they are requesting.

Authentication is important for both internal and external APIs. Internal APIs can
use authentication to implement fine-grained access control over the microservices,
allowing for more secure and controlled access to resources.

For external APIs, authentication is critical because it helps to ensure that only
authorized external clients, such as web and mobile apps, are able to access the
resources they need. This helps to protect the API and its underlying resources
from unauthorized access, data breaches, and denial of service attacks, which can
be initiated by unauthorized clients. External APIs can use authentication to
implement access controls, track usage and monitor how resources are being
consumed, which can aid in compliance and security incident investigations.

5 API gateway authentication strategies


Basic API authentication
Basic authentication is a simple authentication scheme built into the HTTP
protocol. With basic authentication, the client sends an HTTP request carrying a
username and password, base64-encoded (not encrypted), in the Authorization
header. Typically, the API gateway validates the username and password against a
predefined list of users and passwords.

Key-based authentication
With API key authentication, a client includes a unique key in the request header
or as a query parameter, and the API gateway checks that the key is valid. API keys
can be generated and managed by the API provider or by an external system like a
token management service. This approach is useful for HTTP APIs.
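An added example, not code from the original article, of how a gateway could implement the basic and key-based checks described above in Python. The header name X-API-Key, the query parameter api_key and the stored credentials are constructed assumptions.

```python
import base64
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qs

# Constructed credential store. Secrets are kept only as SHA-256 digests, so a
# leaked store does not hand out usable passwords or keys.
def _digest(secret: str) -> bytes:
    return hashlib.sha256(secret.encode()).digest()

USERS = {"alice": _digest("s3cret")}                 # basic-auth user -> password digest
API_KEYS = {_digest("key-abc123"): "svc-billing"}    # key digest -> client identity

def authenticate(headers: dict, query_string: str = "") -> Optional[str]:
    """Return the authenticated principal, or None if the request is rejected.

    Tries 'Authorization: Basic ...' first, then an API key in the X-API-Key
    header or the api_key query parameter (both names are assumptions; header
    names are expected in canonical form).
    """
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            # Base64 is an encoding, not encryption; strict decoding rejects junk.
            decoded = base64.b64decode(auth[len("Basic "):], validate=True).decode()
        except ValueError:            # binascii.Error and UnicodeDecodeError
            return None
        user, _, password = decoded.partition(":")
        stored = USERS.get(user)
        # Constant-time comparison so response timing does not leak how much of
        # the password matched; an unknown user is compared against a dummy digest.
        ok = hmac.compare_digest(_digest(password), stored or _digest(""))
        return user if stored is not None and ok else None
    key = headers.get("X-API-Key")
    if key is None:
        key = parse_qs(query_string).get("api_key", [None])[0]
    if key is None:
        return None
    # Look the presented key up by its digest; the raw key is never stored.
    return API_KEYS.get(_digest(key))
```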

LDAP authentication
LDAP (Lightweight Directory Access Protocol) is a widely used protocol for storing
and querying authentication information. With LDAP authentication, the API gateway
can validate client credentials by checking them against an LDAP server, which acts
as a central repository for user information. This can be useful in situations
where you want to authenticate clients against an existing corporate user
directory.

OAuth authentication
OAuth 2.0 is a widely used standard for delegating access to resources. With OAuth
2.0, a client obtains an access token from an authorization server, and then
includes that token in each subsequent request to the API gateway. The API gateway
can then validate the token and determine the client’s level of access. This can be
useful in situations where you want to give third-party apps or services limited
access to your API. However, it only works with HTTPS requests.

OIDC authentication
OpenID Connect (OIDC) is a widely used standard built on top of OAuth 2.0. It
provides a way to authenticate clients and obtain user information in a single
request. With OpenID Connect, a client obtains an ID token from an authorization
server, in addition to an access token, which can be used to authenticate the
client and access user information. OpenID Connect can be useful in situations
where you want to obtain user information in addition to authenticating clients.
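An added example, not code from the article, of the gateway-side validation of a bearer token issued by an authorization server, which is the check both the OAuth 2.0 and OIDC strategies above rely on. It assumes an HS256 shared secret so it runs stand-alone on the standard library (production gateways usually verify asymmetric signatures against the issuer's published keys); mint_token stands in for the authorization server, and the issuer, audience and secret are constructed values.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def mint_token(claims: dict, secret: bytes) -> str:
    """Stand-in for the authorization server: issue an HS256-signed JWT."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def validate_token(token: str, secret: bytes, issuer: str, audience: str,
                   now: Optional[float] = None) -> Optional[dict]:
    """Gateway-side check of a bearer token. Returns the claims if signature,
    algorithm, issuer, audience and expiry all check out, otherwise None."""
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        claims = json.loads(_b64url_decode(p64))
        sig = _b64url_decode(s64)
    except ValueError:                 # malformed structure, base64 or JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    # Pin the algorithm the gateway was configured for; the token's own header
    # is untrusted input and must not decide how the token gets verified.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]   # RFC 7519: string or list
    if claims.get("iss") != issuer or audience not in aud:
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    return claims
```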

Enhanced API Gateway authentication with Solo Gloo Gateway


Solo Gloo Gateway provides a robust set of authentication technologies:

OpenID Connect (OIDC)
Custom Auth to use your own auth service and custom auth logic
Basic Auth
Mutual TLS
JSON Web Tokens (JWT)

Architecturally, Gloo Gateway uses an auth server to verify the user and their
access. It provides an auth server that can support OpenID Connect and basic use
cases but also allows you to use your own auth server to implement custom logic.
