API Management - Setting Up Key-Based Authentication

We’ve discussed API Management and setting up the Service and API Endpoints. As long-time champions of all the ways you could be using an API Gateway, we’re going to walk through how to take the next step with API Management and set up your authentication.

To recap, the features of an API Gateway are often grouped into three broad categories:

  • Authentication: who is allowed to access (Access Control)
  • Authorization: who is allowed to perform operations on the exposed APIs (Permissions / Privileges)
  • Audit: recording sufficient information about each client request for later analysis

Here’s a quick diagram of what that looks like:

API Management in the Enterprise

How does all of this work together? We’ve written a step-by-step guide to setting up key-based authentication with Express Serverless Platform, with API Management best practices along the way.

How To Set Up Key-Based Authentication

To enable key-based authentication, we recommend adding two policies to the pipeline, in this order:

  • key-auth, and
  • proxy

Check it out:

Setting Up Authentication

Now we will connect our Service Endpoint to the pipeline just created. The first time we do so, an API Endpoint will be automatically created in the ‘Public’ quadrant and connected to the Gateway. This creates an end-to-end request path from the API Endpoint to the back-end service.

 


The API Endpoint expects a path to be specified. Here we have specified the path ‘/now’.

So when a request arrives at the Express Serverless Platform for the URL /now, it is routed to /now on the back-end service, and the response comes from that service.

Testing: the API endpoint should now be accessible to an authenticated user.

First let us simply access it without supplying credentials for key-based authentication.

 


We get a message ‘Unauthorized’, which is expected.

Now we access the API as user ‘bob’. We will receive a response from the back-end service indicating the current UTC time. To send the key-based authentication credentials, the request should look like this (the endpoint URL is a placeholder for your own API Endpoint):

curl -H "Authorization: apiKey ${keyId}:${keySecret}" https://<your-api-endpoint>/now

 


User ‘alice’ is able to access the API in the same way, using her own key.

 


Pro Tip: API keys should only be sent over HTTPS, so that they cannot be intercepted on the wire. Note that Express Serverless Platform by default creates API Endpoints that are secured using HTTPS.

 

If you’re interested in more of these topics, join the live discussion on twitter @lunchbadger or @express_gateway.

   
