Getting Started With Application Authentication Via Kong API Gateway

29 / Jul / 2016 by Tarun Saxena


Kong is an open-source, customizable, scalable, Nginx-based API middleware (API gateway). Kong can be configured in front of any RESTful API and lets developers concentrate on implementing business logic rather than cross-cutting concerns such as authentication, rate limiting, logging, internal communication between APIs, and communication with public entities and other organizations. It is like a security layer that sits in front of your application and enhances its performance. Kong gives full control over the architecture, is currently used by many organizations, small and large, and can be extended with many functionalities via plugins, which makes it easily customizable.

Once you integrate Kong within your architecture, you have full control over Kong's data. It is built on Nginx and uses a robust database, Apache Cassandra or PostgreSQL. It also provides an admin interface to manage your APIs. You can scale Kong as per your requirements: stateless Kong servers talk to a single Cassandra or PostgreSQL database and all behave in the same manner. Client applications talk to Kong, which acts as a reverse proxy and routes requests to the applications on the basis of the plugins managed in Kong.


Below is an illustration of integrating a RESTful API with Kong:
Requirements:
OS: Ubuntu 14.04
Kong version: 0.8.3
Single-node Cassandra database version: 2.2.7

Note: Kong, by default, listens for API requests on port 8000, and its RESTful admin interface runs on port 8001.

Step 1: Adding an API to Kong:

curl -i -X POST \
  --url http://localhost:8001/apis/ \
  --data 'name=app' \
  --data 'upstream_url=http://xxxxxxxxxx.com/' \
  --data 'request_host=xxxxxxxxxx.com'

HTTP/1.1 201 Created
Date: Thu, 28 Jul 2016 03:33:39 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.8.3

{"upstream_url":"http:\/\/xxxxxxxxxx.com\/","strip_request_path":false,"id":"f4cf8a4e-88fd-49f1-85d2-1dbaae256547","created_at":1469676819000,"preserve_host":false,"name":"app","request_host":"xxxxxxxxxx.com"}

Step 2: Accessing API via Kong:

curl -i -X GET \
  --url http://localhost:8000/heartbeat \
  --header 'Host: xxxxxxxxxx.com'

HTTP/1.1 200 OK
Date: Thu, 28 Jul 2016 03:36:21 GMT
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: nginx/1.4.6 (Ubuntu)
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST, PUT, GET, OPTIONS, DELETE
Access-Control-Max-Age: 3600
Access-Control-Allow-Headers: Content-Type, x-requested-with, Content-Country , Content-Region, X-Auth-Token, Region, content-country, content-region, x-auth-token, region
X-Kong-Upstream-Latency: 9
X-Kong-Proxy-Latency: 0
Via: kong/0.8.3

{"CommitMessage":"hooks dependency removed","CommitId":"c003fe573436d3cee33c5753fd8ca7b12e08f1b8","mysql_status":200,"status":200,"home_hazelcast_status":200,"CommitAuthor":"yyyy ","Version":"qa-12.3.4","CommitMerge":"","CommitDate":"Fri Jul 15 14:43:04 2016 +0530"}

Step 3: Enabling authentication plugin in Kong:

curl -i -X POST \
  --url http://localhost:8001/apis/app/plugins/ \
  --data 'name=key-auth'

HTTP/1.1 201 Created
Date: Thu, 28 Jul 2016 03:37:58 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.8.3

{"api_id":"f4cf8a4e-88fd-49f1-85d2-1dbaae256547","id":"4e951c2e-3c24-4b23-95bb-13c96769ef6f","created_at":1469677078000,"enabled":true,"name":"key-auth","config":{"key_names":["apikey"],"hide_credentials":false}}

Step 4: Accessing API via Kong after enabling key-auth plugin:

curl -i -X GET \
  --url http://localhost:8000/ \
  --header 'Host: xxxxxxxxxx.com'

HTTP/1.1 401 Unauthorized
Date: Thu, 28 Jul 2016 03:39:11 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
WWW-Authenticate: Key realm="kong"
Server: kong/0.8.3

{"message":"No API Key found in headers, body or querystring"}

As a result, Kong blocks every request that carries no credential. Now we have to add an authorized consumer to Kong in order to access the application.

Step 5: Creating an authorized Consumer to access the API via Kong:

curl -i -X POST \
  --url http://localhost:8001/consumers/ \
  --data "username=myuser"

HTTP/1.1 201 Created
Date: Thu, 28 Jul 2016 03:41:40 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.8.3

{"username":"myuser","created_at":1469677300000,"id":"364ae246-2965-43f5-b424-68d6b1dfe681"}

Step 6: Creating an api-key for authorized Consumer:

curl -i -X POST \
  --url http://localhost:8001/consumers/myuser/key-auth/ \
  --data 'key=mykey'

HTTP/1.1 201 Created
Date: Thu, 28 Jul 2016 03:42:52 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.8.3

{"key":"mykey","consumer_id":"364ae246-2965-43f5-b424-68d6b1dfe681","created_at":1469677372000,"id":"5c682d7c-8a62-473b-92a4-1127eb3a2d09"}

Step 7: Validating the above set credentials for authorized Consumer:

curl -i -X GET \
  --url http://localhost:8000/heartbeat \
  --header "Host: xxxxxxxxxx.com" \
  --header "apikey: mykey"

HTTP/1.1 200 OK
Date: Thu, 28 Jul 2016 03:45:07 GMT
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: nginx/1.4.6 (Ubuntu)
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST, PUT, GET, OPTIONS, DELETE
Access-Control-Max-Age: 3600
Access-Control-Allow-Headers: Content-Type, x-requested-with, Content-Country , Content-Region, X-Auth-Token, Region, content-country, content-region, x-auth-token, region
X-Kong-Upstream-Latency: 9
X-Kong-Proxy-Latency: 0
Via: kong/0.8.3

{"CommitMessage":"hooks dependency removed","CommitId":"c003fe573436d3cee33c5753fd8ca7b12e08f1b8","mysql_status":200,"status":200,"home_hazelcast_status":200,"CommitAuthor":"yyyy ","Version":"qa-12.3.4","CommitMerge":"","CommitDate":"Fri Jul 15 14:43:04 2016 +0530"}

Step 8: Kong blocking requests for unauthorized Consumer:

curl -i -X GET \
  --url http://localhost:8000/heartbeat \
  --header "Host: xxxxxxxxxx.com" \
  --header "apikey: mykeynew"

HTTP/1.1 403 Forbidden
Date: Thu, 28 Jul 2016 03:51:14 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: kong/0.8.3

{"message":"Invalid authentication credentials"}

In this way, we can do API authentication via Kong, keeping the backend application lightweight and focused only on the product while Kong handles all the other services around the application.
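To make the decision flow behind steps 2 to 8 explicit, here is a small Python model of what Kong does on port 8000 for the "app" API. It is an added example written for this post, not Kong's own code: the Host-based routing from step 1, the plugin config returned in step 3 (key_names and hide_credentials), the lookup order header / query string / form body, and the 401-versus-403 split from steps 4 and 8 are taken from the responses shown above, while the datastore is replaced by dicts, the 404 branch for an unknown Host is an assumption, and the upstream /heartbeat handler is stood in for by an echo of what it would receive. Two things the post's output does not spell out are worth seeing in code: with hide_credentials left at false (the default in step 3) the API key is forwarded to the backend, and a key supplied in the query string is equally accepted, which is why production keys should be generated rather than chosen (Kong generates a random key when the key field in step 6 is omitted) and hide_credentials should normally be enabled.

```python
"""Model of Kong's key-auth decision flow for the 'app' API above.

Added example, not Kong's own code. Routing by Host, the key lookup order
(header, then query string, then form body), the key_names and
hide_credentials options and the 401/403 split follow the behaviour shown in
steps 2-8; the data store is replaced by dicts and the 404 branch is assumed.
"""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit


@dataclass
class Request:
    url: str
    headers: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)  # parsed form body, if any


@dataclass
class Response:
    status: int
    body: dict
    headers: dict = field(default_factory=dict)


# Constructed data standing in for Kong's datastore (values from the post).
APIS = {"xxxxxxxxxx.com": "app"}                                          # step 1
PLUGINS = {"app": {"key_names": ["apikey"], "hide_credentials": False}}  # step 3
CREDENTIALS = {"mykey": "myuser"}                                          # steps 5-6


def find_key(req: Request, key_names) -> tuple[Optional[str], Optional[str], Optional[str]]:
    """Locate the first configured key name; returns (value, name, location)."""
    headers = {k.lower(): v for k, v in req.headers.items()}  # header names are case-insensitive
    query = parse_qs(urlsplit(req.url).query)
    for name in key_names:
        if name.lower() in headers:
            return headers[name.lower()], name, "header"
        if name in query:
            return query[name][0], name, "query"
        if name in req.body:
            return req.body[name], name, "body"
    return None, None, None


def remove_key(req: Request, name: str, location: str) -> None:
    """hide_credentials=true: strip the key so the upstream never sees it."""
    if location == "header":
        for k in [k for k in req.headers if k.lower() == name.lower()]:
            del req.headers[k]
    elif location == "query":
        parts = urlsplit(req.url)
        query = parse_qs(parts.query)
        query.pop(name, None)
        req.url = urlunsplit(parts._replace(query=urlencode(query, doseq=True)))
    else:
        req.body.pop(name, None)


def proxy(req: Request, apis=APIS, plugins=PLUGINS, credentials=CREDENTIALS) -> Response:
    """What the gateway does on :8000 for one incoming request."""
    api = apis.get(req.headers.get("Host", ""))
    if api is None:  # assumed: no API matches this Host
        return Response(404, {"message": "API not found"})
    config = plugins.get(api)
    if config is not None:  # key-auth is enabled on this API
        key, name, location = find_key(req, config["key_names"])
        if key is None:  # step 4: no credential at all
            return Response(401, {"message": "No API Key found in headers, body or querystring"},
                            {"WWW-Authenticate": 'Key realm="kong"'})
        consumer = credentials.get(key)
        if consumer is None:  # step 8: credential present but unknown
            return Response(403, {"message": "Invalid authentication credentials"})
        if config["hide_credentials"]:
            remove_key(req, name, location)
        req.headers["X-Consumer-Username"] = consumer  # identity handed to the upstream
    # Stand-in for the upstream /heartbeat handler: echo what it would receive.
    return Response(200, {"status": 200, "url": req.url, "headers": dict(req.headers)})


if __name__ == "__main__":
    for hdrs in ({"Host": "xxxxxxxxxx.com"},                        # step 4 -> 401
                 {"Host": "xxxxxxxxxx.com", "apikey": "mykey"},     # step 7 -> 200
                 {"Host": "xxxxxxxxxx.com", "apikey": "mykeynew"}): # step 8 -> 403
        r = proxy(Request("http://localhost:8000/heartbeat", dict(hdrs)))
        print(r.status, r.body)
```

Run it as a script to see the three status codes from steps 4, 7 and 8 in order; pass a plugins dict with hide_credentials set to True to observe the key being removed from the forwarded request.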

In my next blog, I’ll be demonstrating some advanced use-cases with Kong API Gateway.
