在 API 网关中,身份认证 是保障接口安全的重要手段之一。Kong 作为主流 API 网关之一,提供了多种认证方式,其中 API Key Authentication 适用于 轻量级认证 场景。本文将详细介绍如何在 Kong 中启用 API Key 认证 并进行测试。
目录
- 1.1.1、环境准备
- 1.1.1.1、创建一个服务,key-auth-demo
- 1.1.1.2、创建对应的路由,key-auth-demo
- 1.1.1.3、测试环境
- 1.1.2、插件安装
- 1.1.2.1、在服务范围内安装
- 1.1.2.2、 在route范围内安装
- 1.1.2.3、 全局范围内安装
- 1.1.2、测试
- 1.1.3、环境清理
- 1.1.3.1、清除服务范围内的插件
- 1.1.3.2、清除route范围内的插件
- 1.1.3.2、清除全局范围内的插件
- 1.1.4、总结
1.1.1、环境准备
1.1.1.1、创建一个服务,key-auth-demo
curl -i -s -X POST http://localhost:8001/services \--data name=key-auth-demo \--data url='http://localhost:8080'
http://localhost:8080 端口是运行一个Go的服务,请求/hello将返回对应的数据。
将会返回数据:
Hello, kong,I'm runing at 8080!
1.1.1.2、创建对应的路由,key-auth-demo
curl -i -X POST http://localhost:8001/services/key-auth-demo/routes \--data 'paths[]=/key-auth-demo' \--data name=key-auth-demo
1.1.1.3、测试环境
[root@iZbp1ivu3yaedumdy0va2vZ kong]# curl http://localhost:8000/key-auth-demo/hello
Hello, kong,I'm runing at 8080!
看到如下输出,证明已经环境已经搭建OK。
1.1.2、插件安装
插件的相关文档为
https://docs.konghq.com/hub/kong-inc/key-auth/configuration/
1.1.2.1、在服务范围内安装
curl -X POST http://localhost:8001/services/{serviceName|Id}/plugins \--header "accept: application/json" \--header "Content-Type: application/json" \--data '{"name": "key-auth","config": {"key_names": ["apikey"]}
}示例:
curl -X POST http://localhost:8001/services/key-auth-demo/plugins \--header "accept: application/json" \--header "Content-Type: application/json" \--data '{"name": "key-auth","config": {"key_names": ["apikey"]}
}'{serviceName|Id} : 这里用要对哪个服务开启
name: 代表已启动的插件名
config: 插件对应的配置信息
返回的结果如下:
{"consumer": null,"config": {"hide_credentials": false,"key_in_header": true,"key_in_query": true,"key_in_body": false,"run_on_preflight": true,"key_names": ["apikey"],"realm": null,"anonymous": null},"name": "key-auth","instance_name": null,"protocols": ["grpc","grpcs","http","https"],"created_at": 1739512641,"updated_at": 1739512641,"enabled": true,"service": {"id": "ae557210-8f1f-415b-8549-3c973e495881"},"id": "8b8d48db-3a15-4a94-ba81-93a1f350702d","route": null,"tags": null
}
1.1.2.2、 在route范围内安装
curl -X POST http://localhost:8001/routes/{route_id_or_name}/plugins \--header "accept: application/json" \--header "Content-Type: application/json" \--data '{"name": "key-auth","config": {"key_names": ["apikey"]}
}'
实例
curl -X POST http://localhost:8001/routes/key-auth-demo/plugins \--header "accept: application/json" \--header "Content-Type: application/json" \--data '{"name": "key-auth","config": {"key_names": ["apikey"]}
}'1.1.2.3、 全局范围内安装
curl -X POST http://localhost:8001/plugins \--header "accept: application/json" \--header "Content-Type: application/json" \--data '{"name":"key-auth","enabled":true,"protocols":["grpc","grpcs","http","https"],"config":{"hide_credentials":false,"key_in_body":false,"key_in_header":true,"key_in_query":true,"key_names":["apikey"],"run_on_preflight":true}}'
1.1.2、测试
开启了kye-auth插件后,如果还是正常访问,将会返回401
[root@iZbp1ivu3yaedumdy0va2vZ ~]# curl -i http://localhost:8000/key-auth-demo/hello
HTTP/1.1 401 Unauthorized
Date: Fri, 14 Feb 2025 06:04:46 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
WWW-Authenticate: Key
Content-Length: 96
X-Kong-Response-Latency: 1
Server: kong/3.9.0
X-Kong-Request-Id: 3d24b81b896b1b3e6bcc626177e8ea3b{"message":"No API key found in request","request_id":"3d24b81b896b1b3e6bcc626177e8ea3b"
}
那么应该如何访问呢?
-
创建一个用户
curl -X POST http://localhost:8001/consumers -d username=key-auth-user -
给这个用户分配一个apiKey
curl -X POST http://localhost:8001/consumers/key-auth-user/key-auth \-d key=api_key_78954455
在请求头中携带apikey,或者在请求参数中携带apikey,如下所示:
[root@iZbp1ivu3yaedumdy0va2vZ ~]# curl -i -H "apikey:api_key_78954455" http://localhost:8000/key-auth-demo/hello
HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Content-Length: 31
Connection: keep-alive
Date: Fri, 14 Feb 2025 06:10:22 GMT
Server: kong/3.9.0
X-Kong-Upstream-Latency: 0
X-Kong-Proxy-Latency: 3
Via: 1.1 kong/3.9.0
X-Kong-Request-Id: e9e4eb0de1646867fcb3b810ef8d9570Hello, kong,I'm runing at 8080!curl -i http://localhost:8000/key-auth-demo/hello?apikey=api_key_78954455
[root@iZbp1ivu3yaedumdy0va2vZ ~]# curl -i http://localhost:8000/key-auth-demo/hello?apikey=api_key_78954455
HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Content-Length: 31
Connection: keep-alive
Date: Fri, 14 Feb 2025 06:13:40 GMT
Server: kong/3.9.0
X-Kong-Upstream-Latency: 1
X-Kong-Proxy-Latency: 1
Via: 1.1 kong/3.9.0
X-Kong-Request-Id: cbfd604c2e274833e2baa77dfe322938Hello, kong,I'm runing at 8080!
1.1.3、环境清理
1.1.3.1、清除服务范围内的插件
- 获取服务范围内的插件
curl -X GET http://localhost:8001/services/key-auth-demo/plugins{"data": [{// ..."id": "8b8d48db-3a15-4a94-ba81-93a1f350702d",// ...}],"next": null
}
这里我我记录想要删除id是啥,到下一步请求的时候需要使用。
-
删除指定的插件
curl -X DELETE http://localhost:8001/services/key-auth-demo/plugins/8b8d48db-3a15-4a94-ba81-93a1f350702d身份认证插件清除后,不适用apiKey也能进行访问了。
1.1.3.2、清除route范围内的插件
-
获取route范围内的插件
curl -X GET http://localhost:8001/routes/key-auth-demo/plugins{"data": [{// ..."id": "22245c50-f2d1-42c8-b4aa-090414e763d3",// ...}],"next": null } -
删除指定的插件
curl -X DELETE http://localhost:8001/routes/key-auth-demo/plugins/22245c50-f2d1-42c8-b4aa-090414e763d3
1.1.3.2、清除全局范围内的插件
- 获取全局范围内的插件
curl -X GET http://localhost:8001/plugins
返回结果,省略部分数据
{"data": [{"id": "5ebe8f78-41b0-4ae6-a21c-4e69f97d419c",}],"next": null
}
- 删除指定的插件
curl -X DELETE http://localhost:8001/plugins/5ebe8f78-41b0-4ae6-a21c-4e69f97d419c1.1.4、总结
基于 API Key Authentication 的插件非常适合需要快速、轻量认证的场景,尤其在以下情况下表现尤为出色:
- 提供开放 API 给开发者或第三方系统。
- 简单的客户端认证,尤其在移动应用和 Web 应用中。
- 管理和限制不同用户、客户端或服务的访问权限。
- 配合流量控制插件(如 Rate Limiting)使用,避免过度请求。
虽然 API 密钥认证简单易用,但它的安全性相对较低,尤其是在传输过程中密钥可能会被泄露。
因此,常常配合 HTTPS 使用,以保证通信的安全。