Change Upstream Authentication i.e. have different authentication for consumers and upstreams

[e-sharifi]

Hi everyone
is it possible to change upstream authentication in apisix? i.e. have different authentication method for consumers and upstream service. e.g. my upstream api authentication is apikey but i want to authentication my api users using oauth2 and after successful authentication, forward their request to upstream using an apikey which api user does not know and passed it but i know it.
thanks in advance for your answers.

[dosubot[bot]]

Hello @e-sharifi! I'm here to assist you with any bugs, questions, or contributions. Let's solve this together!

Yes, it is possible to have different authentication methods for consumers and upstream services in APISIX. You can use the multi-auth plugin to support multiple authentication methods on routes and services. This allows you to authenticate API users using OAuth2 and then forward their requests to the upstream service using an API key.

To achieve this, you can configure the multi-auth plugin to handle OAuth2 authentication for your API users. After successful authentication, you can use the forward-auth plugin to inject or modify headers, such as an API key, in the request to the upstream service. This way, the API key is added to the request without the API user knowing it.

Here's a brief overview of how you can set this up:

1. Configure the multi-auth plugin: Set up the plugin to authenticate API users using OAuth2.

2. Use the forward-auth plugin: Configure this plugin to add the API key to the request headers before forwarding it to the upstream service. You can specify upstream_headers in the plugin configuration to include the API key in the request to the upstream.

This setup allows you to maintain different authentication methods for consumers and upstream services, ensuring secure and flexible authentication management.

To continue talking to Dosu, mention @dosu.

---

^{Help Dosu learn! Give it feedback: Great Response | Irrelevant Answer | Incorrect Sources | Too Verbose | Hallucination | Other}

[dosubot[bot]]

To set up different authentication methods in APISIX, you can use the multi-auth and forward-auth plugins. Here's a detailed guide with sample configurations:

1. Create Consumers with Different Authentication Methods:

   • OAuth2 Authentication (Example):
     You would typically configure OAuth2 using a third-party service or custom logic. APISIX can handle OAuth2 tokens by verifying them in a custom plugin or using an external service.

   • Key Authentication for Upstream:

     admin_key=$(yq '.deployment.admin.admin_key[0].key' conf/config.yaml | sed 's/"//g')
     curl http://127.0.0.1:9180/apisix/admin/consumers -H "X-API-KEY: $admin_key" -X PUT -d '  
     {  
         "username": "upstream-service",  
         "plugins": {  
             "key-auth": {  
                 "key": "upstream-api-key"  
             }  
         }  
     }'  

2. Configure a Route with the multi-auth Plugin:

   curl http://127.0.0.1:9180/apisix/admin/routes/1 -H "X-API-KEY: $admin_key" -X PUT -d '  
   {  
       "methods": ["GET"],  
       "uri": "/api",  
       "plugins": {  
           "multi-auth":{  
            "auth_plugins":[  
               {  
                  "oauth2":{ }  // Example placeholder for OAuth2 configuration
               }  
            ]  
         }  
       },  
       "upstream": {  
           "type": "roundrobin",  
           "nodes": {  
               "127.0.0.1:1980": 1  
           }  
       }  
   }'  

3. Use the forward-auth Plugin to Add API Key to Upstream Requests:

   {
       "plugins": {
           "forward-auth": {
               "uri": "http://127.0.0.1:9080/auth",
               "upstream_headers": ["apikey"]
           }
       },
       "uri": "/api"
   }

   In this configuration, the forward-auth plugin can be used to add the API key to the request headers before forwarding it to the upstream service. You can specify upstream_headers to include the API key in the request to the upstream.

This setup allows you to authenticate API users using OAuth2 and then forward their requests to the upstream service using an API key, which is added to the request without the API user knowing it.

To continue talking to Dosu, mention @dosu.

---

^{Help Dosu learn! Give it feedback: Great Response | Irrelevant Answer | Incorrect Sources | Too Verbose | Hallucination | Other}

[e-sharifi]

@dosu
in above answer, in step 3, where we should add the forward-auth plugin?

[dosubot[bot]]

In step 3, the forward-auth plugin should be added to the route configuration where you want to modify the request headers before forwarding to the upstream service. You can include it in the same route configuration as the multi-auth plugin. Here's how you can integrate it:

curl http://127.0.0.1:9180/apisix/admin/routes/1 -H "X-API-KEY: $admin_key" -X PUT -d '  
{  
    "methods": ["GET"],  
    "uri": "/api",  
    "plugins": {  
        "multi-auth": {  
            "auth_plugins": [  
                {  
                    "oauth2": { }  // Example placeholder for OAuth2 configuration
                }  
            ]  
        },
        "forward-auth": {
            "uri": "http://127.0.0.1:9080/auth",
            "upstream_headers": {
                "apikey": "upstream-api-key"
            }
        }
    },  
    "upstream": {  
        "type": "roundrobin",  
        "nodes": {  
            "127.0.0.1:1980": 1  
        }  
    }  
}'  

This configuration ensures that after the OAuth2 authentication, the forward-auth plugin adds the API key to the request headers before sending it to the upstream service.

To continue talking to Dosu, mention @dosu.

---

^{Help Dosu learn! Give it feedback: Great Response | Irrelevant Answer | Incorrect Sources | Too Verbose | Hallucination | Other}

[e-sharifi]

@dosu
how to enable multi-auth plugin in apisix dashboard?

[dosubot[bot]]

To enable the multi-auth plugin in the APISIX dashboard, follow these steps:

1. Create Consumer Objects with Different Authentication Configurations:

   • Create a Consumer using basic authentication:

     admin_key=$(yq '.deployment.admin.admin_key[0].key' conf/config.yaml | sed 's/"//g')
     curl http://127.0.0.1:9180/apisix/admin/consumers -H "X-API-KEY: $admin_key" -X PUT -d '  
     {  
         "username": "foo1",  
         "plugins": {  
             "basic-auth": {  
                 "username": "foo1",  
                 "password": "bar1"  
             }  
         }  
     }'  

   • Create a Consumer using key authentication:

     curl http://127.0.0.1:9180/apisix/admin/consumers -H "X-API-KEY: $admin_key" -X PUT -d '  
     {  
         "username": "foo2",  
         "plugins": {  
             "key-auth": {  
                 "key": "auth-one"  
             }  
         }  
     }'  

2. Configure a Route to Use the Multi-Auth Plugin:

   • Set up a Route to authenticate requests using the multi-auth plugin:

     curl http://127.0.0.1:9180/apisix/admin/routes/1 -H "X-API-KEY: $admin_key" -X PUT -d '  
     {  
         "methods": ["GET"],  
         "uri": "/hello",  
         "plugins": {  
             "multi-auth":{  
              "auth_plugins":[  
                 {  
                    "basic-auth":{ }  
                 },  
                 {  
                    "key-auth":{  
                       "query":"apikey",  
                       "hide_credentials":true,  
                       "header":"apikey"  
                    }  
                 }  
              ]  
           }  
         },  
         "upstream": {  
             "type": "roundrobin",  
             "nodes": {  
                 "127.0.0.1:1980": 1  
             }  
         }  
     }'  

3. Test the Configuration:

   • Test basic authentication:

     curl -i -ufoo1:bar1 http://127.0.0.1:9080/hello

   • Test key authentication:

     curl http://127.0.0.1:9080/hello -H 'apikey: auth-one' -i

These steps will enable the multi-auth plugin on the specified route, allowing multiple authentication methods to be used ^[1].

To continue talking to Dosu, mention @dosu.

---

^{Help Dosu learn! Give it feedback: Great Response | Irrelevant Answer | Incorrect Sources | Too Verbose | Hallucination | Other}