Basic Auth

Overview Examples Configuration reference Changelog API reference

How it works

The Basic Authentication plugin requires at least one Consumer to work. When you create the Consumer, you must specify a username and password, for example: Ariel:Password. The Consumer’s password must be base64-encoded when it’s used in the Authentication header. For example, Ariel:Password would become QXJpZWw6UGFzc3dvcmQ=.

Then, you can enable the plugin on a Gateway Service, Route, or globally. When a Consumer makes a request to the associated Gateway Service or Route, the plugin checks for valid credentials in the Proxy-Authorization and Authorization headers (in that order). In Kong Gateway 3.13 or later, you can protect against brute force attacks by enabling config.brute_force_protection. This will return an 429 Too Many Requests error after the fourth failed login attempt.

Using multiple authentication plugins

You can use the Basic Authentication plugin along with other authentication plugins. This allows clients to use different authentication methods to access a given Gateway Service or Route.

The authentication plugins can be configured to always require authentication or only perform authentication if the Consumer wasn’t already authenticated. For more information, see Using multiple authentication methods.

Use cases

Common use cases for the Basic Authentication plugin:

Use case	Description
Allow or deny requests on a Gateway Service or Route	Configure both the ACL and Basic Authentication plugins to restrict access to a Service or a Route by adding Consumers to allowed or denied lists using arbitrary ACL groups.
Authenticate on the upstream service	Configure the Basic Authentication plugin on a Route and then configure the Consumer credential in the `config.add.headers` property for the Request Transformer plugin.
Allow clients to choose their authentication method	Enable the Basic Authentication plugin and any other authentication plugins. Use the `config.anonymous` property on the plugins to determine if authentication is always performed or only when the Consumer wasn’t already authenticated.
Check credentials per session	When the Session plugin is enabled in conjunction with an authentication plugin, it runs before credential verification. If no session is found, then the authentication plugin runs again and credentials are checked normally. If the credential verification is successful, then the Session plugin creates a new session for usage with subsequent requests.
Rate limit unauthenticated and authenticated users differently	You can configure a given Service to allow both authenticated and anonymous access. You might use this configuration to grant access to anonymous users with a low rate limit and grant access to authenticated users with a higher rate limit using the Rate Limiting plugin.
Use basic authentication for Kong Manager	If you want users to authenticate before logging in to Kong Manager, you can configure basic authentication for the GUI.
Protect against brute force attacks v3.13+	Protect against brute force attacks by enabling `config.brute_force_protection`. This will return an `429 Too Many Requests` error after the fourth failed login attempt.

Brute force protection v3.13+

The Basic Auth plugin can be susceptible to brute force and dictionary attacks because rate limiting occurs after authentication plugins, leaving a vulnerability to failed login attempts. You can configure config.brute_force_protection on the plugin to prevent this.

This feature protects against brute force attacks by doing the following:

When brute force protection is enabled, the plugin tracks failed login attempts by username.
For each failed login attempt using a username and password, a counter is incremented with the username as the key in the shared store. The plugin starts returning a 429 Too Many Requests response on the 3rd failed login attempt. The 429 response includes a Retry-After header, which indicates the remaining Time-To-Live (TTL) of the counter for that username.
Each additional failed attempt doubles the previous wait time. The wait time is calculated as 2^(number of failed attempts) seconds, with a maximum configurable wait time of 1 hour. There is no cache to clear.

Keep the following limitations in mind when you configure brute force protection:

Counters are only reset when their TTL is reached. A successful login attempt does not reset the failed attempt counter. The user will still be blocked until the TTL expires.
There is no way to unlock a user. You can manually delete the counter key from Redis or PostgreSQL.
If the Redis connection fails, the brute force protection will error out.
Each backend has different impacts on performance. In-memory has the best performance, PostgreSQL the poorest, and Redis is better than PostgreSQL.

Using cloud authentication with Redis v3.13+

Starting in Kong Gateway 3.13, you can authenticate with a cloud Redis provider for your Redis strategy. This allows you to seamlessly rotate credentials without relying on static passwords.

The following providers are supported:

AWS ElastiCache
Azure Managed Redis
Google Cloud Memorystore (with or without Valkey)

Each provider also supports an instance and cluster configuration.

Important: Kong Gateway open source plugins do not support any Redis cloud provider cluster configurations.

To configure cloud authentication with Redis, add the following parameters to your plugin configuration:

You need:

A running Redis instance on an AWS ElastiCache instance for Valkey 7.2 or later or ElastiCache for Redis OSS version 7.0 or later
The ElastiCache user needs to set “Authentication mode” to “IAM”

The following policy assigned to the IAM user/IAM role that is used to connect to the ElastiCache:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "elasticache:Connect"
            ],
            "Resource": [
                "arn:aws:elasticache:ARN_OF_THE_ELASTICACHE",
                "arn:aws:elasticache:ARN_OF_THE_ELASTICACHE_USER"
            ]
        }
    ]
}

Copied!

config:
  storage: redis
  storage_config:
    redis:
      host: $INSTANCE_ADDRESS
      username: $INSTANCE_USERNAME
      port: 6379
      cloud_authentication:
        auth_provider: aws
        aws_cache_name: $AWS_CACHE_NAME
        aws_is_serverless: false
        aws_region: $AWS_REGION
        aws_access_key_id: $AWS_ACCESS_KEY_ID
        aws_secret_access_key: $AWS_ACCESS_SECRET_KEY

Copied!

Replace the following with your actual values:

$INSTANCE_ADDRESS: The ElastiCache instance address.
$INSTANCE_USERNAME: The ElastiCache username with IAM Auth mode configured.
$AWS_CACHE_NAME: Name of your AWS ElastiCache instance.
$AWS_REGION: Your AWS ElastiCache instance region.
$AWS_ACCESS_KEY_ID: (Optional) Your AWS access key ID.
$AWS_ACCESS_SECRET_KEY: (Optional) Your AWS secret access key.

You need:

A running Redis instance on an AWS ElastiCache cluster for Valkey 7.2 or later or ElastiCache for Redis OSS version 7.0 or later
The ElastiCache user needs to set “Authentication mode” to “IAM”

The following policy assigned to the IAM user/IAM role that is used to connect to the ElastiCache:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "elasticache:Connect"
            ],
            "Resource": [
                "arn:aws:elasticache:ARN_OF_THE_ELASTICACHE",
                "arn:aws:elasticache:ARN_OF_THE_ELASTICACHE_USER"
            ]
        }
    ]
}

Copied!

config:
  storage: redis
  storage_config:
    redis:
      cluster_nodes:
      - ip: $CLUSTER_ADDRESS
        port: 6379
      username: $CLUSTER_USERNAME
      port: 6379
      cloud_authentication:
        auth_provider: aws
        aws_cache_name: $AWS_CACHE_NAME
        aws_is_serverless: false
        aws_region: $AWS_REGION 
        aws_access_key_id: $AWS_ACCESS_KEY_ID
        aws_secret_access_key: $AWS_ACCESS_SECRET_KEY

Copied!

Replace the following with your actual values:

$CLUSTER_ADDRESS: The ElastiCache cluster address.
$CLUSTER_USERNAME: The ElastiCache username with IAM Auth mode configured.
$AWS_CACHE_NAME: Name of your AWS ElastiCache cluster.
$AWS_REGION: Your AWS ElastiCache cluster region.
$AWS_ACCESS_KEY_ID: (Optional) Your AWS access key ID.
$AWS_ACCESS_SECRET_KEY: (Optional) Your AWS secret access key.

You need:

A running Redis instance on an Azure Managed Redis instance with Entra authentication configured
Add the user/service principal/identity to the “Microsoft Entra Authentication Redis user” list for the Azure Managed Redis instance

config:
  storage: redis
  storage_config:
    redis:
      host: $INSTANCE_ADDRESS
      username: $INSTANCE_USERNAME
      port: 6379
      cloud_authentication:
        auth_provider: azure
        azure_client_id: $AZURE_CLIENT_ID
        azure_client_secret: $AZURE_CLIENT_SECRET
        azure_tenant_id: $AZURE_TENANT_ID

Copied!

Replace the following with your actual values:

$INSTANCE_ADDRESS: The Azure Managed Redis instance address.
$INSTANCE_USERNAME: The object (principal) ID of the Principal/Identity with essential access.
$AZURE_CLIENT_ID: The client ID of the Principal/Identity.
$AZURE_CLIENT_SECRET: (Optional) The client secret of the Principal/Identity.
$AZURE_TENANT_ID: (Optional) The tenant ID of the Principal/Identity.

You need:

A running Redis instance on an Azure Managed Redis cluster with Entra authentication configured
Add the user/service principal/identity to the “Microsoft Entra Authentication Redis user” list for the Azure Managed Redis instance

config:
  storage: redis
  storage_config:
    redis:
      cluster_nodes:
      - ip: $CLUSTER_ADDRESS
        port: 6379
      username: $CLUSTER_USERNAME
      port: 6379
      cloud_authentication:
        auth_provider: azure
        azure_client_id: $AZURE_CLIENT_ID
        azure_client_secret: $AZURE_CLIENT_SECRET
        azure_tenant_id: $AZURE_TENANT_ID

Copied!

Replace the following with your actual values:

$CLUSTER_ADDRESS: The Azure Managed Redis cluster address.
$CLUSTER_USERNAME: The object (principal) ID of the Principal/Identity with essential access.
$AZURE_CLIENT_ID: The client ID of the Principal/Identity.
$AZURE_CLIENT_SECRET: (Optional) The client secret of the Principal/Identity.
$AZURE_TENANT_ID: (Optional) The tenant ID of the Principal/Identity.

You need:

A running Redis instance on an Google Cloud Memorystore instance
Assign the principal to the corresponding role:
- Cloud Memorystore Redis DB Connection User(roles/redis.dbConnectionUser) for Memorystore for Redis Cluster
- Memorystore DB Connector User (roles/memorystore.dbConnectionUser) for Memorystore for Valkey

config:
  storage: redis
  storage_config:
    redis:
      host: $INSTANCE_ADDRESS
      port: 6379
      cloud_authentication:
        auth_provider: gcp
        gcp_service_account_json: $GCP_SERVICE_ACCOUNT

Copied!

Replace the following with your actual values:

$INSTANCE_ADDRESS: The Memorystore instance address.
$GCP_SERVICE_ACCOUNT: (Optional) The GCP service account JSON.

You need:

A running Redis instance on an Google Cloud Memorystore cluster
Assign the principal to the corresponding role:
- Cloud Memorystore Redis DB Connection User(roles/redis.dbConnectionUser) for Memorystore for Redis Cluster
- Memorystore DB Connector User (roles/memorystore.dbConnectionUser) for Memorystore for Valkey

config:
  storage: redis
  storage_config:
    redis:
      cluster_nodes:
      - ip: $CLUSTER_ADDRESS
        port: 6379 
      port: 6379
      cloud_authentication:
        auth_provider: gcp
        gcp_service_account_json: $GCP_SERVICE_ACCOUNT

Copied!

Replace the following with your actual values:

$CLUSTER_ADDRESS: The Memorystore cluster address.
$GCP_SERVICE_ACCOUNT: The GCP service account JSON.

FAQs

I updated my Consumer’s username, why doesn’t their password or basic authentication work anymore?

The basic auth password credential is encrypted in the database. Kong Gateway can only get the encrypted value of the password from the database. When you update the username or tag, Kong Gateway overwrites the password with its encrypted value. To fix this, enter the original password when you update the username or tag of the basic auth credential.

How do I delete a Consumer credential?

You can delete a specific credential by sending a DELETE request to /{workspace_id_or_name}/consumers/{consumer_id_or_name}/basic-auth/{credentials_id}.

I’m migrating from Kong Gateway to Konnect and using deck gateway dump, will this also dump my basic auth credentials?

No. The basic auth credentials are stored in the database as hashed values. When you dump the configuration with decK, it will retrieve these hashed values, not the original plain-text passwords. Since there is currently no way to extract the initial plain-text values of the basic auth credentials due to how they are stored, you will need to manually set the passwords for basic auth after dumping the configuration or by directly setting up the password in Konnect.

Why should I use the Basic Authentication plugin instead of other authentication plugins, like Key Authentication?

You should use basic authentication when you need a simple way to authenticate and security isn’t a concern. For example, you could use this plugin to connect internal server networks or as a verification on open data. Use Key Authentication or another authentication plugin if you require additional security.

Basic Auth

How it works

Using multiple authentication plugins

Use cases

Brute force protection v3.13+

Using cloud authentication with Redis v3.13+

FAQs

Help us make these docs great!

Still need help