Yes, it is feasible to perform authentication in KrakenD by invoking an API. However, there are some considerations to keep in mind:
- Performance Concerns: Each authenticated request to your services will result in two calls—one to the authentication API service and one to the actual protected service. This could potentially lead to performance issues. Please provide more details about your actual authentication flow so we can better understand your specific requirements.
- Recommendation: We recommend using a JWT-compatible authentication system. Even if you implement a custom in-house JWT, KrakenD can perform more efficient authorization. KrakenD only needs the public key (JWK) to validate the encrypted JSON token, eliminating the need to reach the identity service to validate the session ID with each request.
- Alternative Solutions: If using JWT is not possible, you can achieve your requirement with either:
  - Sequential Proxy: Implement a sequential proxy to first call the authentication service and then proceed to the actual server if the session ID is valid. More details can be found here.
  - Custom Plugin: Develop a custom plugin to handle the authentication process. Documentation for extending KrakenD with custom plugins is available here.
In conclusion, while it is feasible to authenticate by invoking an API, it is not recommended to design an authentication process that requires an additional request to the authentication API for each request to the gateway. A JWT-based approach would be more efficient and scalable.
Best regards,
Albert García, Business Director
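The JWT validation recommended in the reply above, written as a KrakenD endpoint configuration. This is an added example, not part of the original message; the hostnames, paths, issuer and audience are assumed placeholders.

```json
{
  "$schema": "https://www.krakend.io/schema/v3.json",
  "version": 3,
  "endpoints": [
    {
      "@comment": "Constructed example: hosts, paths, issuer and audience are placeholders",
      "endpoint": "/orders/{id}",
      "method": "GET",
      "extra_config": {
        "auth/validator": {
          "alg": "RS256",
          "jwk_url": "https://idp.example.com/.well-known/jwks.json",
          "cache": true,
          "cache_duration": 900,
          "issuer": "https://idp.example.com",
          "audience": ["https://api.example.com"]
        }
      },
      "backend": [
        {
          "host": ["http://orders.internal:8080"],
          "url_pattern": "/orders/{id}"
        }
      ]
    }
  ]
}
```

With `cache` enabled the gateway keeps the downloaded key set in memory for `cache_duration` seconds, so token checks do not call the identity service on every request. Pinning `alg`, `issuer` and `audience` rejects tokens signed with a different algorithm or minted for another service.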