This topic provides an overview of the authentication methods supported by Cloud-native API Gateway.
In a microservices architecture, external users (clients) send requests to services, but the services are not exposed directly to the clients. Gateways are deployed between the clients and the servers to control access, and they authenticate external requests based on customizable access control policies.
Gateway authentication methods
Cloud-native API Gateway supports multiple authentication methods, including JSON Web Token (JWT), OpenID Connect (OIDC), and custom authentication.
JWT
Cloud-native gateways provide a mechanism for authorized access to your APIs based on JWTs. You can use this mechanism to customize security settings. Cloud-native API Gateway verifies the identities of API callers and determines whether to return the requested resources to them. Tokens are used for identity authentication. When tokens are used, applications do not need to retain user authentication information or session information on the server side. This enables stateless, distributed authorization for web applications and makes the applications easier to extend.
For more information, see Configure JWT authentication.
OIDC
OIDC is an authentication protocol that allows third-party applications to connect to identity providers to obtain user information, which the identity providers then send to the third-party applications in a secure and reliable manner. OIDC extends the OAuth 2.0 protocol and provides basic user identity information in an additional ID Token field. The ID Token is encapsulated in JSON Web Token (JWT) format, which makes it self-contained and tamper-proof. This ensures that the ID Token can be securely transmitted to third-party applications and easily verified.
For more information, see Configure OIDC authentication.
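The stateless check described in the JWT and OIDC sections above, as an added example (not from the original page and not the gateway's own code): a verifier that needs only the key and the token, and rejects spliced, re-signed, algorithm-swapped, and expired tokens. It assumes HS256 with a shared secret so that it runs on the Python standard library alone; `SECRET`, `ISSUER`, `issue`, and `verify` are hypothetical names.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"   # constructed sample key (assumption)
ISSUER = "https://idp.example"        # hypothetical identity provider

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str, key: bytes) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def issue(claims: dict, key: bytes = SECRET, alg: str = "HS256") -> str:
    """Issuer side: build header.payload.signature."""
    header = b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    signing_input = header + "." + payload
    return signing_input + "." + b64url(sign(signing_input, key))

def verify(token: str, key: bytes = SECRET, now=None):
    """Gateway side: return (claims, None) on success, (None, reason) on failure."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:
        return None, "malformed"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None, "malformed"
    # Pin the algorithm: never let the token's own header choose (e.g. "none").
    if header.get("alg") != "HS256":
        return None, "unexpected alg"
    # Constant-time comparison over the exact bytes that were signed.
    expected = sign(header_b64 + "." + payload_b64, key)
    if not hmac.compare_digest(signature, expected):
        return None, "bad signature"
    # Claims are trusted only after the signature check passes.
    if claims.get("iss") != ISSUER:
        return None, "wrong issuer"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None, "expired"
    return claims, None
```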
Custom authentication
If the tokens in client requests use a custom format, your servers must call a unified authentication service to authenticate the tokens after they receive the requests. You can connect cloud-native gateways to a custom authentication service to centrally manage authentication for all your backend services.
For more information, see Configure custom authentication.