API Key auth

[zhaohuabing]

Title: API Key auth

Description:
An HTTP filter to support API Key auth. The API key authentication filter can be used to authorize HTTP requests using the provided API key in the request. API keys are a simple and widely used method in web services to ensure that only authorized applications and users can interact with the API. It would be beneficial if Envoy could support this feature.

An API key is a token that a client provides when making API calls. The key can be sent in the query string:

GET /something?api_key=abcdef12345

or as a request header:

GET /something HTTP/1.1
X-API-Key: abcdef12345

or as a cookie:

GET /something HTTP/1.1
Cookie: X-API-KEY=abcdef12345

[optional Relevant Links:]

https://swagger.io/docs/specification/authentication/api-keys/
envoyproxy/gateway#2630

[mattklein123]

What exactly do you want this filter to do?

[github-actions]

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.

[zhaohuabing]

What exactly do you want this filter to do?

Hi @mattklein123 Thanks for looking into this issue and sorry for my delayed response.

The API key authentication filter can be used to authorize HTTP requests using the provided API key in the request. API keys are a simple and widely used method in web services to ensure that only authorized applications and users can interact with the API. It would be beneficial if Envoy could support this feature. There are also some users asking for this feature in envoy gateway. envoyproxy/gateway#2630

[github-actions]

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.

[github-actions]

This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted" or "no stalebot". Thank you for your contributions.

[sanposhiho]

Hi 👋
I'm coming from envoyproxy/gateway#2630, interested in realizing it.
Actually I'm researching other competing gateways, and actually Key auth functionality is one of the gaps that some other implementations implement, while the envoy doesn't. So, I believe it's worthy enough.

I can take an implementer part, would any maintainer be willing to help in reviewing etc to promote it?

[gecube]

It is very pity that we don’t have reliable and out-of-box way to use api keys in envoy proxy.

[arkodg]

although API Key Auth is not the most secure or the most performant way to do authn & authz, its still used in existing brownfield environments and also as an additional auth mechanism like the one outlined here, so having support for it would unblock migration to envoy proxy.
Here are the requirements that necessitates a new filter instead of reusing an existing one like the RBAC filter

• Ability to read the API key from a header, cookie, or query param
• Provide a list/map or allowed API Keys similar to what BasicAuth has
• Provide a way to forward the Client id linked to the the API key similar to what Basic Auth has

[gecube]

Agree, that it is essential functionality.

[wbpcode]

I agree this is essential functionality. I can help with the review if someone want to contribute.

[sanposhiho]

Thanks @wbpcode! I'll ping you when I create the PR.