authentication go session-cookies api-gateway krakend

Is it feasible to perform authentication in KrakenD by invoking an API?


My scenario involves clients providing a session ID, which we must pass to our authentication service. The authentication service will then validate the session ID. If the session ID is valid, we proceed to access the actual server; otherwise, we return an error to the client.


Solution

  • Yes, it is feasible to perform authentication in KrakenD by invoking an API. However, there are some considerations to keep in mind:

    1. Performance Concerns: Each authenticated request to your services will result in two calls—one to the authentication API service and one to the actual protected service. This could potentially lead to performance issues. Please provide more details about your actual authentication flow so we can better understand your specific requirements.
    2. Recommendation: We recommend using a JWT-compatible authentication system. Even if you implement a custom in-house JWT, KrakenD can perform more efficient authorization. KrakenD only needs the public key (JWK) to validate the encrypted JSON token, eliminating the need to reach the identity service to validate the session ID with each request.
    3. Alternative Solutions: If using JWT is not possible, you can achieve your requirement with either:

    In conclusion, while it is feasible to authenticate by invoking an API, it is not recommended to design an authentication process that requires an additional request to the authentication API for each request to the gateway. A JWT-based approach would be more efficient and scalable.
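
The point in item 2 above, that a gateway holding only the public key can validate a token without calling the identity service on each request, shown as an added Go example (not code from the answer or from KrakenD). It assumes an Ed25519-signed token (`alg` of `EdDSA`); `Issue` and `Verify` are hypothetical helper names, and the key pair and subject are constructed.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url

// Issue stands in for the identity service, the only holder of the private key.
func Issue(priv ed25519.PrivateKey, sub string, exp time.Time) string {
	claims := fmt.Sprintf(`{"sub":%q,"exp":%d}`, sub, exp.Unix())
	in := b64.EncodeToString([]byte(`{"alg":"EdDSA"}`)) + "." + b64.EncodeToString([]byte(claims))
	return in + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(in)))
}

// Verify is the gateway side: it needs the public key only, and no network call.
func Verify(tok string, pub ed25519.PublicKey, now time.Time) (string, error) {
	p := strings.Split(tok, ".")
	if len(p) != 3 {
		return "", fmt.Errorf("malformed token")
	}
	var h struct{ Alg string }
	hdr, _ := b64.DecodeString(p[0])
	if json.Unmarshal(hdr, &h) != nil || h.Alg != "EdDSA" { // pin the algorithm
		return "", fmt.Errorf("unexpected alg")
	}
	sig, _ := b64.DecodeString(p[2])
	if !ed25519.Verify(pub, []byte(p[0]+"."+p[1]), sig) {
		return "", fmt.Errorf("bad signature")
	}
	var c struct {
		Sub string
		Exp int64
	}
	body, _ := b64.DecodeString(p[1])
	if json.Unmarshal(body, &c) != nil || now.Unix() >= c.Exp {
		return "", fmt.Errorf("expired or unreadable claims")
	}
	return c.Sub, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed key pair; nil selects crypto/rand
	fmt.Println(Verify(Issue(priv, "user-42", time.Now().Add(time.Minute)), pub, time.Now()))
}
```

Because the token is checked locally, a session revoked at the identity service stays valid at the gateway until `exp` passes, so short lifetimes matter with this design.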