
API Key auth

Open zhaohuabing opened this issue 1 year ago • 13 comments

Title: API Key auth

Description: An HTTP filter to support API Key auth. The API key authentication filter can be used to authorize HTTP requests using the provided API key in the request. API keys are a simple and widely used method in web services to ensure that only authorized applications and users can interact with the API. It would be beneficial if Envoy could support this feature.

An API key is a token that a client provides when making API calls. The key can be sent in the query string:

GET /something?api_key=abcdef12345

or as a request header:

GET /something HTTP/1.1
X-API-Key: abcdef12345

or as a cookie:

GET /something HTTP/1.1
Cookie: X-API-KEY=abcdef12345

[optional Relevant Links:]

https://swagger.io/docs/specification/authentication/api-keys/
https://github.com/envoyproxy/gateway/issues/2630

zhaohuabing avatar Jun 25 '24 00:06 zhaohuabing
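The three key locations listed in the issue description can be handled by one check. The following is an added example, not part of the original issue and not Envoy code; the function names, the digest table and the policy of rejecting conflicting keys are assumptions of this sketch.

```python
import hashlib
import hmac
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Constructed sample data: client name -> SHA-256 digest of its API key.
# Keeping digests instead of raw keys limits what a leaked config exposes.
KEY_DIGESTS = {
    "client-a": hashlib.sha256(b"abcdef12345").hexdigest(),
}


def extract_api_key(target, headers):
    """Return the API key from a request, or None if absent or ambiguous."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    found = []
    if "x-api-key" in hdrs:                      # X-API-Key: abcdef12345
        found.append(hdrs["x-api-key"])
    cookie = SimpleCookie()
    cookie.load(hdrs.get("cookie", ""))          # Cookie: X-API-KEY=abcdef12345
    if "X-API-KEY" in cookie:
        found.append(cookie["X-API-KEY"].value)
    query = parse_qs(urlsplit(target).query)     # /something?api_key=abcdef12345
    found.extend(query.get("api_key", []))
    # Assumed policy: a request carrying different keys in different
    # places is rejected rather than resolved by precedence.
    if len(set(found)) != 1:
        return None
    return found[0]


def authorize(target, headers):
    """Return the matching client name, or None (the caller answers 401)."""
    key = extract_api_key(target, headers)
    if key is None:
        return None
    digest = hashlib.sha256(key.encode()).hexdigest()
    matched = None
    for client, stored in KEY_DIGESTS.items():
        # Constant-time comparison; the loop does not exit early on a match.
        if hmac.compare_digest(digest, stored):
            matched = client
    return matched
```

Keys sent in the query string also end up in access logs and proxy caches, so a deployment that accepts them should redact the `api_key` parameter before logging.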

What exactly do you want this filter to do?

mattklein123 avatar Jun 25 '24 19:06 mattklein123

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.

github-actions[bot] avatar Jul 25 '24 20:07 github-actions[bot]

What exactly do you want this filter to do?

Hi @mattklein123 Thanks for looking into this issue and sorry for my delayed response.

The API key authentication filter can be used to authorize HTTP requests using the provided API key in the request. API keys are a simple and widely used method in web services to ensure that only authorized applications and users can interact with the API. It would be beneficial if Envoy could support this feature. There are also some users asking for this feature in envoy gateway. https://github.com/envoyproxy/gateway/issues/2630

zhaohuabing avatar Jul 26 '24 02:07 zhaohuabing

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.

github-actions[bot] avatar Aug 25 '24 08:08 github-actions[bot]

This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted" or "no stalebot". Thank you for your contributions.

github-actions[bot] avatar Sep 01 '24 08:09 github-actions[bot]

Hi 👋 I'm coming from https://github.com/envoyproxy/gateway/issues/2630, interested in realizing it. Actually, I'm researching other competing gateways, and Key auth functionality is one of the gaps that some other implementations implement, while Envoy doesn't. So, I believe it's worthy enough.

I can take the implementer part; would any maintainer be willing to help with reviewing etc. to promote it?

sanposhiho avatar Sep 25 '24 04:09 sanposhiho

It is a great pity that we don't have a reliable and out-of-the-box way to use API keys in Envoy proxy.

gecube avatar Sep 26 '24 22:09 gecube

Although API Key Auth is not the most secure or the most performant way to do authn & authz, it's still used in existing brownfield environments and also as an additional auth mechanism like the one outlined here, so having support for it would unblock migration to Envoy proxy. Here are the requirements that necessitate a new filter instead of reusing an existing one like the RBAC filter

arkodg avatar Oct 02 '24 19:10 arkodg

Agreed, it is essential functionality.

gecube avatar Oct 03 '24 10:10 gecube

I agree this is essential functionality. I can help with the review if someone wants to contribute.

wbpcode avatar Oct 10 '24 09:10 wbpcode

Thanks @wbpcode! I'll ping you when I create the PR.

sanposhiho avatar Oct 10 '24 11:10 sanposhiho

/assign

sanposhiho avatar Oct 19 '24 14:10 sanposhiho

sanposhiho is not allowed to assign users.

:cat:

Caused by: a https://github.com/envoyproxy/envoy/issues/34877#issuecomment-2423905735 was created by @sanposhiho.