The Basic Authentication plugin adds username and password protection to your APIs. Give it a try and discuss it here!
Hi Guys, is it possible to update credentials (username or password) without needing to delete a consumer?
@QiQe_Garbi Hi,
Definitely. The Admin API follows RESTful practices; the following endpoint accepts GET as well as PATCH requests:
/consumers/{consumer id or username}/basic-auth/{credential username or id}
Example:
$ curl -X PATCH \
--url http://kong:8001/consumers/bob/basic-auth/55283d7e-dc92-11e7-b1fe-0fb516a46133 \
-d "username=alice" \
-d "password=new_password"
2 Likes
Thanks @thibaultcha , I was trying the same but with a missing consumer at the end. Is that info in your docs? I couldn’t find it
Hi @QiQe_Garbi - indeed you noticed that our docs at https://getkong.org/plugins/basic-authentication don’t explicitly describe PATCHing - sorry about that!
We welcome Pull Requests to improve Kong’s documentation - see https://github.com/Kong/getkong.org
Is there a way to configure a service to use basic auth on downstreams only? For example, you may want integrate an API that uses basic auth with kong but avoid using basic auth in the exposed service in kong. This way:
- API endpoint https://my.example.com/api/v1/foo has basic auth already enabled
- Create a Kong service at https://my.kong.com/example that proxies request with basic auth
- Optionally, create consumers and secure the kong service with any kind of authentication (even none).
Hi @gentunian - I think you may be getting no replies on your post because it is hard to understand what problem you are trying to solve (I know I can’t understand it!). Can you try to clarify?
hey there @Cooper, thanks for the suggestion.
I was wondering if it was possible to use basic auth plugin only in the forwarding request to the APIs endpoints. I will try to clarify:
tl;dr
- an API that uses basic authentication at https://foo.api.com/v1/some/REST/path
- Kong Api Manager that will route requests to that endpoint at https://kong.example.com/foo
- Add any authorization for that kong service and proxy the request to the API with a hardcoded basic auth
This way, kong service is using basic auth only on downstreams and using any auth up front.
example
To consume/use the API you will do something like:
curl -H 'Authorizaction: Basic Ajasfualshfna=' https://foo.api.com/v1/some/REST/path
Now, you want to use your API through Kong and possibly with another auth or maybe just none. That would be:
# use kong with key-auth plugin and kong will check the
# consumer api key for that service and then proxy the request
# to the API with the adequate Authorization header.
curl -H 'My-Key: jehOahYd821Asna' https://kong.example.com/foo
Something like:
Hi,
It seems to me like you are describing the use case solved by this plugin:
I hope it answers addresses your use-case 
PS: This plugin is maintained by a community member, so if you have issues or questions with it, please open an issue in the repository, as there is nothing we can do to assist.