Every principal carries some combination of credentials, identities, and metadata.
Credentials are secrets a principal presents at authentication time.
You need an API Gateway configured in Konnect to use credentials because the gateway checks them directly against the directory and authenticates the principal.
Kong Identity supports the following credential types:
-
Username and password: A principal can have up to two passwords per username to support rotation. Principals in the same directory can’t share a username.
-
API key: Each API key must be unique within a directory.
API keys can be system-generated by Kong Identity or imported with a custom secret value.
A single principal can have multiple credentials, including multiple credentials of the same type.
To authenticate using a credential, a principal must exist in the target directory with a matching credential set.
Identities are how other systems recognize the principal.
Kong Identity uses them either:
- For lookup after authentication has already happened somewhere else (like a third-party IdP).
- To link a principal to an entity in another Kong product.
You can add identities to the principal as a separate resource after you’ve created a principal.
Kong Identity supports the following identity types:
|
Type
|
API value
|
Description
|
|
OIDC
|
oidc
|
References a principal authenticated by an external IdP, such as Okta or Cognito. Identified by the token’s issuer URL and a configurable claim (claim name and value). Most commonly the claim is sub, but any claim in the token can be used for lookup.
|
|
Auth server client
|
auth_server_client
|
References a Kong Identity auth server client in the same region. Identified by the auth server ID and client ID.
|
|
Consumer
|
control_plane_consumer
|
Links the principal to a Consumer in a specific Kong Gateway control plane. Use this identity to apply existing Consumer-scoped plugins to a principal’s traffic.
|
|
Custom
|
custom
|
A user-defined key and value, used to look up a principal by an identifier from an external system. For example, a sasl_username key with value john lets Event Gateway match a SASL-authenticated Kafka client to a principal.
|
A single principal can have multiple identities, including multiple of the same type.
Lookup caching and time-to-live (TTL): Kong Identity caches principal lookups, so additional lookups don’t require a connection to Kong Identity until it evicts the cache. For Kong Gateway, the eviction rate depends on the smallest of the following:
- The TTL set on the directory (10 minutes by default)
- The TTL set on a credential
- The caching configuration on Kong Gateway. Cached principals are in the general cache pool which can be configured by setting
db_cache_ttl.
Principals centralize the concept of an authenticating entity across Kong products.
Each product has its own representation of who is authenticating.
For example, Kong Gateway has Consumers and Consumer Groups:
Kong Gateway Consumers have limitations that principals can address:
-
Scale beyond Consumer limits: Users with large populations of authenticating entities can exceed the Consumer control plane limits. Consumers are loaded into data plane memory while principals are loaded on demand when they authenticate.
-
Share identity across gateways without manual sync: When the same entity needs to authenticate to multiple gateways, Consumers must be replicated. A principal lives in one directory and can be referenced from any gateway in the same region.
-
Unify identity across Kong products: Consumers and applications each represent the same logical entity in different ways, which makes it hard to reason about authentication, policy, and observability together. Principals replace that with one model.
-
Attach metadata to identity: Consumers don’t support metadata, which forces custom plugins or header-injection workarounds when you want per-entity rate limits, conditional plugin behavior, or richer logs. Principals support metadata natively.
Metadata is a set of key-value pairs associated with a principal. Kong Identity authenticates or looks up a principal, then makes the metadata available in the request context of a Kong Gateway or Event Gateway.
You can use metadata to configure how a gateway behaves when that principal is authenticated to it.
For example, a Request Termination plugin can block access only when principal.metadata.business_unit == "payments".