Baoyuantop commented on issue #12908: URL: https://github.com/apache/apisix/issues/12908#issuecomment-3770767462
Hi @Ronan-WeScale, thanks for the detailed feature request! I'd like to share some technical observations:

API Key vs Bearer Token are different authentication mechanisms. API Key authentication is a simple static key mechanism with no standard specification governing its transport format. It's typically passed via custom headers (like `X-API-KEY` or `apikey`) or query parameters. Bearer Token is defined by RFC 6750 as part of the OAuth 2.0 framework, designed for dynamically issued access tokens with expiration and specific security requirements.

The key-auth plugin is designed for API Key authentication, not OAuth 2.0 Bearer tokens. Using `Authorization: Bearer <api-key>` would mix two different authentication concepts - the Bearer scheme, per RFC 6750, should carry OAuth 2.0 access tokens rather than static API keys.

If you need Bearer token authentication, APISIX already provides more appropriate plugins:

1. jwt-auth - for JWT-based authentication
2. openid-connect - for full OAuth 2.0/OIDC support
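The distinction the comment draws can be made concrete with a small dispatcher that handles the two credential types on separate paths. The following is an added illustration, not code from APISIX or from the comment author: the API-key path does a static lookup against a consumer table (header names `apikey` / `X-API-KEY` and query parameter `apikey` are assumed for illustration, mirroring the transport the comment describes), while the Bearer path parses the RFC 6750 `Authorization` header and verifies an HS256 JWT with a mandatory `exp` claim. The consumer table, secret and minted token are constructed sample data.

```python
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Optional

# Constructed consumer table for the API-key path (assumption for illustration).
# Keys are stored as SHA-256 digests so the table itself is not a usable secret.
def _digest(key: str) -> str:
    return hashlib.sha256(key.encode()).hexdigest()

API_KEY_CONSUMERS = {_digest("demo-static-key-1"): "consumer-a"}

# Constructed shared secret for the Bearer/JWT path (assumption for illustration).
JWT_SECRET = b"constructed-demo-secret"


@dataclass
class AuthResult:
    ok: bool
    scheme: str                  # "api-key", "bearer" or "none"
    subject: Optional[str] = None
    reason: Optional[str] = None


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def extract_api_key(headers: dict, query: dict) -> Optional[str]:
    # Static key via custom header or query parameter (names are assumed).
    for name in ("apikey", "x-api-key"):
        if name in headers:
            return headers[name]
    return query.get("apikey")


def extract_bearer_token(headers: dict) -> Optional[str]:
    # RFC 6750 section 2.1: "Authorization: Bearer <token>"; scheme is case-insensitive.
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def check_api_key(key: str) -> AuthResult:
    # Static lookup; constant-time comparison avoids leaking digest prefixes by timing.
    presented = _digest(key)
    for stored, consumer in API_KEY_CONSUMERS.items():
        if hmac.compare_digest(stored, presented):
            return AuthResult(True, "api-key", consumer)
    return AuthResult(False, "api-key", reason="unknown key")


def check_jwt(token: str, now: Optional[float] = None) -> AuthResult:
    # Bearer path: the token must be a signed JWT with an unexpired "exp" claim.
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return AuthResult(False, "bearer", reason="malformed token")
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
        signature = _b64url_decode(parts[2])
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return AuthResult(False, "bearer", reason="malformed token")
    if header.get("alg") != "HS256":
        return AuthResult(False, "bearer", reason="unexpected alg")
    expected = hmac.new(JWT_SECRET, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return AuthResult(False, "bearer", reason="bad signature")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return AuthResult(False, "bearer", reason="missing or expired exp")
    return AuthResult(True, "bearer", claims.get("sub"))


def authenticate(headers: dict, query: dict, now: Optional[float] = None) -> AuthResult:
    # Route each credential type to its own validator; never treat one as the other.
    headers = {k.lower(): v for k, v in headers.items()}
    key = extract_api_key(headers, query)
    if key is not None:
        return check_api_key(key)
    token = extract_bearer_token(headers)
    if token is not None:
        return check_jwt(token, now)
    return AuthResult(False, "none", reason="no credentials")


def mint_jwt(sub: str, exp: int) -> str:
    # Helper to produce a constructed HS256 token for the demonstration.
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"sub": sub, "exp": exp}).encode())
    sig = hmac.new(JWT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"
```

Presenting the static key as `Authorization: Bearer demo-static-key-1` lands on the Bearer path and is rejected as a malformed token, which is the practical consequence of the mismatch the comment describes: the Bearer validator expects a dynamically issued token with signature and expiry, properties a static API key does not have.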
