AuthenticationFilter: Basic Auth #4056

@mkingst

User Story
As a developer or system administrator, I want to secure my applications deployed behind NGINX Gateway Fabric using a simple and configurable authentication mechanism, so that I can ensure that only authorised clients can access my applications with minimal effort.

Goals
The goal of this feature is to extend the functionality of NGINX Gateway Fabric by introducing an Authentication Filter, starting with support for Basic Authentication (BasicAuth). This feature aims to secure client requests by requiring valid credentials using the HTTP Basic authentication scheme, laying the foundation for additional authentication mechanisms in the future.

Background
Authentication is a foundational requirement for securing services in modern microservice architectures, and is a commonly used NGINX feature. NGINX Gateway Fabric currently lacks native support for robust authentication mechanisms. Basic Authentication (BasicAuth) is a straightforward and commonly used method to protect resources with username/password credentials. By introducing BasicAuth into the NGINX Gateway Fabric, users can enforce access controls for their APIs while leveraging Kubernetes-native constructs like secrets for secure credential storage.

This feature provides an essential starting point for authentication functionality within NGINX Gateway Fabric, enabling seamless integration into existing workflows. It also establishes a foundation for future extensions to support advanced authentication schemes.

Requirements

  • Implement a Basic Authentication mechanism in NGF using the ngx_http_auth_basic_module.
  • Enable users to configure BasicAuth policies via a YAML-based AuthenticationFilter.
  • Ensure seamless integration with Kubernetes secrets for authentication credentials (e.g. htpasswd).
  • Establish predictable merging behavior when multiple BasicAuth filters are referenced.

Filter Behavior:

  • Rejection of Unauthorized Requests: Requests missing valid credentials in the HTTP Authentication header will be rejected with an HTTP 401 status.
  • Compatible with HTTPRoutes: The BasicAuth filter will apply to HTTPRoute resources directly, adhering to the Gateway API standards and configuration model.

User Experience
The BasicAuth policy will allow users to configure NGINX Gateway Fabric to authenticate client requests using HTTP Basic authentication. An example YAML configuration is as follows:

apiVersion: gateway.nginx.org/v1alpha1
kind: AuthenticationFilter
metadata:
  name: basic-auth-filter
spec:
  basicAuth:
    secret: htpasswd-secret  # Kubernetes secret holding the htpasswd credentials
    realm: "My API"

The above should configure NGINX to authenticate client requests using the HTTP Basic authentication scheme.
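
An added example, not part of the original issue or of NGINX Gateway Fabric: a Python model of the check the filter would delegate to ngx_http_auth_basic_module, showing the 401 challenge carrying the configured realm. It assumes htpasswd entries in the {SSHA} scheme (picked only because it is short to implement), and every function name is hypothetical.

```python
import base64, binascii, hashlib, hmac, os

REALM = "My API"  # realm from the AuthenticationFilter example

def ssha_entry(user, password, salt=None):
    """Build one htpasswd line in the {SSHA} scheme (salted SHA-1)."""
    salt = salt or os.urandom(8)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return f"{user}:{{SSHA}}{base64.b64encode(digest + salt).decode()}"

def parse_htpasswd(text):
    """Map user -> stored hash, skipping blank lines and comments."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            user, stored = line.split(":", 1)
            users[user] = stored
    return users

def verify_ssha(stored, password):
    """Constant-time check of a password against one {SSHA} hash."""
    if not stored.startswith("{SSHA}"):
        return False  # other htpasswd schemes are out of scope here
    try:
        raw = base64.b64decode(stored[6:], validate=True)
    except binascii.Error:
        return False
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(digest, hashlib.sha1(password.encode() + salt).digest())

DUMMY = ssha_entry("-", "-", b"\0" * 8).split(":", 1)[1]  # hash checked for unknown users

def authenticate(authorization, users, realm=REALM):
    """Return (status, headers) for one request's Authorization header value."""
    challenge = {"WWW-Authenticate": f'Basic realm="{realm}"'}
    scheme, _, token = (authorization or "").partition(" ")
    if scheme.lower() != "basic":
        return 401, challenge
    try:
        creds = base64.b64decode(token.strip(), validate=True).decode()
    except (binascii.Error, UnicodeDecodeError):
        return 401, challenge
    user, sep, password = creds.partition(":")  # password may itself contain ":"
    ok = verify_ssha(users.get(user, DUMMY), password)
    return (200, {}) if sep and ok and user in users else (401, challenge)

# Constructed sample data: one user as it would appear in the Secret's htpasswd content.
SAMPLE_USERS = parse_htpasswd("# constructed\n" + ssha_entry("alice", "s3cret:pw"))
```

Because the credentials are only base64-encoded in the header, a route carrying this filter should be exposed over TLS.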


Labels: enhancement, epic, highlight
