Should be able to specify whether a plugin acts a Proxy-Level Authentication or direct Authentication #460
Comments
subnetmarco
added
the
idea/new plugin
|
How about checking if |
not sure how that's even related!? this should be a choice by the operator to decide what level of Authentication to apply, and with #462 should be able to apply both if wanted. |
|
currently the behavior for oAuth and Basic Auth is only enabled on the
only the |
|
Basic Authentication cannot have an arbitrary header because it violates the spec: http://tools.ietf.org/html/rfc1945#section-10.2 Same thing for OAuth 2.0: http://tools.ietf.org/html/rfc6749 |
It is, since it's a very well standard behavior documented in the spec http://tools.ietf.org/html/rfc2617#section-3.6 We cannot arbitrary translate how HTTP works. |
|
also, allowing to setup a custom
also, the oAuth spec does not even specify a specific header name |
|
also, RFC 2617 is outdated, please stop referring to it and checkout RFC 7235 http://httpwg.github.io/specs/rfc7235.html#challenge.and.response |
again, not the point. the focus here is to allow enabling authentication plugins for proxy level separately from request level. the operator should have the choice to use Kong for either, or both, while retaining any existing authentication in the API service behind Kong. |
|
That's what I recommended doing: check for a |
|
As per OAuth 2.0, it's in the spec: http://tools.ietf.org/html/rfc6749#section-2.3.1
|
|
"May" |
|
this is standard practice for namespacing headers, for example: VMWare uses |
|
If you need something like
So to answer the original question:
It can be done using the Key Authentication plugin. It's not allowed in the Basic Authentication or OAuth 2.0 plugins by specification.
This is correct. We need to add support for |
|
think of "namespaceing" as the key term here ... I want to namespace the oauth header, the spec still applies, but I want to namespace it. hence a relatable example would be Mashape Marketplace, an API could already have oauth on |
Basic Authentication does not allow namespacing in the specification, and because OAuth 2.0 mentions Basic Authentication, then OAuth 2.0 doesn't support namespacing of the Happy to reconsider this if you prove me wrong.
|
|
Lets address this once we're past v. 0.5 and 0.6 since it's not in the current roadmap. If the spec is still valid, and it's just a different header name than is no brainer. |
A different header name for Basic Authentication will invalidate the spec. As far as I am concerned this issue can be closed, but as I said I will be happy to reconsider it if proven wrong. I am pushing support for |
Former-commit-id: b87314ece11371d118ebcf703fdc2fff7b60a3c8
This adds [Kong/lua-resty-events](https://github.com/Kong/lua-resty-events) to kong-ngx-build.
right now all the authentication plugins (basic, oauth) are using the
Authorizationheader, I should be able to customize that header, at the very least, I should be able to configure it to useProxy-Authorizationin case I want to maintain my own authentication scheme in my API service.The text was updated successfully, but these errors were encountered: