-
Notifications
You must be signed in to change notification settings - Fork 4.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow multiple authentication methods per API and/or Consumer #590
Comments
👍 |
This exact use case was presented today during a Kong POC meeting. |
We need #505 (and we need it to be done right) for this. |
Some other issues mentioned similar concerns and reference this one. It is worth also browsing them for additional concerns and requirements for multiple authentication methods. |
Hi, i just want to provide some additional information which can be useful.
When we add up all those policies, server side receives following headers:
--the followin are due to the JWT What I now miss -in order to setup an tenant/application context-, is the consumer-id of the consumer for key-auth. Because of the use of JWT, my consumer-id will be set with the consumer for the JWT token. can we prioritize policies in an order to apply? regards, |
+1 |
👍 |
Would love to see an update on this... Has been quite a long time since there was action and there is no proposal for how it will work. |
Well, maybe if we create a plugin with high priority and this plugin is responsible for manage the auth chain, when you enable this plugin, you should set the list of auth types and the order of this list is the priority, see the example bellow:
It's necessary to enable authentication plugins first. |
The new 0.10RC has multiple auth, in a logical OR fashion. In that case if it remains unauthenticated, it will still proxy, but will set a header that it is an anonymous user (you can set which consumer to use as the 'anonymous' one) see https://github.com/Mashape/getkong.org/pull/309/files |
@Tieske is there anyway to configure the API so that at least one auth methods must have succeeded to proxy? |
not yet, but that could be done with #2051 If you'd attach that to the consumer defined as |
That feels a bit hackish to me. Would be really nice if you can a only_allow_access_if_authenticated to an api, but would be difficult to implement with the really nice modular structure of plugins that is now in use. |
implemented using the anonymous consumer. In 0.10 already... |
I've had a bit of a play and while it seems to work, if you don't provide any authentication and you're using the ACL plugin you get an error (#2547). If you wish to have an authenticated API secured by one of two methods and disallowing anonymous auth you'd expect a HTTP 401 response if you hit the endpoint without supplying credentials (which is what happens if you're hitting an API secured by only one auth method), but this doesn't happen currently. Aside from the ACL bug (arguably it should look up the anonymous consumer id which would let a proper ACL lookup happen), that would then return a HTTP 403 if that issue is resolved. There should be a way to differentiate between an API that allows anonymous access, key login and basic auth from an API that allows key login and basic auth but disallows anonymous auth. |
@nvx #2547 was just closed, fixed by #2722 in 0.11RC2.
You should configure the |
Ah that'll do it. So enable the request termination plugin for that API and the anonymous consumer? Does sound like a better option than relying on a side effect of the ACL plugin. |
as an API provider, I need to protect my end users through an authentication scheme (such as basic auth) but also provide a developer/partner level authentication (such as key auth)
Kong needs to authenticate both consumer objects (representing both the end user and the developer/partner)
The text was updated successfully, but these errors were encountered: