nokia / kong-oidc

OIDC plugin for Kong
Apache License 2.0

Bearer only clients #26

Closed lodrantl closed 6 years ago

lodrantl commented 6 years ago

Now that this plugin supports token introspection, it would be useful to allow setting up bearer token only clients. This would mimic Keycloaks native bearer_only adapter setting.

Instead of redirecting in case of bad or unexisting token, a 401 HTTP error would be thrown with a WWW-Authenticate header also set.

I am preparing a PR for this issue. Opinions?

Trojan295 commented 6 years ago

Hey,

Good idea! The introspection feature has currently only basic functionality. It's nice someone's trying to use it. I like the idea with the WWW-Authenticate header.

In general I see two options how people could use this:

  1. Use the standard OIDC Authorization Code grant, but enable also optional Bearer token verification and allow such requests (that's what currently is)
  2. Use only the Bearer only mode

To enable mode 1) it's required to set the introspection_endpoint and I'm thinking about how setting 2) could look. The simplest option is to define an optional bool field. But in mode 2) many of the configuration options are not necessary. I would define a config field, which would denote the mode of operation of the plugin (active/bearer_only) and based on this other configuration parameters would be required. The active mode would work like now, while for the bearer_only mode the introspection_endpoint would be required and the WWW-Authenticate header would be required.

WDYT?

@tecnobrat, I think this could be something you are interested in. Any thoughts?

lodrantl commented 6 years ago

In the PR I referenced, the changes are the following:

In this mode only introspection_endpoint, client_id and client_secret are required. I also like the idea of a configurable WWW-Authenticate header.
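To make the two behaviours discussed in this thread concrete, here is an added Python model (not kong-oidc code, which is written in Lua) of the mode-dependent config check and the 401-versus-redirect decision for a request without a valid bearer token. The required-field list for the active mode, the `realm` parameter, the `error="invalid_token"` detail (taken from RFC 6750) and the redirect target are assumptions of this illustration.

```python
from typing import Callable, Optional

# Fields each mode needs. The bearer_only list follows the thread; the
# active list is an assumption standing in for "works like now".
REQUIRED_FIELDS = {
    "active": ("client_id", "client_secret"),
    "bearer_only": ("client_id", "client_secret", "introspection_endpoint"),
}


def validate_config(conf: dict) -> list:
    """Return the config fields missing for the configured mode (empty = valid)."""
    mode = conf.get("mode", "active")
    if mode not in REQUIRED_FIELDS:
        return [f"unknown mode: {mode}"]
    return [name for name in REQUIRED_FIELDS[mode] if not conf.get(name)]


def handle_request(conf: dict, auth_header: Optional[str],
                   introspect: Callable[[str], bool]) -> dict:
    """Decide what the plugin does with one request.

    introspect() stands in for the call to introspection_endpoint and
    returns True only for an active token.
    """
    token = None
    if auth_header and auth_header.lower().startswith("bearer "):
        token = auth_header[7:].strip()
    if token and introspect(token):
        return {"status": 200}  # valid bearer token: let the request through

    if conf.get("mode", "active") == "bearer_only":
        # No redirect in this mode: answer 401 and tell the client how to authenticate.
        challenge = f'Bearer realm="{conf.get("realm", "kong")}"'
        if token:  # token was present but rejected by introspection
            challenge += ', error="invalid_token"'
        return {"status": 401, "headers": {"WWW-Authenticate": challenge}}

    # Active mode keeps today's behaviour: start the Authorization Code flow.
    return {"status": 302,
            "headers": {"Location": conf.get("authorization_endpoint", "/auth")}}
```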