Closed lodrantl closed 6 years ago
Hey,

Good idea! The introspection feature currently has only basic functionality. It's nice someone's trying to use it. I like the idea with the WWW-Authenticate header.

In general I see two options for how people could use this:

To enable mode 1) it's required to set the introspection_endpoint, and I'm thinking how setting 2) could look. The simplest option is to define an optional bool field. But in mode 2) many of the configuration options are not necessary.

I would define a config field which would denote the mode of operation of the plugin (active/bearer_only), and based on this, other configuration parameters would be required. The active mode would work like now, while for the bearer_only mode the introspection_endpoint would be required and the WWW-Authenticate header would be required.

WDYT?

@tecnobrat, I think this could be something you are interested in. Any thoughts?
In the PR I referenced, the changes are the following:

Bearer realm="kong",error="' .. err .. '"'

where err is the introspection error. In this mode only introspection_endpoint, client_id and client_secret are required. I also like the idea of a configurable WWW-Authenticate header.
Now that this plugin supports token introspection, it would be useful to allow setting up bearer-token-only clients. This would mimic Keycloak's native bearer_only adapter setting.

Instead of redirecting in case of a bad or nonexistent token, a 401 HTTP error would be thrown with a WWW-Authenticate header also set.

I am preparing a PR for this issue. Opinions?
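The active/bearer_only split discussed in this thread, written out as an added example; this is not kong-oidc's own code and does not use its API. The call to introspection_endpoint is replaced by a constructed in-memory table of RFC 7662 introspection results, the realm "kong" and the authorize URL are assumed values, and the function names (handle, www_authenticate, introspect) are made up for the illustration. In "active" mode a missing or bad token produces the redirect the plugin does today; in "bearer_only" mode every failure is a 401 carrying a WWW-Authenticate challenge built per RFC 6750 section 3.

```python
"""Bearer-only vs. active token handling for an OIDC gateway plugin.

Added illustration of the mode split proposed in the thread; not kong-oidc code.
The introspection endpoint is replaced by a constructed in-memory table, and
the realm and authorize URL below are assumed values.
"""
import re
from typing import Dict, Optional, Tuple

# Constructed stand-in for RFC 7662 introspection responses keyed by token.
# The real plugin would POST the token to introspection_endpoint using
# client_id/client_secret; unknown tokens are reported inactive (RFC 7662 2.2).
INTROSPECTION_DB: Dict[str, dict] = {
    "good-token": {"active": True, "sub": "alice", "scope": "openid"},
    "expired-token": {"active": False},
}


def introspect(token: str) -> dict:
    """Stand-in for the introspection call (assumed helper, not the plugin's)."""
    return INTROSPECTION_DB.get(token, {"active": False})


# RFC 6750 2.1: a bearer token is a b64token (no spaces, no quotes).
_B64TOKEN = re.compile(r"^[A-Za-z0-9\-._~+/]+=*$")
# Characters that may not appear unescaped inside an HTTP quoted-string:
# '"', '\\', control characters and non-ASCII. They are stripped from any
# text that came from the IdP so it cannot break the header apart.
_UNSAFE_IN_QUOTED = re.compile(r"[^\x20-\x21\x23-\x5b\x5d-\x7e]")


def www_authenticate(realm: str, error: Optional[str] = None,
                     description: Optional[str] = None) -> str:
    """Build a WWW-Authenticate: Bearer challenge per RFC 6750 section 3."""
    safe_realm = _UNSAFE_IN_QUOTED.sub("", realm)
    params = ['realm="%s"' % safe_realm]
    if error:
        # Only registered codes (invalid_request, invalid_token,
        # insufficient_scope) are ever passed here, never IdP text.
        params.append('error="%s"' % error)
    if description:
        params.append('error_description="%s"' % _UNSAFE_IN_QUOTED.sub("", description))
    return "Bearer " + ", ".join(params)


def handle(mode: str, headers: Dict[str, str], realm: str = "kong",
           authorize_url: str = "https://idp.example/authorize"
           ) -> Tuple[int, Dict[str, str], Optional[str]]:
    """Decide what the gateway does with one request.

    mode is "active" (redirect to the IdP when there is no usable token, the
    current behaviour) or "bearer_only" (never redirect; every failure is a
    401 challenge). Returns (status, response_headers, subject): 200 means
    pass upstream with the introspected subject, 302 is the browser redirect,
    401 carries the WWW-Authenticate header.
    """
    if mode not in ("active", "bearer_only"):
        raise ValueError("mode must be 'active' or 'bearer_only'")

    def reject(error: Optional[str], description: Optional[str]):
        if mode == "active":
            return 302, {"Location": authorize_url}, None
        return 401, {"WWW-Authenticate": www_authenticate(realm, error, description)}, None

    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if auth is None:
        # RFC 6750 3.1: a request carrying no credentials gets a bare
        # challenge without an error code.
        return reject(None, None)

    scheme, _, token = auth.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not _B64TOKEN.match(token):
        return reject("invalid_request", "malformed Authorization header")

    result = introspect(token)
    if not result.get("active"):
        return reject("invalid_token", "token is not active")

    return 200, {}, result.get("sub")


if __name__ == "__main__":
    print(handle("bearer_only", {}))
    print(handle("bearer_only", {"Authorization": "Bearer expired-token"}))
    print(handle("active", {"Authorization": "Bearer expired-token"}))
    print(handle("bearer_only", {"Authorization": "Bearer good-token"}))
```

One point worth keeping in mind for the real change: the Lua fragment quoted above splices err straight into the quoted error value, so an introspection message containing a double quote would yield a malformed header. The example therefore puts only the registered RFC 6750 codes in error, moves free text into error_description, and strips characters that are illegal inside a quoted-string.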