Open Obimka opened 5 years ago
Could you elaborate more about this issue? Do you mean a scenario, where there are multiple authentication methods on Kong enabled?
Exactly. Kong documentation specifies a parameter "anonymous" (id of Customer) used to redirect to when the authentication failed.
I need this added as well, here are the docs: https://docs.konghq.com/0.14.x/auth/#multiple-authentication https://docs.konghq.com/0.14.x/auth/#anonymous-access Basically they have a scheme where you can set all of your authentication plugins to allow anonymous access for a specific consumer (by id) and then you can set the request termination plugin on that consumer. In that scheme, you can "chain" multiple authentication plugins and it will use the first successful plugin used, or if all fail, it will allow the anonymous consumer which will ultimately get blocked by the request termination plugin, thus disallowing unauthorized access.
Spent the morning hacking up a solution, unfortunately we are actively using Kong 14.1 CE, so I tested/developed against that, using Kong 14.1 source code (OAuth2 plugin) as my guide. If desired I can update it for the latest 1.X. Here's a link to what I did: https://github.com/JakeEmo/kong-oidc/commit/f0c573c6488e513ed84b2ebbb2086fd0fb3a2933
Also having this issue.
https://github.com/gbbirkisson/kong-plugin-jwt-keycloak allows this feature.
Check for config.anonymous:
An optional string (consumer uuid) value to use as an “anonymous” consumer if authentication fails. If empty (default), the request will fail with an authentication failure 4xx. Please note that this value must refer to the Consumer id attribute which is internal to Kong, and not its custom_id.
This exact feature is what is missing.
Ok, opened https://github.com/nokia/kong-oidc/pull/160
Example configuration:
```yaml
_format_version: "1.1"

services:
- name: test-service
  url: http://my-service-endpoint
  plugins:
  - name: oidc
    config:
      client_id: my-client-id
      client_secret: my_client_super_secret
      discovery: https://auth.example.com/auth/realms/master/.well-known/openid-configuration
      anonymous: 996f6f74-4233-4f45-b5ea-9209892facd1
  routes:
  - name: test-route
    paths:
    - /
    preserve_host: true

consumers:
- username: anonymous_users
  id: 996f6f74-4233-4f45-b5ea-9209892facd1
```
You get the headers:
```
x-anonymous-consumer: "true"
x-consumer-id: "996f6f74-4233-4f45-b5ea-9209892facd1"
x-consumer-username: "anonymous_users"
```
Tested with this dockerfile:
```dockerfile
FROM kong:2.0
ENV KONG_PLUGINS=bundled,oidc
ENV KONG_LOG_LEVEL=debug
USER root
RUN apk add --no-cache zip git && \
    luarocks install https://raw.githubusercontent.com/ahoulgrave/kong-oidc/allow-anonymous/kong-oidc-1.1.0-0.rockspec
USER kong
```
Which you can use until a final solution comes up.
Edit: fixed luarocks install url
As far as I can see, the plugin's missing the parameter "anonymous" to implement it in a multi-authorization method in Kong.
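The chaining scheme described in the thread only denies access if the anonymous consumer is actually blocked by request-termination; with `anonymous` set and no termination plugin, a failed login is forwarded upstream with `x-anonymous-consumer: "true"`. The following check is an added example, not code from this thread or from kong-oidc: it audits a Kong declarative config for that gap. The function names are hypothetical, and it assumes the config is already parsed into a dict and that request-termination is bound either under the consumer's `plugins` or as a top-level plugin with a `consumer:` string.

```python
# Added example (hypothetical helper names): flag auth plugins whose
# `anonymous` fallback consumer is not blocked by request-termination.

def iter_plugins(cfg):
    """Yield (scope, plugin) for global, service-level and route-level plugins."""
    for p in cfg.get("plugins", []):
        yield "global", p
    for svc in cfg.get("services", []):
        for p in svc.get("plugins", []):
            yield f"service:{svc.get('name')}", p
        for rt in svc.get("routes", []):
            for p in rt.get("plugins", []):
                yield f"route:{rt.get('name')}", p

def terminated_consumers(cfg):
    """Return ids/usernames of consumers that carry request-termination."""
    blocked = set()
    for c in cfg.get("consumers", []):
        if any(p.get("name") == "request-termination" for p in c.get("plugins", [])):
            blocked.update(filter(None, (c.get("id"), c.get("username"))))
    for p in cfg.get("plugins", []):  # top-level plugin bound via `consumer:`
        if p.get("name") == "request-termination" and isinstance(p.get("consumer"), str):
            blocked.add(p["consumer"])
    return blocked

def audit_anonymous(cfg):
    """Return (scope, plugin name, problem) for every unsafe anonymous fallback."""
    consumers = {c.get("id"): c for c in cfg.get("consumers", [])}
    blocked = terminated_consumers(cfg)
    findings = []
    for scope, p in iter_plugins(cfg):
        anon = (p.get("config") or {}).get("anonymous")
        if not anon:
            continue  # plugin rejects failed authentication itself
        c = consumers.get(anon)  # `anonymous` must be the consumer id, not custom_id
        if c is None:
            findings.append((scope, p["name"], "anonymous id matches no consumer"))
        elif not blocked & {c.get("id"), c.get("username")}:
            findings.append((scope, p["name"], "anonymous consumer is not terminated"))
    return findings

# Constructed sample modelled on the example configuration in the thread.
ANON = "996f6f74-4233-4f45-b5ea-9209892facd1"

def sample(consumer_plugins):
    return {"services": [{"name": "test-service", "plugins": [
                {"name": "oidc", "config": {"anonymous": ANON}}]}],
            "consumers": [{"username": "anonymous_users", "id": ANON,
                           "plugins": consumer_plugins}]}

if __name__ == "__main__":
    print(audit_anonymous(sample([])))
```

A finding is not always a misconfiguration: a route may intentionally serve anonymous users, in which case the upstream must treat `x-anonymous-consumer` as untrusted-identity traffic.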