Implements anonymous behavior

[pariviere]

The plugin must allow the execution of other authentification that run after.

It is usually implemented by the config.anonymous parameter which can be found in other authentification plugin.

[Yorlin974]

Hello @pariviere ,

401 still occured

Jul 26 14:43:02 UAGWRRP1 kong[57461]: {"tries":[],"consumer":{"created_at":1654241046,"id":"5ee84acc-382e-4401-affd-25a2cac0923b","username":"anonymous"},"latencies":{"proxy":-1,"kong":29,"request":29},"started_at":1658832182004,"response":{"headers":{"server":"kong/2.4.0","vary":"Origin","content-type":"application/json; charset=utf-8","content-length":"26","connection":"close","x-kong-response-latency":"29"},"status":401,"size":246},"client_ip":"10.241.46.123","upstream_uri":"/status","service":{"created_at":1654241046,"updated_at":1654241046,"name":"svi-facade-preprod-service","connect_timeout":60000,"write_timeout":60000,"read_timeout":60000,"id":"f27478d9-72c8-4fd7-9565-64dc59e66021","retries":5,"host":"svi-facade","port":443,"protocol":"https","ws_id":"0246cf14-d412-45e3-8b52-d2c113430f74"},"route":{"created_at":1657198184,"updated_at":1657198184,"path_handling":"v0","protocols":["http","https"],"https_redirect_status_code":426,"id":"4068fb8e-0864-4392-a063-00c9ecf81d5c","paths":["/sviFacade-preprod/v1"],"name":"svi-facade-preprod-route-v1","service":{"id":"f27478d9-72c8-4fd7-9565-64dc59e66021"},"strip_path":true,"request_buffering":true,"response_buffering":true,"preserve_host":false,"regex_priority":0,"ws_id":"0246cf14-d412-45e3-8b52-d2c113430f74"},"request":{"uri":"/sviFacade-preprod/v1/status","headers":{"postman-token":"e4cc94c3-ea47-4751-a192-bbde15049094","accept-encoding":"gzip, deflate, br","x-consumer-username":"anonymous","authorization":"REDACTED","x-anonymous-consumer":"true","x-consumer-id":"5ee84acc-382e-4401-affd-25a2cac0923b","connection":"keep-alive","host":"gwapi-ua.si.reunion.ftm.francetelecom.fr","user-agent":"PostmanRuntime/7.29.2","accept":"*/*"},"size":329,"querystring":{},"tls":{"version":"TLSv1.3","cipher":"TLS_AES_128_GCM_SHA256","client_verify":"NONE"},"method":"GET","url":"https://gwapi-ua:8443/sviFacade-preprod/v1/status"}}

Any idea ?

[pariviere]

Hello,

Can you be more specific ?

You have to use anonymous config if you want to allow the use of other authentication plugin like basic-auth.

The following declarative configuration works great with the last version of the plugin

_format_version: "1.1"
services:
  - name: mockbin-service
    url: http://mockbin.org
    routes:
      - name: mockbin-path
        paths:
          - /
        preserve_host: false
        protocols:
          - http
          - https
plugins:
  - name: basic-auth
    config:
      anonymous: anonymous
  - name: jwt
    config:
      anonymous: anonymous
  - name: jwt-ext
    config:
      anonymous: anonymous
      scopes_claim: roles
      scopes_required: 
        - administrator
      claims_headers:
        - iss:x-jwt-iss
        - sub:x-jwt-sub
        - scope:x-jwt-scope
        - "client_id: x-jwt-client-id"
        - application_roles:x-jwt-roles
        - _validated_scope:x-jwt-validated-scope

consumers:
  - username: anonymous
    plugins:
      - name: request-termination
        config:
          status_code: 401
  - username: demo_basic
    basicauth_credentials:
     - username: foo
       password: bar
  - username: demo_jwt
    jwt_secrets:
      - key: demo_key
        algorithm: HS256
        secret: demo_secret

With this configuration :

• if no basic auth nor jwt is found : 401
• if basic auth can not validate credential: 401
• if JWT is not verified: 401
• if JWT-ext can not validate scope claim: 401
• Valid basic auth: 200
• Valid JWT and JWT-ext: 200

[pariviere]

NOTE : with e9a481a4d9f5611166593313c177fa0f3f5f0762 jwt-ext was not executed if jwt can authenticate user. It should be fixed with 6be69af311abe989c90b0e503dd33c38a281477c