Rest Authentication

[kinncj]

Summary

Configure a payload where an auth key is sent (as the key authentication plugin) and a 403 is returned in case of failure.

[subnetmarco]

@kinncj did you have any problem with the Key Authentication plugin?

[kinncj]

No...
This was done through the "Suggest Plugin" button (https://getkong.org/plugins/) which is pretty bad btw.

My plugin suggestion is a Rest Authentication, where you can define an URL that will handle authentications (or even a previously configured API) and return the proper status code, so kong knows when the user got authenticated or not.

This way, for every API request that has the plugin enable, 2 requests would be made... one for authentication, the other to the actual configured API.

It would match (a bit) with this ticket #155

In my case, I want my "/authenticate" endpoint to be called before every configured API call, instead of using Kong's authentication plugins (we handle our own authentication).

[subnetmarco]

@kinncj I see - I have a few questions:

1. Would this endpoint be invoked once and then the result cached for a specific amount of time before being requested again?
2. Should this endpoint cache the result indefinitely and provide an invalidation endpoint that you can invoke to de-authorize the user?
3. The third, but bad, solution would be to invoke the /authenticate endpoint every-time but it will add latency on every request.
4. Should the /authenticate endpoint send you the full request, or only specific headers, specific query-string or form parameters?

[kinncj]

@thefosk , can be every-time if it's easier.

Let's not call it /authenticate, my bad, but this will make a confusion.

Let's call it /authorized.

My api will be named test and will have the upstream as http://localhost:8080/users and path /users
My authorization endpoint will have as the upstream http://whateverhost:9000/authorized
can receive an access_token through query string or a Bearer authorization header.

Would be nice if I add theRest Authentication plugin to test, so every-time someone calls /users we forward the querystring + headers to /authorized which is my own code and will deal with the querystring and headers info (Bearer authorization let's say), it will return back the status code, which could be 401, 403, 407 for Unauthorized, or any 200/300 for success.

if success, it forwards the request to http://localhost:8080/users, otherwise, return the error message retrieved from /authorized

makes sense?

[faabiosr]

Good ideia @kinncj 👍

You have any kind of ideia about caching the /authorized request?

I say this because Kong will make a lot of requests for /authorized.

[kinncj]

I believe it should be configurable.
The api can always hit, can cache based on a config or cache based on token's TTL.

[udangel-r7]

I really like that, this would allow fine grained authorisation to resources

[rahil471]

This is perfect! We have our own lite-weight API gateway that does this.
Was thinking to move to kong for bigger projects, the 1st thing I was looking was this feature, but unfortunately, couldn't find it, and came across this thread.

In fact, there should be a feature that allows calling any 3rd party endpoint or multiple endpoints. The plugin should take action based on HTTP codes.