Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Missing config.anonymous parameter for multi-authentification #79

Open
Obimka opened this issue Nov 5, 2018 · 6 comments · May be fixed by #160
Open

Missing config.anonymous parameter for multi-authentification #79

Obimka opened this issue Nov 5, 2018 · 6 comments · May be fixed by #160

Comments

@Obimka
Copy link

Obimka commented Nov 5, 2018

As far as I can see, the plugin's missing the parameter "anonymous" to implement it in a multi-authorization method in kong.

@Trojan295
Copy link
Contributor

Could you elaborate more about this issue? Do you mean a scenario, where there are multiple authentication methods on Kong enabled?

@Obimka
Copy link
Author

Obimka commented Dec 17, 2018

Exactly.
Kong documentation specify a parameter "anonymous" (id of Customer) used to redirect to when the authentification failed.

@JakeCodeStuff
Copy link

I need this added as well, here are the docs: https://docs.konghq.com/0.14.x/auth/#multiple-authentication https://docs.konghq.com/0.14.x/auth/#anonymous-access
Basically they have a scheme where you can set all of your authentication plugins to allow anonymous access for a specific consumer (by id) and then you can set the request termination plugin on that consumer. In that scheme, you can "chain" multiple authentication plugins and it will use the first successful plugin used, or if all fail, it will allow the anaymous consumer which will ultimately get blocked by the request termination plugin, thus disallowing unauthorized access.

@JakeCodeStuff
Copy link

Spent the morning hacking up a solution, unfortunately we are actively using Kong 14.1 CE, so I tested/developed against that, using Kong 14.1 source code (OAuth2 plugin) as my guide. If desired I can updated it for the latest 1.X. Heres a link to what I did: JakeCodeStuff@f0c573c

@ahoulgrave
Copy link

Also having this issue.

https://github.com/gbbirkisson/kong-plugin-jwt-keycloak allows this feature.

Check for config.anonymous:

An optional string (consumer uuid) value to use as an “anonymous” consumer if authentication fails. If empty (default), the request will fail with an authentication failure 4xx. Please note that this value must refer to the Consumer id attribute which is internal to Kong, and not its custom_id.

This exact feature is what is missing.

@ahoulgrave ahoulgrave linked a pull request Apr 16, 2020 that will close this issue
@ahoulgrave
Copy link

ahoulgrave commented Apr 16, 2020

Ok, opened #160

Example configuration:

_format_version: "1.1"
services:
  - name: test-service
    url: http://my-service-endpoint
    plugins:
      - name: oidc
        config:
          client_id: my-client-id
          client_secret: my_client_super_secret
          discovery: https://auth.example.com/auth/realms/master/.well-known/openid-configuration
          anonymous: 996f6f74-4233-4f45-b5ea-9209892facd1
    routes:
      - name: test-route
        paths:
          - /
        preserve_host: true
consumers:
  - username: anonymous_users
    id: 996f6f74-4233-4f45-b5ea-9209892facd1

you get the headers:

x-anonymous-consumer: "true"
x-consumer-id: "996f6f74-4233-4f45-b5ea-9209892facd1"
x-consumer-username: "anonymous_users"

Tested with this dockerfile:

FROM kong:2.0

ENV KONG_PLUGINS=bundled,oidc
ENV KONG_LOG_LEVEL=debug

USER root

RUN apk add --no-cache zip git && \
    luarocks install https://raw.githubusercontent.com/ahoulgrave/kong-oidc/allow-anonymous/kong-oidc-1.1.0-0.rockspec

USER kong

Which you can use until a final solution comes up.

Edit: fixed luarocks install url

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

4 participants