request help: does apisix authentication plugin support multiple authentication methods at the same time #6217
Comments
Not supported yet, can you describe the scenario?

For example, I want a service or route to support jwt-auth as well as key-auth, or also hmac-auth.

This is possible, but the OR relationship is something I haven't thought of how to support.

This can be implemented by creating another plugin like "auth-combiner", which invokes some specific auth plugins and customizes their logical relationships like OR or AND.

In fact, I have doubts about this OR approach, which I now feel adds complexity. Why do you need to support so many authentication methods on only one route? Is the upstream service a compatible SSO service?

Exactly, we may need some real scenarios to help us to understand this use.

We have a scenario where we are transitioning from an older provider to a newer one, and there will be a transitionary period where we need to support users from both.
Would you be able to provide a basic example of how one would go about creating a plugin that performs this functionality?
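
One way the "auth-combiner" idea from the comments above could look as an APISIX Lua plugin. This is an added example, not part of the thread and not APISIX project code. The plugin name, the `auth_plugins` config key, the priority value and the allowlist are assumptions, as is the convention that each wrapped plugin's `rewrite()` returns nothing on success and a status code on rejection.

```lua
-- Hypothetical "auth-combiner" plugin: OR across several APISIX auth plugins.
local core = require("apisix.core")
-- Only the plugins named in the thread may be combined, so a route config
-- can never make this plugin require() an arbitrary module name.
local ALLOWED = { ["key-auth"] = true, ["jwt-auth"] = true,
                  ["basic-auth"] = true, ["hmac-auth"] = true }

local schema = {
    type = "object",
    properties = {
        -- Assumed layout: [ {"key-auth": {...}}, {"jwt-auth": {...}} ]
        auth_plugins = {
            type = "array", minItems = 2,
            items = { type = "object", minProperties = 1, maxProperties = 1 },
        },
    },
    required = { "auth_plugins" },
}
local _M = { version = 0.1, priority = 2600, type = "auth",  -- priority is an assumption
             name = "auth-combiner", schema = schema }

function _M.check_schema(conf)
    local ok, err = core.schema.check(schema, conf)
    if not ok then return false, err end
    for _, item in ipairs(conf.auth_plugins) do
        for name, sub_conf in pairs(item) do
            if not ALLOWED[name] then
                return false, "plugin not allowed in auth-combiner: " .. name
            end
            local valid, sub_err = require("apisix.plugins." .. name).check_schema(sub_conf)
            if not valid then return false, name .. ": " .. tostring(sub_err) end
        end
    end
    return true
end

function _M.rewrite(conf, ctx)
    for _, item in ipairs(conf.auth_plugins) do
        for name, sub_conf in pairs(item) do
            -- Assumption: rewrite() returns nothing on success, a status code on rejection.
            local code = require("apisix.plugins." .. name).rewrite(sub_conf, ctx)
            if code == nil then return end  -- first method that accepts wins (OR)
            core.log.warn("auth-combiner: ", name, " rejected the request, code: ", code)
        end
    end
    -- Fail closed with one generic answer; do not reveal which method failed or why.
    return 401, { message = "Authorization Failed" }
end

return _M
```

With OR semantics the route is only as strong as the weakest listed method, so for a provider migration like the one described above, keep the list to the two methods involved and drop the old one when the transition ends.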

@tokers are talking about just one proposal

This issue has been marked as stale due to 350 days of inactivity. It will be closed in 2 weeks if no further activity occurs. If this issue is still relevant, please simply write any comment. Even if closed, you can still revive the issue at any time or discuss it on the dev@apisix.apache.org list. Thank you for your contributions.

This issue has been closed due to lack of activity. If you think that is incorrect, or the issue requires additional review, you can revive the issue at any time.

I'm reopening this issue as I have a specific use case to propose. Our API is protected by the oidc plugin backed by a Keycloak IdP. We now require anonymous access to the API to allow resource sharing. We want to use the jwt-auth plugin to handle that anonymous access, and with the current setup we would need a specific endpoint to handle the anonymous requests, which is not ideal.

It seems an interesting and needed feature for APISIX, already 3 community users asked on APISIX if it is possible to enable Multiple Authentication Methods per API route endpoint. With two different routes with the same URI path "/anything/*" but different plugin configs with Key and Basic Auth, I tested it: This works fine: This does not work: Maybe the route could do an OR if multiple authentication plugins are configured.

The real-use case scenario could be when KEY/Token is not present in the header for the key-auth/JWT plugin, it should fall back on another auth plugin such as open-id connect for authentication. But currently passing no key/JWT results in an invalid key and gives a 401 error.

Would be interested in this kind of OR between authentication methods too. Use-case - Host a backend service that can be accessed from browser and some programmatic client too.

Issue description
https://docs.konghq.com/gateway/2.7.x/configure/auth/allowing-multiple-authentication-methods/
https://docs.konghq.com/gateway/2.7.x/configure/auth/
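Testing APISIX with multiple authentication plugins enabled: all of them must be satisfied for the request to pass validation, so it is an AND relationship. Could it be made configurable as an OR relationship, like Kong, so that passing any one of the checks is enough?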