Allow only specific consumers on a route

Hello everyone!

Let me explain our scenario:

We have an endpoint called, for example, /superSecure.
We want that endpoint to have basic authentication but ONLY for certain consumers.
Every consumer not selected to go to the basic authentication step should be automatically blocked.

We tried to accomplish that with the basic-auth plugin but we weren’t able to do the last part of targeting only specific consumers. We always get the same error when we try to set something in the “consumer” field:

“schema violation (consumer: value must be null)”

Just for the record, we are using Konga for managing Kong, but with cURL we are also receiving the same error. And our Kong is on Kubernetes.

Thanks in advance.

Hey @alesanchez, welcome to Kong Nation!

Authentication plugins cannot be applied on consumers - note they have a no_consumer attribute.

From what I understood about the use case, the following will accomplish it - applying the auth plugin on the route or the service (given you want all consumers without a credential to be blocked):

  • Create a route/service:
curl localhost:8001/services --data name=s1 --data url=https://httpbin.org
curl localhost:8001/routes --data name=r1 --data service.id=95f9114f-e957-470f-96e3-2fde45a04941 --data paths=/
  • Enable the basic-auth plugin on the route (or the service, if you want the plugin to be applied to all requests targeting that service):
curl localhost:8001/routes/r1/plugins --data name=basic-auth
  • Create a Consumer:
curl localhost:8001/consumers --data username=c1
  • Create a basic-auth credential for that consumer:
curl localhost:8001/consumers/c1/basic-auth --data username=u1 --data password=pass

Having done this, all requests without the credential will be blocked:

$ curl -I localhost:8000/status/200
HTTP/1.1 401 Unauthorized
Date: Tue, 09 Jun 2020 19:37:47 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
WWW-Authenticate: Basic realm="kong"
Content-Length: 30
X-Kong-Response-Latency: 4
Server: kong/2.0.4

Now, if you add the Authorization header, as expected, the request will be authorized:

$ curl -I localhost:8000/status/200 -H "Authorization: Basic dTE6cGFzcw=="
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 0
Connection: keep-alive
Date: Tue, 09 Jun 2020 19:39:19 GMT
Server: gunicorn/19.9.0
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
X-Kong-Upstream-Latency: 601
X-Kong-Proxy-Latency: 33
Via: kong/2.0.4

Let me know if that helps!
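To turn the two curl checks above into a repeatable test, here is an added example that is not part of the original thread. It assumes the route, consumer and credential created in the answer, and reads the proxy URL from an environment variable named KONG_PROXY (a name chosen here, not a Kong setting).

```shell
#!/usr/bin/env bash
# Added example: smoke-test that a Kong route protected by basic-auth
# denies requests without a credential (401) and admits a consumer's
# credential (200), i.e. the behaviour shown in the thread.
# Assumptions: proxy reachable at $KONG_PROXY, route paths=/ in front of
# httpbin, and the credential u1/pass created for consumer c1.
set -u

# Build the Authorization header value from a user:password pair
# (u1/pass yields "Basic dTE6cGFzcw==", the value used in the thread).
basic_auth_header() {
  printf 'Basic %s' "$(printf '%s' "$1:$2" | base64 | tr -d '\n')"
}

# Print only the HTTP status code of a HEAD request; "000" if unreachable.
http_status() {            # usage: http_status URL [HEADER]
  if [ -n "${2:-}" ]; then
    curl -s -o /dev/null -w '%{http_code}' -I -H "$2" "$1"
  else
    curl -s -o /dev/null -w '%{http_code}' -I "$1"
  fi
}

# Return 0 only if the route is closed without a credential and open with one.
check_basic_auth_route() {  # usage: check_basic_auth_route URL USER PASS
  local url="$1" user="$2" pass="$3" anon auth
  anon="$(http_status "$url")"
  auth="$(http_status "$url" "Authorization: $(basic_auth_header "$user" "$pass")")"
  if [ "$anon" = "401" ] && [ "$auth" = "200" ]; then
    echo "ok: $url denies anonymous ($anon) and admits $user ($auth)"
    return 0
  fi
  echo "FAIL: $url anonymous=$anon authenticated=$auth (expected 401 / 200)" >&2
  return 1
}

# Run the check only when KONG_PROXY is set, e.g. KONG_PROXY=http://localhost:8000
if [ -n "${KONG_PROXY:-}" ]; then
  check_basic_auth_route "$KONG_PROXY/status/200" u1 pass
fi
```

Because any consumer holding a basic-auth credential passes this check, a failing run tells you the plugin is missing or misconfigured, not that the wrong consumer got in.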

Thank you very much for your answer!! Ok, it makes sense. But one last question. That means that every user with basic auth credentials is going to be able to log in with those credentials to any route protected by the basic auth plugin, am I right?

That is correct, @alesanchez. This might also be useful to you: https://docs.konghq.com/2.0.x/auth/#anonymous-access - if you haven’t already read it. Happy Konging! :gorilla:
