Authentication Chaining


Need a help on one of the requirement. We would like to chain LDAP and OATH2 authentication.

Steps Followed

Registered 2 APIs in KONG say API-1 and API-2.

Created a LDAP plugin and associated it with the API-1.
Created a OAUTH2 auth plugin and associated it with the API-2.

Accessed API-1 with username and pwd, ldap plugin authenticated successfully and requested proxied to upstream.

However, we do not want the request to be proxied to upstream, instead once ldap authenticated, plugin needs to respond with success response to the client. Post that we would like to generate access tokens and use the tokens to access API-2 which would proxy to upstream and the flow continues.

Couple of things,

  1. Is there any way to skip upstream proxying after LDAP authentication and return back response to client.
  2. Post LDAP authentication, Is there a mechanism to use upstream url as kong endpoint which generates accesstoken. So that my LDAP authentication and accesstoken generation would be done with a single request and the access tokens can be used for further proxying.

on 1: please have a look at the request-termination plugin. If you configure it to return a “200 OK”, then the client knows authentication succeeded. And Kong will not proxy to the upstream.

on 2: there is no Kong plugin that does this currently. So look for a community plugin that maybe does that. or alternatively write your own custom plugin that creates and returns the token.


…So look for a community plugin that maybe does that…

One good place to find community plugins is