Combine OAuth2 with existing serverside Authentication methods

Our API is currently accessible using Basic Authentication directly on the API server itself. The user credentials are stored in our database and we perform credential checking locally.

Now I’ve implemented the OAuth2 plugin using the Kong guidelines. As a first attempt I’ve set this up using a separate route, and everything is working correctly.

Now I want to combine this with the way we currently work, in order to maintain some backwards compatibility for at least several months. So essentially the user can either use OAuth2, or the Authorization header is passed on to the backend for us to do the checking.

I know I can use the “basic authentication” plugin in Kong, but that would require me to recreate all my users as consumers in Kong and keep them synced, which is too much hassle…

Are there solutions for this?

Answering my own question here, because I have figured it out. I hope it can help someone else.

I’ve created a new Kong consumer called ‘anonymous’ (but the name doesn’t matter). I’ve then enabled anonymous access in the OAuth config using the UUID of the consumer. This way, when OAuth fails, it assumes the anonymous consumer is logged in.

Also the ‘hide credentials’ setting in OAuth must be set to false.

In my backend I just ignore the anonymous user, and parse the Authorization headers like I used to.
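The backend side of the setup described in the answer above, as an added example that is not code from the original post or from Kong: once the OAuth2 plugin has `config.anonymous` pointing at the placeholder consumer and `config.hide_credentials=false`, every request reaches the backend either with the consumer Kong authenticated via OAuth2 or with the `anonymous` consumer plus the untouched `Authorization` header. The header names `X-Consumer-ID`, `X-Consumer-Username` and `X-Anonymous-Consumer` are the ones Kong forwards upstream; the user store, salt and credentials are constructed for the example, and the consumer name `anonymous` follows the post.

```python
import base64
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed user store standing in for the backend's own database:
# username -> (salt, PBKDF2-SHA256 hash of the password).
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed, fixed so the example is reproducible
USERS = {
    "alice": (_SALT, _hash_password("correct horse", _SALT)),  # constructed test user
}

# Name of the placeholder consumer the OAuth2 plugin falls back to (from the post).
ANONYMOUS_CONSUMER = "anonymous"


def basic_header(username: str, password: str) -> str:
    """Build a Basic Authorization header value (used by callers and tests)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def check_basic_auth(authorization: Optional[str]) -> Optional[str]:
    """Return the username if the Basic Authorization header verifies, else None."""
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(authorization[6:], validate=True).decode("utf-8")
        username, _, password = decoded.partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    record = USERS.get(username)
    if record is None:
        # Hash anyway so unknown and wrong-password users take similar time.
        _hash_password(password, _SALT)
        return None
    salt, expected = record
    if hmac.compare_digest(_hash_password(password, salt), expected):
        return username
    return None


def authenticate(headers: dict) -> Optional[Tuple[str, str]]:
    """
    Decide who the caller is from the headers Kong forwards upstream.
    Returns ("oauth2", consumer) when Kong authenticated a real consumer,
    ("basic", username) when the legacy Basic credentials verify, else None.
    """
    h = {k.lower(): v for k, v in headers.items()}
    anonymous = (
        h.get("x-anonymous-consumer", "").lower() == "true"
        or h.get("x-consumer-username") == ANONYMOUS_CONSUMER
    )
    if not anonymous and h.get("x-consumer-id"):
        # OAuth2 succeeded: trust the consumer identity Kong attached.
        return ("oauth2", h.get("x-consumer-username") or h["x-consumer-id"])
    # OAuth2 failed or no token was sent: Kong passed the request through as
    # the anonymous consumer and, with hide_credentials=false, left the
    # Authorization header intact for the backend to check as before.
    user = check_basic_auth(h.get("authorization"))
    return ("basic", user) if user else None
```

The decision only holds if the backend is reachable solely through Kong: a client that can hit the upstream directly could set `X-Consumer-ID` itself, so the network path (or an upstream-only shared secret) is what makes trusting those headers safe.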

Good news @zetisam, thanks for sharing!

For others that find this thread, you may care to also review Kong’s documentation on Anonymous Access.

Didn’t come across that link in my searches (was looking for stuff like ‘passthrough’ etc, not ‘anonymous’).
Reading the article in the documentation clears things up.

The multiple authentication bit is also very useful