Currently we are using Kong to make App-to-App authorization with a oauth2 client credentials flow, this authorization is made by a plugin that check the “Authorization” header. Now we want to use Openid Connect to our User-to-App authorization case using the Kong JWT Plugin, but the Kong JWT Plugin use the same “Authorization” header to get the client token. We need to keep the two authorization layers, but the header name conflicts.
I saw that’s possible use a querystring or the cookie header to get the user token on Kong JWT Plugin, but on our use case the better approach would be use a custom header to pass the token to Kong JWT Plugin.
What do you think about add a “custom_header” field to jwt plugin schema to support the use case whereupon we already have a authentication layer using the default Authorization header? At first we will fork the Kong JWT Plugin to validate our case, but we want to submit a PR to support this feature.