Hello Kong Nation,
I’m finally playing with my Kong Gateway and want to apply the following regular access management.
Let’s say I have 2 objects
/objects/1
/objects/2
and 2 consumers
Consumer 1, identified by a JWT Token 1, should only be able to get /objects/1
Consumer 2, identified by a JWT Token 2, should only be able to get /objects/2
The problem is quite simple, however, I’m not sure about the proper way to do this with Kong, even if I read a lot about that.
I see 2 approaches:
- 2 different routes, then the ACL plugin on both to check if the token matches the requested resource
  -> Unsustainable if I need to manage billions of objects
- 1 single route /objects/* but then my backend will have to check if this JWT token can access this resource, maybe through some kind of ACL backend
  -> In that case, can Kong do this check with a dedicated plugin (pre-request action) and block the request before?
Thanks for any help! I just hope the answer is not obvious
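For the second approach (one /objects/* route, with the check done in the gateway before the request is proxied), the mechanism in Kong is a custom plugin whose `access` handler runs after the bundled `jwt` plugin and rejects the request itself. The following is an added example written for this thread, not code from Kong or from the original poster. It assumes a hypothetical plugin named `object-owner-check` made of the usual two files (`handler.lua`, `schema.lua`), that the `jwt` plugin is enabled on the same route so `kong.client.get_consumer()` is already populated (the plugin's `PRIORITY` of 900 is lower than jwt's, so it runs afterwards), and that the ownership source is a constructed `owners` map in the plugin config, which stands in for the ACL backend lookup the post mentions.

```lua
-- handler.lua  (hypothetical plugin "object-owner-check"; example code, not Kong's own)
-- Runs in the access phase after the bundled jwt plugin, so the consumer the
-- token was mapped to is already available through the PDK.
local ObjectOwnerCheck = {
  PRIORITY = 900,    -- lower than jwt, so authentication has already happened
  VERSION  = "0.1.0",
}

-- Pull the object id out of /objects/<id>; returns nil for any other path shape.
local function object_id_from_path(path)
  return path:match("^/objects/([^/]+)$")
end

function ObjectOwnerCheck:access(conf)
  local consumer = kong.client.get_consumer()
  if not consumer then
    -- Fail closed: no authenticated consumer means the jwt plugin did not run
    -- on this route or did not accept the token.
    return kong.response.exit(401, { message = "Unauthorized" })
  end

  local id = object_id_from_path(kong.request.get_path())
  if not id then
    -- Anything that is not exactly /objects/<id> is denied rather than proxied.
    return kong.response.exit(403, { message = "Forbidden" })
  end

  -- conf.owners is a constructed object-id -> consumer-username map for this demo.
  -- With billions of objects this lookup would instead be a cached call to an
  -- ownership/ACL service; the decision logic below stays the same.
  local owner = conf.owners[id]
  if owner == nil or owner ~= consumer.username then
    kong.log.warn("consumer ", consumer.username or consumer.id,
                  " denied access to object ", id)
    return kong.response.exit(403, { message = "Forbidden" })
  end
  -- Falling through lets Kong proxy the request to the upstream.
end

return ObjectOwnerCheck

-- ---------------------------------------------------------------------------
-- schema.lua  (same hypothetical plugin)
local typedefs = require "kong.db.schema.typedefs"

return {
  name = "object-owner-check",
  fields = {
    { protocols = typedefs.protocols_http },
    { config = {
        type = "record",
        fields = {
          -- object id -> owning consumer username (constructed demo data, e.g.
          -- { ["1"] = "consumer1", ["2"] = "consumer2" })
          { owners = { type = "map",
                       keys = { type = "string" },
                       values = { type = "string" },
                       required = true } },
        },
    } },
  },
}
```

With `owners = { ["1"] = "consumer1", ["2"] = "consumer2" }` on the route, a request for /objects/2 carrying consumer1's token is answered with 403 by the gateway and never reaches the backend, while /objects/1 with the same token is proxied. The plugin deliberately denies whenever the consumer is missing or the object has no recorded owner, so a gap in the ownership data fails closed instead of open.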