I don’t think this will work OOTB with Kong. The anonymous user function is a backdoor to allow unauthenticated calls to still pass. But say I wanted to authenticate both OAuth2.0 CC pattern AND HS256 generated JWT client creds via Kong plugins for consumers.
My first thoughts are to make a new plugin on the side (call it multi-auth or w/e). Then have in the handler a check of the authorization header and, depending on its length (OAuth vs JWT; OAuth2 has a shorter token length 100% of the time), invoke the handlers of the oauth2 / jwt plugin code? But that does not make sense, because the plugins themselves need to be on the route too, right (with their own confs)?
So maybe I need to add OAuth2 + JWT plugins on the route AND a multi-auth plugin that runs before both of them to then invoke the other plugins’ handler methods manually (which will then pick up their independent confs, right?). Ofc the multi-auth plugin would in theory also need to check and see if the auth header is present and respond with a 401 or w/e if it isn’t and such, for some error handling (or just default to the oauth2 handler or something for a missing-header call).
Wish there was an elegant way to support both easily, but this makes sense to me based on the existing architecture; figured I would get any Kong/community feedback. Anyone else doing this now? Kinda curious what it looks like invoking other enabled plugins from another plugin on a given route/service, if anyone has done so.
Edit - Ooo, but if I leave the standard auth plugins enabled they would each run after the multi-auth in an unpredictable pattern… maybe add them to the route but leave the jwt / oauth plugins “disabled” so only the multi-auth truly runs, but the conf for each plugin would still be in the context of the multi-auth handler calls of the other plugins? Hmm, maybe even this would not work and I literally have to write a Frankenstein of both plugins’ logic combined… which would be super gross.
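
The header check described in the post, as an added example that is not part of the original post and not Kong or plugin source: a pure-Lua classifier a hypothetical multi-auth handler could call to decide which credential type arrived. It classifies by token structure (a compact JWT is three dot-separated base64url segments) instead of length, and assumes Bearer credentials and opaque OAuth2 access tokens that contain no dots; the module and function names are illustrative.

```lua
-- Added illustration: pure Lua, makes no Kong PDK calls.
-- Assumptions: credentials arrive as "Authorization: Bearer <token>" and
-- OAuth2 access tokens are opaque strings without "." characters.
local M = {}

-- Extract the token from a Bearer header value.
-- Returns nil when the header is absent or uses another scheme.
function M.bearer_token(authorization)
  if type(authorization) ~= "string" then return nil end
  local scheme, token = authorization:match("^%s*(%a+)%s+(%S+)%s*$")
  if not scheme or scheme:lower() ~= "bearer" then return nil end
  return token
end

-- A compact JWT (JWS) is exactly three non-empty base64url segments.
function M.looks_like_jwt(token)
  return token:match("^[%w_%-]+%.[%w_%-]+%.[%w_%-]+$") ~= nil
end

-- Returns "jwt", "oauth2" or "missing"; the caller answers 401 on "missing".
function M.classify(authorization)
  local token = M.bearer_token(authorization)
  if not token then return "missing" end
  if M.looks_like_jwt(token) then return "jwt" end
  return "oauth2"
end

-- Constructed sample header values (not real credentials).
local samples = {
  { "Bearer eyJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJkZW1vIn0.c2lnbmF0dXJl", "jwt" },
  { "bearer 3f9aK2mQx7ZpL0vT8sWcR1dYb6NhEu4J", "oauth2" },
  { "Bearer only.two", "oauth2" },   -- two segments: not a JWT
  { "Basic dXNlcjpwYXNz", "missing" }, -- wrong scheme
  { "", "missing" },
}

for _, s in ipairs(samples) do
  local got = M.classify(s[1])
  assert(got == s[2], ("expected %s, got %s"):format(s[2], got))
  print(("%-8s <- %q"):format(got, s[1]))
end
print(M.classify(nil)) -- header not sent at all

return M
```

The classification only routes the request; the selected credential still has to be verified in full (signature and claims for the JWT, token lookup for OAuth2) before the call is treated as authenticated.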