Request to authentication server (not a plugin) before sending to upstream

I want to use my own authentication server, not a Kong plugin.
Can I send a request to the authentication server to check authentication before Kong sends the request to the upstream URI?

I found https://github.com/pantsel/kong-middleman-plugin, but it seems to have a performance issue.
https://github.com/pantsel/kong-middleman-plugin/issues/7

OpenID Connect/External Oauth2 token issuers?:

https://github.com/nokia/kong-oidc
https://github.com/mogui/kong-external-oauth

If you are an enterprise subscriber they have an official ballin plugin too -
https://getkong.org/plugins/ee-oauth2-introspection/

I will also be releasing one too so stay tuned :slight_smile: .

Thanks :slight_smile:

Hi,

We also had the same requirement; we have handled this using a custom plug-in. We have invoked the authorization server using Lua. Only once the token is validated will the call reach the upstream URL. Let me know if you need more details.

Thanks
Raj
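
The approach described in the post above, as an added example that is not part of the original post or of any plugin linked in this thread: the `access` handler of a Kong custom plugin that calls an external authentication server and only lets the request continue to the upstream on success. The plugin name, the `auth_url` and `timeout_ms` config fields, and the `X-Authenticated-User` header are assumptions made for illustration.

```lua
-- handler.lua of a hypothetical plugin "external-auth" (added example).
local http = require "resty.http"

local ExternalAuth = {
  PRIORITY = 1000,   -- assumed value; decides ordering against other plugins
  VERSION = "0.1.0",
}

-- conf.auth_url and conf.timeout_ms are assumed fields of this plugin's schema.lua.
function ExternalAuth:access(conf)
  local authz = kong.request.get_header("authorization")
  if not authz then
    return kong.response.exit(401, { message = "Unauthorized" },
                              { ["WWW-Authenticate"] = "Bearer" })
  end

  local client = http.new()
  client:set_timeout(conf.timeout_ms)  -- bound the latency added to every request

  -- Forward the client's credential to the auth server for validation.
  local res, err = client:request_uri(conf.auth_url, {
    method = "GET",
    headers = { ["Authorization"] = authz },
    ssl_verify = true,  -- needs lua_ssl_trusted_certificate set in Kong
  })

  -- Fail closed: an unreachable auth server must never mean "allow".
  if not res then
    kong.log.err("auth server request failed: ", err)
    return kong.response.exit(503, { message = "Authentication unavailable" })
  end

  -- Anything other than an explicit 200 is treated as a rejected token.
  if res.status ~= 200 then
    return kong.response.exit(401, { message = "Unauthorized" })
  end

  -- Drop any identity header the client supplied, then set it only from
  -- the auth server's answer so the upstream can trust it.
  kong.service.request.clear_header("X-Authenticated-User")
  local user = res.headers["X-Authenticated-User"]
  if user then
    kong.service.request.set_header("X-Authenticated-User", user)
  end
end

return ExternalAuth
```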

@rajdevdurg Can you please help with the below implementation in Kong

I am trying to implement Kong API Gateway with the client_credentials flow. I have a custom auth service that takes care of authentication of clients.

When the client tries to authenticate by presenting the client ID and secret (Basic Auth) in the auth request, I want to route the request to the custom authentication service. We have the client information saved in our database, and it is segregated into different realms (user groups). We implemented an auth-service that validates the client credentials based on the realm and generates a JWT response. The JWT has sensitive information, so it cannot be shared with the client. This auth-service has multiple versions, so we need to route the request to different auth-service endpoints based on the realm (sent in the query parameter) and a custom header.

Once the auth-service returns a JWT response, Kong should be able to generate an OAuth token and save the associated JWT in cache. This OAuth token will be shared with the client. When the client presents this token in the Authorization header, the API Gateway should be able to validate the token, get the JWT that was saved before, and inject it into the backend request.

Does Kong support any plugin for this setup? Can you please share the related GitHub links for custom plugins?

Can you please help us with the same requirement?

We need to call the backend OAuth endpoint, get the token, cache it, and then call the actual backend API endpoint in Kong.

We use a Kong for Kubernetes setup in DB mode.