Our scenario is as follows:
We have a large number of services that we want to use Kong to route to.
/service-1 goes to service1.myapi.com
/service-2 goes to service2.myapi.com
/service-n goes to servicen.myapi.com
By default, we want everything to be authenticated. For this, we are leveraging the OpenID-Connect plugin. Initially, this was set up with a target of Global.
However, there are a number of routes that we want to be unauthenticated (allow anonymous), for example /service-1/health and /service-2/echo.
At first, we tried changing the OpenID-Connect plugin to have a target of scoped, but we could only target a single route. Regardless, ideally we’d be able to protect everything by default, and only explicitly expose routes (i.e. target global EXCEPT).
What we have tried so far is having 2 gateways. The first (auth-gateway) has a / route set up that has the OIDC plugin enabled, and a few explicitly unsecured routes that don’t have the plugin enabled. All of these routes forward traffic to the second gateway (routing-gateway), which pays no attention to authentication, but routes the request to the correct upstream. However this solution feels quite convoluted for what we’re trying to accomplish.
What is the best way to tackle this situation?
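One way to express the "secure by default, expose explicitly" setup on a single gateway, as an added example that is not part of the original post and not a confirmed answer from the thread: a decK-style declarative config in which the OpenID Connect plugin is attached globally, and each route that should be reachable anonymously carries its own instance of the same plugin with `config.anonymous` set. This relies on two documented Kong behaviours: a plugin configured on a route takes precedence over a global instance of the same plugin, and the longest matching path prefix wins when routes overlap, so /service-1/health is matched by its own route rather than by /service-1. The hostnames come from the post; the issuer URL, client credentials, consumer name, `strip_path` choices and the assumption that this Kong version accepts a consumer username in `anonymous` are mine.

```yaml
# Added example (assumed decK declarative format, Kong Enterprise OpenID Connect plugin).
_format_version: "3.0"

# Consumer that unauthenticated requests are mapped to on the exposed routes.
# Upstreams can still tell the two cases apart via the consumer headers Kong sets.
consumers:
  - username: anonymous-health   # constructed name

# Default: every request through the gateway must present a valid OIDC token.
plugins:
  - name: openid-connect
    config:
      issuer: https://idp.example.com/.well-known/openid-configuration   # placeholder
      client_id:
        - PLACEHOLDER_CLIENT_ID
      client_secret:
        - PLACEHOLDER_CLIENT_SECRET
      auth_methods:
        - bearer

services:
  - name: service-1
    url: https://service1.myapi.com
    routes:
      # Catch-all for the service: inherits the global plugin, so it stays protected.
      - name: service-1
        paths:
          - /service-1
        strip_path: true          # assumption: upstream does not expect the /service-1 prefix

      # Explicit exception: the longer prefix wins, and the route-level plugin
      # instance replaces the global one. With `anonymous` set, a request with
      # no token (or a bad one) is let through as the anonymous consumer instead
      # of receiving 401; a request with a valid token is still identified normally.
      - name: service-1-health
        paths:
          - /service-1/health
        strip_path: false         # assumption: forward /service-1/health unchanged
        plugins:
          - name: openid-connect
            config:
              issuer: https://idp.example.com/.well-known/openid-configuration   # placeholder
              client_id:
                - PLACEHOLDER_CLIENT_ID
              client_secret:
                - PLACEHOLDER_CLIENT_SECRET
              auth_methods:
                - bearer
              anonymous: anonymous-health

  - name: service-2
    url: https://service2.myapi.com
    routes:
      - name: service-2
        paths:
          - /service-2
        strip_path: true

      - name: service-2-echo
        paths:
          - /service-2/echo
        strip_path: false
        plugins:
          - name: openid-connect
            config:
              issuer: https://idp.example.com/.well-known/openid-configuration   # placeholder
              client_id:
                - PLACEHOLDER_CLIENT_ID
              client_secret:
                - PLACEHOLDER_CLIENT_SECRET
              auth_methods:
                - bearer
              anonymous: anonymous-health
```

Applied with `deck sync`, this keeps one gateway and one routing table: adding a new service only requires its catch-all route, which is protected with no further configuration, and every unauthenticated path is visible in the config as a route carrying an `anonymous` override. Two points worth checking in your own deployment: that the route-level instance overrides rather than stacks with the global one (verify by sending a request with no token to /service-1/health and to /service-1 and comparing the responses), and that nothing downstream of the exposed routes trusts the consumer headers without checking whether the consumer is the anonymous one.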