apisix
apisix copied to clipboard
apache
feat: As a user, I want to use forward-auth as part of multi-auth, so that I can keep my route configuration simple
Description
I have OAuth2-Proxy implemented to protect endpoints for front-end and back-end APIs.
The multi-auth plugin is helpful to implement basic-auth and key-auth. However, for front end web app, we would like to use the SESSION cookie set by OAuth2-Proxy via the forward-auth plugin in APISIX to keep the route configuration simple.
It works very well with the below configuration:
// Works!
{
"uri": "/echo",
"name": "api-example",
"plugins": {
"forward-auth": {
"uri": "http://my-release-oauth2-proxy:4180/oauth2/auth",
"request_headers": ["Cookie"],
"upstream_headers": ["Cookie"],
"client_headers": ["Location"]
}
},
"upstream": {
"nodes": [
{
"host": "my-release-api-example",
"port": 1234,
"weight": 1
}
],
"type": "ewma",
"scheme": "http",
"pass_host": "pass"
}
}
But it would be good to also make it work with below configuration:
// Does not work!
{
"uri": "/echo",
"name": "api-example",
"plugins": {
"multi-auth": {
"auth_plugins": [
{
"basic-auth": {}
},
{
"key-auth":{
"query":"apikey",
"hide_credentials":true,
"header":"apikey"
}
},
{
"forward-auth": {
"uri": "http://my-release-oauth2-proxy:4180/oauth2/auth",
"request_headers": ["Cookie"],
"upstream_headers": ["Cookie"],
"client_headers": ["Location"]
}
}
]
}
},
"upstream": {
"nodes": [
{
"host": "my-release-api-example",
"port": 1234,
"weight": 1
}
],
"type": "ewma",
"scheme": "http",
"pass_host": "pass"
}
}
// Get response from APISIX as:
// {"error_msg":"failed to check the configuration of plugin multi-auth err: forward-auth plugin is not supported"}
There are many workarounds and this is not a blocker. But would be very nice to have.
