I am trying to configure Kong gateway to conditionally apply a plugin when the conditions are met.
The use case here is that the OIDC plugin should be used only when there is no SSL_CLIENT_CERT header; otherwise do not use OIDC and forward the header to the upstream application.
This is my sample declarative config file:
    _format_version: "2.1"
    _transform: true
    services:
    - name: core
      host: core-service
      port: 8080
      protocol: http
      routes:
      - name: core_route
        strip_path: false
        paths:
        - /api*
      plugins:
      - name: request-transformer
        config:
          rename:
            headers:
            - SSL_CLIENT_CERT:CERTIFICATE
      - name: oidc
        config: ...
This will apply request-transformer for all requests coming to the service, and oidc, which will use the OIDC protocol for authentication. However, if the SSL_CLIENT_CERT header exists, I do not want to go to OIDC.
I was searching for a similar approach and sample configurations, but unsuccessfully.
How to configure this in Kong? Is it possible?
You should be able to run multiple routes for the same path but with different header matches.
The first of those below will match client cert requests, and you may need to ensure that the part after ~* is a regex match-all condition:
    services:
    - name: myapi
      url: http://api.example.com
      routes:
      - name: clientcert
        paths:
        - /api
        headers:
          SSL_CLIENT_CERT: ["~*(.*?)"]
        plugins:
        - name: request-transformer
          config: ...
      - name: oidc
        paths:
        - /api
        plugins:
        - name: oidc
          config: ...
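
An added example, not part of the answer above and not Kong's own code: a simplified Python model of the two-route layout that shows which route a request lands on and lists the routes that skip authentication on a header match. The route-priority rule (the matching route with the most header conditions wins) and the `AUTH_PLUGINS` set are assumptions of this sketch; since the `(.*?)` pattern only tests that the header is present, the header has to be set by the TLS-terminating proxy and removed from anything a client sends.

```python
import re

# Constructed config mirroring the answer's two routes; plugin configs are
# elided on the page, so only the plugin names appear here.
ROUTES = [
    {"name": "clientcert", "paths": ["/api"],
     "headers": {"SSL_CLIENT_CERT": ["~*(.*?)"]},
     "plugins": ["request-transformer"]},
    {"name": "oidc", "paths": ["/api"], "plugins": ["oidc"]},
]
AUTH_PLUGINS = {"oidc"}  # assumption: plugin names that count as authentication


def value_matches(patterns, value):
    """A '~*' prefix marks a regex; any other pattern is compared literally."""
    return any(
        re.search(p[2:], value) is not None if p.startswith("~*") else p == value
        for p in patterns
    )


def route_matches(route, path, headers):
    """Path is a prefix match; every header condition on the route must hold."""
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if not any(path.startswith(p) for p in route["paths"]):
        return False
    return all(
        name.lower() in hdrs and value_matches(pats, hdrs[name.lower()])
        for name, pats in route.get("headers", {}).items()
    )


def select_route(routes, path, headers):
    """Simplified model: the matching route with the most header conditions wins."""
    hits = [r for r in routes if route_matches(r, path, headers)]
    return max(hits, key=lambda r: len(r.get("headers", {})), default=None)


def auth_skipping_routes(routes):
    """Routes with no auth plugin that share a path with an authenticated route."""
    guarded = {p for r in routes if AUTH_PLUGINS & set(r["plugins"]) for p in r["paths"]}
    return [
        (r["name"], sorted(r.get("headers", {})))
        for r in routes
        if not AUTH_PLUGINS & set(r["plugins"]) and guarded & set(r["paths"])
    ]
```

Running `auth_skipping_routes` over a real declarative file (loaded into the same shape) gives a review list of every header whose presence alone takes a request off the authenticated route.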