
Kong conditionally apply plugin for the service and route


I am trying to configure the Kong gateway to conditionally apply a plugin when certain conditions are met.

The use case here is that the OIDC plugin should be used only when there is no SSL_CLIENT_CERT header; otherwise, do not use OIDC and forward the header to the upstream application.

This is my sample declarative config file:

_format_version: "2.1"
_transform: true

services:
- name: core
  host: core-service
  port: 8080
  protocol: http
  routes:
  - name: core_route
    strip_path: false
    paths:
    - /api*
  plugins:
  - name: request-transformer
    config:
      rename:
        headers:
        - SSL_CLIENT_CERT:CERTIFICATE
  - name: oidc
    config: ...

This will apply request-transformer to all requests coming to the service, and oidc, which will use the OIDC protocol for authentication. However, if SSL_CLIENT_CERT exists, I do not want to go to OIDC.

I was searching for a similar approach and sample configurations, but unsuccessfully.

How to configure this in Kong? Is it possible?


Solution

  • You should be able to run multiple routes for the same path but with different header matches.

    The first of those below will match client cert requests, and you may need to ensure that the part after ~* is a regex match-all condition:

    services:
    - name: myapi
      url: http://api.example.com
      routes:
      
      - name: clientcert
        paths:
        - /api
        headers:
          SSL_CLIENT_CERT: ["~*(.*?)"]
        plugins:
        - name: request-transformer
          config: ...
    
      - name: oidc
        paths:
        - /api
        plugins:
        - name: oidc
          config: ...
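
An added example, not part of the original answer and not Kong's own router: a simplified Python model of the two-route setup above, assuming the route with more header conditions is tried first. It checks the intended split on constructed requests and shows that `~*(.*?)` tests only that the header is present, so the header has to be set by the TLS-terminating proxy in front of Kong rather than accepted from clients.

```python
import re

# The answer's two routes as Python dicts (constructed mirror of the YAML).
ROUTES = [
    {"name": "clientcert", "paths": ["/api"],
     "headers": {"SSL_CLIENT_CERT": ["~*(.*?)"]},
     "plugins": ["request-transformer"]},
    {"name": "oidc", "paths": ["/api"], "headers": {},
     "plugins": ["oidc"]},
]

def header_matches(patterns, value):
    """True if value satisfies any pattern; a '~*' prefix marks a regex."""
    for pattern in patterns:
        if pattern.startswith("~*"):
            if re.search(pattern[2:], value):
                return True
        elif pattern == value:
            return True
    return False

def route_matches(route, path, headers):
    """A route matches when a path prefix and every header condition match."""
    if not any(path.startswith(prefix) for prefix in route["paths"]):
        return False
    present = {name.lower(): value for name, value in headers.items()}
    for name, patterns in route["headers"].items():
        value = present.get(name.lower())
        if value is None or not header_matches(patterns, value):
            return False
    return True

def plugins_for(path, headers, routes=ROUTES):
    """Return (route name, plugins) for a request.

    Assumption of this model: among matching routes, the one with the
    most header conditions is selected.
    """
    candidates = [r for r in routes if route_matches(r, path, headers)]
    if not candidates:
        return (None, [])
    best = max(candidates, key=lambda r: len(r["headers"]))
    return (best["name"], best["plugins"])
```
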