Sajad

Reputation: 524

Krakend Multiple Authorization Methods

I have an application that exposes a few endpoints which, for backward compatibility purposes, support both JWT and Basic Authorization methods.

Recently we have decided to use KrakenD as the API Gateway for this application, and now I have an issue with the authorization of the mentioned endpoints. I use the auth/validator plugin for JWT validation and it works fine. But I'm looking for a way to bypass it when it fails and proxy the request directly to the application to use Basic Auth on the application side.

I had an idea about writing a plugin for KrakenD to decide whether the Authorization header is Basic or Bearer and then decide what to do with the request, or else to see if the JWT validation has failed and then proxy the request to the backend. I wasn't able to do either of those, so I'm looking for new ideas or an already existing solution for this.

Upvotes: 0

Views: 874

Answers (1)

Albert Garcia

Reputation: 187

While KrakenD does not support failover strategies for authentication by default, one of its main advantages is its extensibility, allowing you to implement any custom logic that you need.

In your case, you could consider configuring two "internal" endpoints, one for JWT-based authentication and another for Basic Auth. Then, create a third endpoint with a Lua script. This script would first try to authenticate the request via JWT. If it fails (with a status code 401), it could then try to authenticate the request using Basic Auth.

This way, you're essentially creating your own failover strategy.

You could also implement this logic with a custom Golang plugin for better performance.

You can find more information about how to implement Lua scripts in KrakenD at https://www.krakend.io/docs/endpoints/lua/#making-additional-requests-http_response

For more information about how to code golang plugins in KrakenD, you can read https://www.krakend.io/docs/extending/

Also, it is important to note that Basic Auth is a feature included only in KrakenD Enterprise.

Upvotes: -1
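Added example (not code from the question, the answer or KrakenD itself) of the scheme-based dispatch the question describes: a Go function that reads the Authorization header, verifies an HS256-signed JWT at the gateway and lets Basic credentials pass through untouched for the backend to check. It assumes a shared HMAC key and uses only the standard library; it is not KrakenD's plugin API, but is the kind of decision logic a custom handler plugin would wrap, as the answer suggests.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"strings"
)

// Routing decisions as plain values so the logic is testable without net/http.
const (
	RouteReject           = iota // no usable credential: answer 401 at the gateway
	RouteJWT                     // valid Bearer token: forward to the backend
	RouteBasicPassthrough        // Basic credential: forward untouched, backend verifies it
)

// HS256 computes the JWS signature: HMAC-SHA256 over "header.payload".
func HS256(signingInput string, key []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return mac.Sum(nil)
}

// verifyHS256 checks only the signature of a compact JWS (assumed key);
// expiry and audience checks still belong before the token is trusted.
func verifyHS256(token string, key []byte) bool {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return false
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	return err == nil && hmac.Equal(HS256(parts[0]+"."+parts[1], key), sig)
}

// RouteByAuthScheme decides from the Authorization header which path a request takes.
func RouteByAuthScheme(authz string, key []byte) int {
	scheme, value, ok := strings.Cut(authz, " ")
	if !ok {
		return RouteReject
	}
	switch strings.ToLower(scheme) {
	case "bearer":
		if verifyHS256(strings.TrimSpace(value), key) {
			return RouteJWT
		} // a bad Bearer token has no Basic credential to fall back to
	case "basic":
		return RouteBasicPassthrough
	}
	return RouteReject
}
```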
