2.3 Chained Auth Mech Questions

Howdy

I have a question about the Chained Auth allowed in the API for 2.3.

Is this an “AND” or a “OR” setup?

The way I read it right now, it's an AND, meaning you would need a JWT and an AuthToken. I'm actually looking for an "OR" solution, to accept APIToken keys or a JWT for the same API.

It looks like with 2.3 I can do it on my own with a CustomKeyCheck plugin if necessary, but I'm just looking to see what's supported out of the box.

Thanks
-=Brian

It's AND; they run consecutively (and can interfere with one another).

We may in future add a setting to have it so that any one of the auth MW can authenticate the user.

I had the same question when reading https://tyk.io/docs/security/your-apis/multiple-auth/

Especially the term “chained” indicates that all auth middlewares have to pass. However, it’s still not 100% clear. Especially when what you need is the exact opposite.

I wonder how to publish an API in a way that users can either use a token or a JWT (from OpenID Connect) for authentication.

They are all required to pass
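To make the AND/OR distinction in this thread concrete, here is an added example that is not Tyk code and not from any poster: a small Python model of a request passing through two auth middlewares (a static API key check and an HS256 JWT check), run once as a chain where every middleware must pass (the behaviour described above) and once as a hypothetical "any one passes" chain. The header names, the API key table, the shared JWT secret and the request objects are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample data for the example (not from Tyk or the thread).
API_KEYS = {"key-abc123": {"org": "demo", "rate": 100}}
JWT_SECRET = b"constructed-shared-secret"


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_jwt(claims, secret=JWT_SECRET):
    """Mint an HS256 JWT for the constructed test user."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def auth_token_mw(request):
    """Static API-key middleware: key must be present in the key store."""
    key = request.get("headers", {}).get("Authorization")  # assumed header name
    if key in API_KEYS:
        return True, f"key:{key}"
    return False, "missing or unknown API key"


def jwt_mw(request, secret=JWT_SECRET, now=None):
    """JWT middleware: pin the algorithm, verify the HMAC, then check expiry."""
    token = request.get("headers", {}).get("X-JWT")  # assumed header name
    if not token or token.count(".") != 2:
        return False, "missing or malformed JWT"
    h, p, s = token.split(".")
    try:
        header = json.loads(_b64url_decode(h))
    except (ValueError, UnicodeDecodeError):
        return False, "malformed JWT header"
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        return False, "unexpected JWT alg"
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return False, "bad JWT signature"
    claims = json.loads(_b64url_decode(p))
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return False, "JWT expired"
    return True, f"jwt:{claims.get('sub')}"


def chain_all(request, middlewares):
    """Chained auth as described in the thread: run consecutively, every one must pass."""
    identities = []
    for mw in middlewares:
        ok, info = mw(request)
        if not ok:
            return False, info
        identities.append(info)
    return True, identities


def chain_any(request, middlewares):
    """Hypothetical OR behaviour the poster asks for: first passing middleware wins."""
    reasons = []
    for mw in middlewares:
        ok, info = mw(request)
        if ok:
            return True, info
        reasons.append(info)
    return False, "; ".join(reasons)


if __name__ == "__main__":
    token = make_jwt({"sub": "alice", "exp": int(time.time()) + 3600})
    chain = [auth_token_mw, jwt_mw]
    for name, req in [
        ("both", {"headers": {"Authorization": "key-abc123", "X-JWT": token}}),
        ("key only", {"headers": {"Authorization": "key-abc123"}}),
        ("jwt only", {"headers": {"X-JWT": token}}),
        ("neither", {"headers": {}}),
    ]:
        print(name, "AND ->", chain_all(req, chain), "| OR ->", chain_any(req, chain))
```

Running it shows the asymmetry the thread is about: with `chain_all` only the request carrying both credentials is accepted, while `chain_any` also accepts a request carrying just the API key or just the JWT. The JWT check pins the algorithm before touching the signature so that a token claiming a different `alg` is rejected outright.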