Apply policy to pre-authenticated user

For reference: my use-case seems to be very similar to the one in this discussion:

The only difference is that I want to accept any Authorization-header value as valid, instead of requesting an external auth server.

I think all of this is unnecessarily complicated and the documentation is lacking in a lot of places (like auth-plugins; what exactly the id_extractor is used for, etc.). I really like the tyk-gateway, but a lot of functionality can only be understood by looking at the code. Only by looking at the code did I find out about auth-plugins (otto_auth_mw_example.js) and their limitations (for example, when adding “apply_policy_id” to the session created by the auth-plugin, the policy doesn’t seem to be applied).

Also, it isn’t clear to me when I should use a pre-plugin combined with an existing middleware like mw_auth_key.go or when I should use a non-documented auth-plugin (like the example in otto_auth_mw_example.js). The discussion linked above seems to end by preferring the pre-plugin, but it is not really clear to me why.

Even when looking at the code, it is poorly commented and some code seems to be duplicated: for example, compare the function “generateSessionFromPolicy()” of mw_jwt.go with the function ApplyPolicyIfExists() of handler_success.go.

I know writing documentation isn’t fun, but I think this is the most lacking aspect of Tyk.