The problem seems to be that that since this is a custom plugin, there is nothing found for “auth token”, as there’s no way to specify the auth_header_name for this mode of authenticating. Is that correct, or are we missing a step for specifying the auth header name in this scenario?
We’ve gotten around this issue by setting the key id of the session manually, but want to understand if we missed a step that would have prevented this, or if the non-CoProcess case should be updated to handle metadata[“token”], etc. Also, although this only came up after disabling key hashing, I believe it could still cause problems when hashing, as the key id is still not set in that case. The hash just becomes something like “000000” which is likely not what’s intended for rate limiting.
The problem seems to be that that since this is a custom plugin, there is nothing found for “auth token”, as there’s no way to specify the auth_header_name for this mode of authenticating. Is that correct, or are we missing a step for specifying the auth header name in this scenario?
An auth_header_name is not required when using custom authentication plugins. In this mode, you are free (and expected) to extract whichever header or request component represents authorization directly in the plugin, and then perform validation there.
As a best practice, we recommend including the KeyID in the session object returned by the plugin. This is the identity the gateway uses to track the request, regardless of hashing configuration, and it is useful for tracking, analytics, rate limiting…
However, we recognize this is omitted in the doc sample.
Please note that switching the hashing configuration within the same environment is not recommended, as doing so generally invalidates existing auth keys. If you need to change the configuration, it’s better to start a new environment instead of switching in place.
Please let us know if you have further questions, and you may share your plugin code (or relevant parts of it)