Open/unrestricted subset of API

Hi,

I encounter exactly the same problem as @richardolsson. An API with some secure paths and some not.

With “Auth Token” authentication, setting up the workaround is quite simple. On the other hand, when the API is secured through OIDC it requires a lot of effort:

  • create and sign a JWT token with a long life so that it doesn’t expire. Position a custom issuer into the token. This token is added in the Authorization header (point 5 of your workaround)
  • create a mock API to expose .well-known/openid-configuration URLs and JWKS information
  • configure the workaround you described above

It works, but it’s very expensive.

Is it planned in the roadmap to support, out of the box, APIs with some secure paths and some not?