Replies: 1 comment
-
@CodemanXD This could also be a security feature enabled by default in your API client (Postman). Some API clients (Insomnia for instance as I learned it today) remove the

To really figure out if the problem comes from Kong or your API client, you could do:

```
curl -L --location-trusted \
  --url <YOUR_URL_TO_TEST> \
  --header 'Authorization: <YOUR_AUTH_HEADER>'
```
-
I've been looking for a solution to an issue I've been trying to solve. Every time I send a bearer JWT via the `authorization` header, say via Postman, the `authorization` header is not forwarded to the upstream service (an API in Kubernetes).

I've noticed this without an auth plugin, and with one, specifically the JWT plugin. The plugin does what I need it to, and I've found that opting to use the `proxy-authorization` header does allow the JWT to be forwarded to the API (which the API needs for RBAC logic).

So while I have a workaround, my question is: why does Kong appear to remove the `authorization` header? Is it to keep upstream services from accessing auth since that should be managed by Kong? I would like to know if there's any particular reason so I can document the process going forward.
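A local way to reproduce what the reply's `curl -L --location-trusted` check is probing, as an added example that is not from the thread or from Kong: an echo upstream that reports which of `Authorization` and `Proxy-Authorization` reached it, plus a small redirect-following client. The names `Echo`, `serve` and `fetch`, and the client policy of dropping `Authorization` when a redirect leaves the original host and port, are assumptions made for the illustration.

```python
# Added example (not from the thread); the redirect policy in fetch() is an assumption.
import hashlib, http.client, json, threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit

WATCHED = ("Authorization", "Proxy-Authorization")

class Echo(BaseHTTPRequestHandler):
    redirect_to = None  # when set, answer every GET with a 302 to this URL
    def log_message(self, *args): pass  # keep stderr quiet
    def do_GET(self):
        if self.redirect_to:
            self.send_response(302)
            self.send_header("Location", self.redirect_to)
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        # Report a short digest, never the token, so the output is safe to share.
        seen = {h: hashlib.sha256(self.headers[h].encode()).hexdigest()[:12]
                for h in WATCHED if self.headers.get(h)}
        body = json.dumps(seen).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

def serve(redirect_to=None):
    """Start a server on an ephemeral loopback port; return (server, port)."""
    handler = type("Handler", (Echo,), {"redirect_to": redirect_to})
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

def fetch(url, headers, trusted=False, max_hops=5):
    """GET url, following redirects under the assumed policy; return the echo."""
    for _ in range(max_hops):
        u = urlsplit(url)
        conn = http.client.HTTPConnection(u.hostname, u.port, timeout=5)
        conn.request("GET", u.path or "/", headers=headers)
        resp = conn.getresponse()
        body, loc = resp.read(), resp.getheader("Location")
        conn.close()
        if resp.status not in (301, 302, 303, 307, 308) or not loc:
            return json.loads(body)
        nxt = urlsplit(loc)
        if (nxt.hostname, nxt.port) != (u.hostname, u.port) and not trusted:
            headers = {k: v for k, v in headers.items() if k.lower() != "authorization"}
        url = loc
    raise RuntimeError("too many redirects")
```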