Differ between rest endpoints using external authentication and no authentication

[creib]

Hi,
we are using the external-auth policy for our Rest API Services. We have two cases where we do not want authentication.

1. OPTIONS and HEAD request should not be authenticated, POST PUT DELETE and GET should be authenticated.
2. We have REST API Services which contain methods which should be protected by central authentication and some services have methods which should be open accessible.

At the moment we are able to solve this by defining multipe HTTPRoute definitions. I.e. a separate definition for OPTION and HEAD requests, a separate definition for POST PUT DELETE and GET requests and so on. By this, we are able to bind the one definition to the external-auth policy but not the other one.

Is there another way to do this without ending up in multiple HTTPRoute definitions for one Service?

Thanks for you help.

[arkodg]

your current implementation is the current workaround until #4085 is implemented which should allow you to define all rules within a single HTTPRoute and then attach a policy to a rule

[creib]

Great news! Thanks a lot.