[KONG 2.0.1] Multiple authentication - no consumer check between plugins #7301
Smoke-0
started this conversation in
Ideas and feature requests
Replies: 2 comments
-
see note 2
-
Thank you @Tieske, I've seen it before, but it doesn't mention anything about ACL behavior. Should we treat it as proper? It kind of kills the idea of multiple authentication layers, as only the final one decides on consumer identity and it hinders ACL whitelisting/blacklisting. Also it seems a security concern, as we do not need both a valid token and apikey for the consumer: if someone uses a proper apikey and ANY valid token (some are more easily issued than others) he can get access to restricted APIs.
-
Summary
In our project we are using two authentication plugins globally (Key Authentication and JWT) and ACL plugin on routes to whitelist authorized consumer-groups.
When providing mismatching (but valid) authentication credentials, the consumer is identified improperly, therefore assigned to an improper consumer-group and, in the end, allowed access to APIs he should not reach.
Example:
If I use an apikey from one consumer and a bearer token from a different one, I am allowed access, and the consumer is assigned based on the apikey, as key-auth is processed later (with lower priority). Expected: as the authentication credentials don't match the same consumer, no access should be granted.
Steps To Reproduce
A. Consumer with apikey_A and token claim token_A belonging to group "allowed"
B. Consumer with apikey_R and token claim token_R belonging to group "restricted"
Additional Details & Logs
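The behaviour described above, as an added model written for this discussion (not Kong's own code): two global auth plugins each resolve a consumer in the order the post describes (jwt first, key-auth later), the last one wins, and an ACL check on the resulting identity passes for mismatched credentials. A consistency check that denies when the resolved identities disagree is included as the mitigation; the credential tables, group names and header handling are constructed assumptions following scenario A/B, not Kong configuration.

```python
# Added model (not Kong code): how two global auth plugins each resolve a
# consumer, why "last plugin wins" lets mismatched credentials pass an ACL
# check, and a consistency check that denies when the identities disagree.
from dataclasses import dataclass, field
from typing import Optional

# Constructed credential and group tables following the post's scenario A/B.
API_KEYS = {"apikey_A": "consumer_A", "apikey_R": "consumer_R"}
JWT_TOKENS = {"token_A": "consumer_A", "token_R": "consumer_R"}
GROUPS = {"consumer_A": {"allowed"}, "consumer_R": {"restricted"}}


@dataclass
class Ctx:
    headers: dict
    consumer: Optional[str] = None              # identity the ACL plugin sees
    seen: list = field(default_factory=list)    # every identity any plugin resolved


def jwt_plugin(ctx):
    """Resolve the consumer from the bearer token; False if missing or invalid."""
    auth = ctx.headers.get("Authorization", "")
    consumer = JWT_TOKENS.get(auth.removeprefix("Bearer ").strip())
    if consumer is None:
        return False
    ctx.consumer = consumer
    ctx.seen.append(consumer)
    return True


def key_auth_plugin(ctx):
    """Resolve the consumer from the apikey header; False if missing or invalid."""
    consumer = API_KEYS.get(ctx.headers.get("apikey"))
    if consumer is None:
        return False
    ctx.consumer = consumer                     # overwrites whatever jwt set
    ctx.seen.append(consumer)
    return True


def acl_plugin(ctx, allow):
    return ctx.consumer is not None and bool(allow & GROUPS[ctx.consumer])


def request_allowed(headers, allow=frozenset({"allowed"}), consistent=False):
    """Run the chain jwt -> key-auth -> acl; consistent=True adds the identity check."""
    ctx = Ctx(headers)
    if not (jwt_plugin(ctx) and key_auth_plugin(ctx)):
        return False                            # a required credential failed
    if consistent and len(set(ctx.seen)) > 1:
        return False                            # credentials name different consumers
    return acl_plugin(ctx, allow)
```

With `consistent=False` the call with `apikey_A` plus `token_R` is allowed because key-auth ran last; with `consistent=True` the same request is denied.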