A common use case that is frequently requested is how to dynamically route requests based on authentication attributes. An example of this technique is routing requests to relevant upstream services based on claims contained in a JWT token.
Admins would like all their clients to go to the same URI as it makes the implementation easier. But behind the scenes they might need to tailor specific configuration/applications for them, hence routing their request based on their identity.
Kong Gateway is typically ran with a set of ancillary services, including a backend datastore, [Kong Manager](https://docs.konghq.com/gateway/latest/kong-manager/)Kong Manager, [Analytics](https://docs.konghq.com/gateway/latest/kong-enterprise/analytics/#:~:text=Use%20Kong%20Vitals%20(Vitals)%20to,APIs%20and%20Gateway%20are%20performing.)Analytics, and [Developer Portal](https://docs.konghq.com/gateway/latest/kong-enterprise/dev-portal/)Developer Portal. Traditionally, users of Kong Gateway have been required to self host these additional services to experience the full capabilities of the Kong platform.
In this post, we’ll use [Kong Konnect](https://konghq.com/products/cloud-api-platform)Kong Konnect, the new Kong SaaS API platform. Konnect hosts the Kong platform’s management capabilities (backend datastore, Kong Manager, Analytics, Developer Portal, and more) in a multi-cloud environment. This frees the customer from managing these ancillary services and allows them to focus on hosting the data planes (aka, proxy runtimes) and building their business logic.
As we’ve seen in [a previous blog post](https://konghq.com/blog/how-to-dynamically-route-requests-with-kong-enterprise)a previous blog post, Kong thrives in routing requests dynamically. However, in this post, we’ll take things a step further by dynamically routing requests based on the authentication process.
While we’re going to be covering everything using Konnect, it’s important to highlight that you can use the same procedure below in your own self-managed environment, as the same configuration applies to all deployments.
To start, let’s outline the prerequisites:
*Figure 1*
For our example use case, we are managing a banking application that serves different bank's customers.
In my example , all customers go to the same service address (http://kong.bankingservice.com) which is basically a DNS entry where the Kong service resides. Within Kong we will have the following configured:
During our demo, we will show how we can route 2 requests that sent to the same route to 2 different paths based on authentication properties.
For our use case, we will use the authentication mechanism to determine which path needs to be used, based on the JWT claims of the authenticated user. The claim we’ll use will be labeled “bank”. An architectural diagram of the scenario is shown below:
Here is an example of a JWT token. The “bank” attribute contains the information we will use to route the request.
To make things easier to identify, we’ll create a simple web application that will just print the path of the requested URL. This will allow us to see where exactly the user has been redirected.
To make things as simple as possible, we’ll use a simple python script that creates a web server and prints the path. This python script is shown below:
#!/usr/bin/env python3
"""
Very simple HTTP server in python for logging requests
Usage::
./server.py [<port>]
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
import logging
import re
class S(BaseHTTPRequestHandler):
def _set_response(self):
self.send_response(200)
self.send_header('Content-type', 'text/html')
self.end_headers()
def do_GET(self):
logging.info("GET request,\nPath: %s\nHeaders:\n%s\n", str(self.path), str(self.headers))
self._set_response()
bank = str(self.path).split('/')[-1].split('?')[0]
self.wfile.write( """<html>
<head>
<title>Title</title>
</head>
<body>
<h2>Welcome To {bank} Bank</h2>
<p>Complete path is {self.path} </p>
</body>
</html>""".format(**locals()).encode('utf-8'))
def run(server_class=HTTPServer, handler_class=S, port=8080):
logging.basicConfig(level=logging.INFO)
server_address = ('', port)
httpd = server_class(server_address, handler_class)
logging.info('Starting httpd...\n')
try:
httpd.serve_forever()
except KeyboardInterrupt:
pass
httpd.server_close()
logging.info('Stopping httpd...\n')
if __name__ == '__main__':
from sys import argv
if len(argv) == 2:
run(port=int(argv[1]))
else:
run()To test our app , we can just run it:
./http.server.py 8080
INFO:root:Starting httpd...Once the app is running, we can look at our browser (with the address of the local server) to see how it works:
So as we haven’t put our application behind Kong and the OIDC authentication, there is no bank name yet.
To bulk load the Kong configuration, we will use a tool called decK, which will enable us to configure our complete setup with just one call.
For our use case, the declarative file (demo-deployment.yaml) looks as follows:
_format_version: "1.1"
_info:
defaults: {}
select_tags:
- bank-demo-service
_konnect:
runtime_group_name: <your konnect runtime group>
services:
- connect_timeout: 60000
enabled: true
host: <host of your service>
name: bank-demo-service
path: /bank
port: 8080
protocol: http
read_timeout: 60000
retries: 5
tags:
- bank-demo-service
write_timeout: 60000
plugins:
- name: request-transformer-advanced
config:
replace:
uri: /bank/$(headers['bank'])
- name: openid-connect
config:
issuer: <your issuer config path>
client_id:
- <your client id>
client_secret:
- <client secret>
ssl_verify: false
redirect_uri:
- http://<your GW address>/bank/*
upstream_headers_claims:
- bank
upstream_headers_names:
- bank
routes:
- name: bank-demo-route
service:
name: bank-demo-service
paths:
- /bank
strip_path: trueThere are a couple of notes to highlight from our YAML file:
To completely configure the gateway, we need one simple decK command:
deck sync --konnect-addr https://us.api.konghq.com --konnect-email <your konnect email> --konnect-token <konnect personal access token> --konnect-runtime-group-name <your runtime group> --state demo-deployment.yamlFor additional info on how to use decK with our Konnect Cloud offer, you can follow [Kong's official documentation](https://docs.konghq.com/deck/latest/guides/konnect/)Kong's official documentation.
If we want to take a look on how this implementation looks in konnect UI:
Now, let’s test our application.
When we try to access our service through the runtime instance (in my case running locally on my laptop), we are redirected to keycloak for authentication. The first user we will try is Bob:
And the result is:
Now lets try with our other user, Suzy:
And the result is similar, but we are redirected to a new URL, as it was expected:
In this blog, we saw how easy it is to leverage Kong in order to create complex dynamic routing based on specific attributes (in this case, JWT token's claims).
All users have the same Login process, and according to their attributes they are routed to the relevant application/path for their service. This makes the maintenance of the deployed application much easier and cleaner.
In this demo, we used Kong’s Konnect (SaaS) which makes deployment and maintenance much easier. As Kong can be deployed in the vast majority of architectures (on-prem, cloud, hybrid, docker, k8s, etc), you can reproduce these capabilities no matter which form you choose.
*Accelerate your journey to microservices, secure and govern APIs and services, and boost developer productivity with Kong Konnect, the easiest way to get started with Kong Enterprise*
[Start a Free Trial >](https://cloud.konghq.com/register)Start a Free Trial >
The JSON Web Token (JWT) is an open standard that allows information to be transferred securely between different parties. The token is digitally signed by using a private key (HMAC) or a public/private key (RSA) by building a JSON Web Signature (JW
[](https://konghq.com/blog/engineering/craft-and-sign-custom-jwt)
As you build and maintain more applications, your authentication strategy becomes increasingly important. It may also be top of mind for your boss since technology leaders cited "improve application security" as one of their top priorities in this y
[](https://konghq.com/blog/engineering/jwt-kong-gateway)
Traditional agreement processes were slow and heavily manual. Documents were often created in office tools, shared through email, printed, signed physically, and stored across multiple systems. Tracking the status of agreements required manual follo
[](https://konghq.com/blog/engineering/automating-agreement-workflows-kong-konnect-and-docusign-for-developers)
Architecture Overview A multicloud DCGW architecture typically contains three main layers. 1\. Konnect Control Plane The SaaS control plane manages configuration, plugins, and policies. All gateways connect securely to this layer. 2\. Dedicated C
[](https://konghq.com/blog/engineering/dedicated-cloud-gateways-managed-redis-multi-cloud)
Tool discovery for AI agents In early agent implementations, tools are often statically configured inside the agent. For example: { "mcpServers": { "weatherServer": { "command": "uv", "args": "run", "weather_serv
[](https://konghq.com/blog/engineering/mcp-registry-dynamic-tool-discovery)
In today's digital landscape, APIs are the backbone of modern applications, and AI is the engine of innovation. As organizations increasingly rely on microservices and AI-powered features, the API gateway has become the critical control point for man
[](https://konghq.com/blog/engineering/prisma-airs-kong-ai-gateway)
The goal of Integration Platform as a Service (iPaaS) is to simplify how companies connect their applications and data. The promise for the first wave of iPaaS platforms like Mulesoft and Boomi was straightforward: a central platform where APIs, sys
[](https://konghq.com/blog/engineering/kong-and-polyapi)