Missing config.anonymous parameter for multi-authentification #79

Open
Obimka opened this issue Nov 5, 2018 · 6 comments · May be fixed by #160

Comments

@Obimka

Obimka commented Nov 5, 2018

As far as I can see, the plugin's missing the parameter "anonymous" to implement it in a multi-authorization method in Kong.

@Trojan295
Contributor

Could you elaborate more on this issue? Do you mean a scenario where multiple authentication methods are enabled on Kong?

@Obimka
Author

Obimka commented Dec 17, 2018

Exactly.
The Kong documentation specifies a parameter "anonymous" (id of Customer) used to redirect to when the authentication fails.

@JakeCodeStuff

I need this added as well. Here are the docs:

https://docs.konghq.com/0.14.x/auth/#multiple-authentication
https://docs.konghq.com/0.14.x/auth/#anonymous-access

Basically, they have a scheme where you can set all of your authentication plugins to allow anonymous access for a specific consumer (by id), and then you can set the request termination plugin on that consumer. In that scheme, you can "chain" multiple authentication plugins and it will use the first successful plugin, or if all fail, it will allow the anonymous consumer, which will ultimately get blocked by the request termination plugin, thus disallowing unauthorized access.

@JakeCodeStuff

Spent the morning hacking up a solution. Unfortunately, we are actively using Kong 14.1 CE, so I tested/developed against that, using Kong 14.1 source code (OAuth2 plugin) as my guide. If desired, I can update it for the latest 1.X. Here's a link to what I did: JakeCodeStuff@f0c573c

@ahoulgrave

Also having this issue.

https://github.com/gbbirkisson/kong-plugin-jwt-keycloak allows this feature.

Check for config.anonymous:

An optional string (consumer uuid) value to use as an “anonymous” consumer if authentication fails. If empty (default), the request will fail with an authentication failure 4xx. Please note that this value must refer to the Consumer id attribute which is internal to Kong, and not its custom_id.

This exact feature is what is missing.

@ahoulgrave ahoulgrave linked a pull request Apr 16, 2020 that will close this issue
@ahoulgrave

ahoulgrave commented Apr 16, 2020

Ok, opened #160

Example configuration:

```yaml
_format_version: "1.1"
services:
  - name: test-service
    url: http://my-service-endpoint
    plugins:
      - name: oidc
        config:
          client_id: my-client-id
          client_secret: my_client_super_secret
          discovery: https://auth.example.com/auth/realms/master/.well-known/openid-configuration
          anonymous: 996f6f74-4233-4f45-b5ea-9209892facd1
    routes:
      - name: test-route
        paths:
          - /
        preserve_host: true
consumers:
  - username: anonymous_users
    id: 996f6f74-4233-4f45-b5ea-9209892facd1
```

You get the headers:

```
x-anonymous-consumer: "true"
x-consumer-id: "996f6f74-4233-4f45-b5ea-9209892facd1"
x-consumer-username: "anonymous_users"
```

Tested with this Dockerfile:

```dockerfile
FROM kong:2.0

ENV KONG_PLUGINS=bundled,oidc
ENV KONG_LOG_LEVEL=debug

USER root

RUN apk add --no-cache zip git && \
    luarocks install https://raw.githubusercontent.com/ahoulgrave/kong-oidc/allow-anonymous/kong-oidc-1.1.0-0.rockspec

USER kong
```

Which you can use until a final solution comes up.

Edit: fixed luarocks install url
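Added example (not part of any comment above and not the plugin's own code): with only `anonymous` set, a request that fails authentication still reaches the upstream as the anonymous consumer, as the headers in the last comment show, so the multiple-authentication scheme described earlier in the thread also needs the request-termination plugin bound to that consumer. The sketch below extends the configuration from the last comment with a second bundled auth plugin (`key-auth`) and that termination rule. It assumes the `oidc` plugin is built from the branch in #160 and honours `anonymous` as shown there; the status code and message are constructed values.

```yaml
_format_version: "1.1"
services:
  - name: test-service
    url: http://my-service-endpoint
    plugins:
      # Both auth plugins fall back to the same anonymous consumer
      # instead of rejecting the request themselves.
      - name: oidc
        config:
          client_id: my-client-id
          client_secret: my_client_super_secret
          discovery: https://auth.example.com/auth/realms/master/.well-known/openid-configuration
          anonymous: 996f6f74-4233-4f45-b5ea-9209892facd1
      - name: key-auth
        config:
          anonymous: 996f6f74-4233-4f45-b5ea-9209892facd1
    routes:
      - name: test-route
        paths:
          - /
        preserve_host: true
consumers:
  - username: anonymous_users
    id: 996f6f74-4233-4f45-b5ea-9209892facd1
plugins:
  # Without this entry, requests that fail every auth plugin are proxied
  # upstream with x-anonymous-consumer: "true".
  - name: request-termination
    consumer: anonymous_users
    config:
      status_code: 401                   # constructed value
      message: Authentication required   # constructed value
```

If anonymous access to the upstream is intended, leave out the `request-termination` entry and have the upstream treat `x-anonymous-consumer: "true"` as unauthenticated.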
