backend authentication in 2 stages

Peter Schulz

Oct 27, 2025, 5:31:57 AM
to KrakenD Community
Hi all,
Is it possible to request the authentication from a backend in 2 stages?
First stage is a basic auth and the 2nd stage is a bearer token which was the answer from the first stage.
The bearer token is always only valid for 300s, that's why I need to request it with the basic auth.
I have the single stages working like below:
First stage:

"backend": [
  {
    "host": [ "https://api.com" ],
    "url_pattern": "/authenticate",
    "extra_config": {
      "modifier/martian": {
        "header.Modifier": {
          "scope": ["request"],
          "name": "Authorization",
          "value": "Basic XXXXXXXXX"
        }
      }
    }
  }
]

2nd stage:

"backend": [
  {
    "host": [ "https://api.com" ],
    "url_pattern": "/query",
    "extra_config": {
      "modifier/martian": {
        "header.Modifier": {
          "scope": ["request"],
          "name": "Authorization",
          "value": "Bearer XXXXXXX"
        }
      }
    }
  }
]

Daniel Ortiz

Oct 28, 2025, 7:48:51 AM
to Peter Schulz, KrakenD Community
Hi Peter,

Try with the client-credentials feature to see if it fits with your use case.

Best regards,
Daniel Ortiz
CIO

Peter Schulz

Nov 3, 2025, 1:19:10 PM
to KrakenD Community, Daniel Ortiz, KrakenD Community, Peter Schulz
Hi Daniel,

Thanks for the answer and hint.
I tried with the example provided in the documentation, but I always get "invalid credentials" in the KrakenD logs.
I am using this config:

{
  "version": 3,
  "client_tls": {
    "allow_insecure_connections": true
  },
  "name": "Bearer Token Proxy Gateway",
  "endpoints": [
    {
      "endpoint": "/secure-data",
      "method": "GET",
      "output_encoding": "json",
      "backend": [
        {
          "host": [
            "https://api.com"
          ],
          "url_pattern": "/?pretty=true",
          "extra_config": {
            "auth/client-credentials": {
              "client_id": "user",
              "client_secret": "secret",
              "token_url": "api.com/security/user/authenticate?raw=true"
            }
          }
        }
      ]
    }
  ]
}

Peter Schulz

Nov 5, 2025, 9:54:10 AM
to KrakenD Community, Peter Schulz, Daniel Ortiz, KrakenD Community
I am also trying to do this with the sequential backend function.
The first sequence is working and I see the token when I do the curl to the endpoint.
But the second sequence is not working and I am not sure if I parse the token correctly.

{
  "version": 3,
  "client_tls": {
    "allow_insecure_connections": true
  },
  "name": "Bearer Token Proxy Gateway",
  "endpoints": [
    {
      "endpoint": "/secure-data",
      "extra_config": {
        "proxy": {
          "sequential": true,
          "sequential_propagated_params": ["resp0"]
        }
      },
      "method": "GET",
      "backend": [
        {
          "host": [
            "https://api.com"
          ],
          "url_pattern": "/security/user/authenticate?raw=true",
          "extra_config": {
            "modifier/lua-backend": {
              "allow_open_libs": true,
              "pre": "local req = request.load(); req:headers('Authorization','Basic XXXXXXX=')"
            }
          }
        },
        {
          "host": [
            "https://api"
          ],
          "url_pattern": "/?pretty=true",
          "extra_config": {
            "modifier/lua-backend": {
              "allow_open_libs": true,
              "pre": "local req = request.load(); req:headers('Authorization','Bearer .. \"Resp0_data.token\"')"
            }
          }
        }
      ]
    }
  ]
}
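
The two-stage flow discussed in this thread, as an added example that is not part of any post and is not KrakenD code: a Python client gets the token with Basic auth, reuses it for Bearer calls, and repeats stage 1 shortly before the 300 s lifetime ends. The local stand-in backend, its `/authenticate` and `/query` paths, the `token` response field, the 5 s margin and all function and class names are assumptions made for the illustration.

```python
import base64, json, threading, time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import ProxyHandler, Request, build_opener

OPENER = build_opener(ProxyHandler({}))  # connect directly, ignore proxy env vars

def get_json(url, auth):
    with OPENER.open(Request(url, headers={"Authorization": auth}), timeout=5) as resp:
        return json.load(resp)  # a 401 from either stage raises HTTPError here

class TwoStageClient:
    """Stage 1: Basic auth for a token. Stage 2: Bearer calls until it nears expiry."""
    def __init__(self, auth_url, user, password, ttl=300, margin=5, clock=time.monotonic):
        self.auth_url, self.ttl, self.margin, self.clock = auth_url, ttl, margin, clock
        self.basic = "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
        self.token, self.expires, self.lock = None, 0.0, threading.Lock()

    def query(self, url):
        with self.lock:  # only one refresh at a time under concurrent requests
            if self.token is None or self.clock() >= self.expires - self.margin:
                self.token = get_json(self.auth_url, self.basic)["token"]
                self.expires = self.clock() + self.ttl
            bearer = "Bearer " + self.token
        return get_json(url, bearer)

def demo():  # runs both stages against a constructed local stand-in backend
    issued = []  # tokens handed out; the stand-in accepts only the newest one
    class Backend(BaseHTTPRequestHandler):
        def do_GET(self):
            auth, body = self.headers.get("Authorization", ""), None
            if self.path == "/authenticate" and auth == "Basic dXNlcjpzZWNyZXQ=":
                issued.append(f"tok{len(issued) + 1}")  # constructed sample token
                body = {"token": issued[-1]}
            elif self.path == "/query" and issued and auth == "Bearer " + issued[-1]:
                body = {"data": "ok"}
            data = json.dumps(body or {"error": "invalid credentials"}).encode()
            self.send_response(200 if body else 401)
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)
        def log_message(self, *args): pass  # keep the demo quiet
    with HTTPServer(("127.0.0.1", 0), Backend) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        base, now = f"http://127.0.0.1:{server.server_port}", [0.0]
        client = TwoStageClient(base + "/authenticate", "user", "secret", clock=lambda: now[0])
        early = [client.query(base + "/query") for _ in range(2)]  # one token, two calls
        now[0] = 296.0  # injected clock: inside the 5 s margin before the 300 s expiry
        late = client.query(base + "/query")
        server.shutdown()
    return len(issued), early, late
```

`demo()` returns the number of tokens the stand-in issued (one at the start, one after the injected clock reaches 296 s) together with the decoded `/query` responses.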
