Sn0rt commented on issue #9233: URL: https://github.com/apache/apisix/issues/9233#issuecomment-1504974971
> > If a business system is configured with authentication and the authentication module is down, it is expected that the business system will refuse user authentication.
> >
> > This is different from cache optimization performance such as Redis.
>
> @Sn0rt I totally agree with you. However, in some security detection scenarios, this is not mandatory. For example, we send the request to the security detection server through the `forward-auth` plug-in to achieve the effect of enhanced security. If the security detection server is unavailable, services are not affected.

Got it. In some internal services, security is not mandatory. If forward-auth supports a `degradation` config and `degradation` has been set to `true`, it will pass if the authentication server gives no obvious rejection (including the auth server being down), and only reject the authentication when it specifically returns an HTTP status code of 4xx. Is this what you mean?

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
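The fail-open semantics proposed in the comment above, as an added Python example that is not part of the original comment and is not APISIX code. The names `Decision`, `decide` and `query_auth` are hypothetical, and the `degraded` flag is an assumption added here so that requests admitted only because the auth server gave no verdict can be logged and alerted on.

```python
import urllib.error
import urllib.request
from typing import NamedTuple, Optional


class Decision(NamedTuple):
    allow: bool
    degraded: bool  # True when the request passed only because of fail-open
    reason: str


def decide(status: Optional[int], degradation: bool) -> Decision:
    """status is the auth server's HTTP status, or None if it was unreachable."""
    if status is not None and 200 <= status < 300:
        return Decision(True, False, "auth server accepted")
    if status is not None and 400 <= status < 500:
        # Explicit rejection: enforced whatever the degradation flag says.
        return Decision(False, False, f"auth server rejected ({status})")
    # No verdict: server down, timed out, or answered with a non-2xx/4xx status.
    reason = "auth server unreachable" if status is None else f"no verdict ({status})"
    if degradation:
        return Decision(True, True, reason + ", failing open")
    return Decision(False, False, reason + ", failing closed")


def query_auth(url: str, timeout: float = 1.0) -> Optional[int]:
    """Return the auth server's status code, or None on any transport failure."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:  # must precede URLError (its parent)
        return exc.code
    except OSError:  # URLError, timeouts and refused connections are OSErrors
        return None


if __name__ == "__main__":
    # Constructed outcomes: None stands for an auth server that is down.
    for status in (200, 403, 503, None):
        for flag in (False, True):
            print(status, flag, decide(status, flag))
```

With `degradation` enabled, the plug-in's verdict is only as available as the network path to the auth server, so the count of `degraded` passes is the signal to monitor.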
