adj patterns

ikethecoder · ikethecoder · commit cb2b9d46b0c1 · 2025-09-25T14:23:07.000-07:00
diff --git a/microservices/gatewayApi/patterns/sdx/application_r1.py b/microservices/gatewayApi/patterns/sdx/application_r1.py
@@ -67,7 +67,7 @@
           origins: ["*"]
           methods: ["GET", "POST", "PUT", "DELETE", "OPTIONS"]
           headers: ["Accept", "Accept-Version", "Content-Length", "Content-Type", "Authorization", "X-Client-Id", "X-Sdx-Ap-Sign"]
-                    
+
       - name: oidc
         tags: [ns.${gateway}.${ns_qualifier}]
         enabled: true
@@ -89,17 +89,6 @@
           disable_userinfo_header: "yes"
           disable_id_token_header: "yes"
 
-      - name: openid-authzen
-        tags: [ns.${gateway}.${ns_qualifier}]
-        enabled: true
-        config:
-          # lua_ssl_trusted_certificate has to have the CA's - otherwise "unable to get local issuer certificate"
-          target_url: https://ping.api.gov.bc.ca
-          json_locator: []
-          # subject_claim: "sub"
-          # resource_type: "service_name|route_name|uri_path"
-          # action_name: "read"
-
       - name: kong-upstream-jwt
         tags: [ns.${gateway}.${ns_qualifier}]
         enabled: true
@@ -116,7 +105,7 @@
           add:
             headers:
               - "X-Client-Id:${consumer_uri}"
-                    
+
       # - name: oidc
       #   tags: [ns.gw-0a524]
       #   enabled: true
diff --git a/microservices/gatewayApi/patterns/sdx/service_r1.py b/microservices/gatewayApi/patterns/sdx/service_r1.py
@@ -18,6 +18,16 @@
     retries: 0
     tls_verify: false
     plugins:
+      - name: mtls-auth
+        tags: [ns.${gateway}.${ns_qualifier}]
+        config:
+          error_response_code: 401
+          upstream_cert_cn_header: "X-CERT-CN"
+          upstream_cert_fingerprint_header: "X-CERT-FINGERPRINT"
+          upstream_cert_i_dn_header: "X-CERT-I-DN"
+          upstream_cert_s_dn_header: "X-CERT-S-DN"
+          upstream_cert_serial_header: "X-CERT-SERIAL"
+
       - name: rate-limiting
         tags: [ns.${gateway}.${ns_qualifier}]
         enabled: true
@@ -65,6 +75,17 @@
           disable_userinfo_header: "yes"
           disable_id_token_header: "yes"
 
+      - name: openid-authzen
+        tags: [ns.${gateway}.${ns_qualifier}]
+        enabled: true
+        config:
+          # lua_ssl_trusted_certificate has to have the CA's - otherwise "unable to get local issuer certificate"
+          target_url: https://ping.api.gov.bc.ca
+          json_locator: []
+          # subject_claim: "sub"
+          # resource_type: "service_name|route_name|uri_path"
+          # action_name: "read"
+                    
     routes:
       - name: ${service_name}.OPTIONS
         tags: [ns.${gateway}.${ns_qualifier}, sdx]
