Nice to meet you all.
Due to some interop requirements with a third-party app, I have designed an API as follows:
- POST /v1beta1/stores (no Bearer auth required; an alternative mechanism is used)
- GET /v1beta1/stores (Bearer auth required)
I’m precious about keeping paths consistent, so I’m wondering what options are available to enforce an origin policy only on the GET method?
I was thinking of splitting out authenticated and non-authenticated endpoints into different service ports/matching rules, using the policy ports target selector and creating two separate policies. Is this sane? Or am I potentially missing a jwt triggerRules option that can be used for the HTTP method?