I'm trying to use Kong as API Gateway with a custom authentication service to authenticate all users for all services in the upstream.

At the beginning I'll use my custom authentication service, but the solution can be using Keycloak or AWS Cogito.

1 - Can Kong redirect all unauthenticated requests to a specific route (the route for authentication service?)
2 - If Kong can't redirect it, how to authenticate the user before requesting protected routes?
3 - I'll need to use a IAM client library for all my services? For example:
4 - Can Kong check if the requests has a valid JWT token?
5 - The redirect will be called by the IAM library in the service and not in Kong? Is that?