OpenID Connect with Kong Gateway

OpenID Connect (OIDC) is an identity layer built on top of OAuth 2.0 that uses JWTs (JSON Web Tokens) to carry identity claims. It provides authentication and authorization, letting you connect Kong Gateway to an identity provider (IdP), so that the system you interact with can determine who you are and grant you access to the correct resources.

Kong Gateway provides an OpenID Connect plugin with support for a large variety of auth flows and grants. With this plugin, you can leverage an IdP for both authentication and authorization without having to manage consumers or groups in Kong Gateway. This allows you to provide secure developer access without additional operational overhead and risk.

The OIDC plugin also includes session management and support for the Financial-Grade API (FAPI) standard.

Authentication flows and grants

| Authentication flow or grant | Description | Plugin example configuration | How-to guide |
|---|---|---|---|
| Authorization Code flow | In an Authorization Code flow, clients exchange an authorization code for an access token. Workflow diagram → | Authorization Code flow example | OpenID Connect and Keycloak with the auth code flow |
| Session authentication | The OpenID Connect plugin can issue a session cookie for session authentication, which you can retrieve using any other supported flow or grant. Workflow diagram → | Session auth flow example | OpenID Connect and Keycloak with session authentication |
| Client Credentials grant | With the Client Credentials grant, clients can get an access token by providing a client ID and client secret to an IdP. Workflow diagram → | Client Credentials grant example | OpenID Connect and Keycloak with the client credentials grant |
| JWT Access Token authentication | When a user authenticates and authorizes access, the IdP sends a JWT access token, which can be passed as a credential to the upstream service. Workflow diagram → | JWT Access Token auth example | OpenID Connect and Keycloak with the JWT access token flow |
| Kong OAuth Token authentication | The OpenID Connect plugin can verify the tokens issued by the OAuth 2.0 plugin, then use them for authentication. Workflow diagram → | Kong OAuth Token auth example | OpenID Connect and Keycloak with the Kong OAuth2 plugin |
| Introspection authentication | Validates an access token against the IdP introspection endpoint before passing the token as a credential to the upstream service. Workflow diagram → | Introspection auth flow example | OpenID Connect and Keycloak with introspection auth |
| User Info authentication | Validates an access token against the IdP user info endpoint before passing the token as a credential to the upstream service. Workflow diagram → | User Info auth example | OpenID Connect and Keycloak with user info auth |
| Refresh Token grant | When the client has a refresh token available, the IdP can refresh an expired token and replace it with a new one without user interaction. Workflow diagram → | Refresh Token grant example | OpenID Connect and Keycloak with the client credentials grant |
| Password grant | With the Password grant, clients can get an access token by providing a username and password to an IdP. Workflow diagram → | Password grant example | OpenID Connect and Keycloak with the password grant |

Authorization methods

| Authorization method | Description | Plugin example configuration | How-to guide |
|---|---|---|---|
| Claims-based authorization | Claims-based authorization uses a pair of options to manage claims verification during authorization. These pairs can be based on scopes, audience, groups, or roles claims. Learn more about claims-based auth pairs in the OpenID Connect plugin documentation. | Claims-based authorization example | OpenID Connect and Keycloak with claims-based authorization |
| ACL-based authorization | You can integrate the OpenID Connect plugin with the ACL plugin, which provides access control functionality in the form of allow and deny lists. | ACL-based authorization example | OpenID Connect and Keycloak with the ACL plugin |
| Consumer-based authorization | You can use Kong Gateway Consumers for authorization and to dynamically map claim values to Consumers. | Consumer-based authorization example | OpenID Connect and Keycloak with Consumers |
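The JWT Access Token authentication row in the first table and the claims-based authorization row above describe two stages the plugin applies to a bearer token: first establish that the token is genuine and unexpired, then check its claims against the configured `*_claim`/`*_required` pairs. The Python below is an added illustration written for this page, not Kong's own Lua code. It models both stages end to end. The HS256 shared key, the sample claims and configuration, and the reading of the required lists (names separated by a space inside one entry must all be present, separate entries are alternatives) are assumptions made for the example; the real plugin validates signatures against the IdP's published keys and supports more claim path forms than the plain claim names used here.

```python
"""Added example: JWT access token authentication followed by
claims-based authorization, modelled on the Kong OpenID Connect plugin's
scopes/audience/groups/roles option pairs. Illustrative code, not the
plugin's implementation; semantics and sample values are assumptions."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed shared secret standing in for the IdP's signing key. Real
# deployments verify RS256/ES256 signatures against the IdP's JWKS instead.
SIGNING_KEY = b"constructed-demo-secret"

# Assumed default claim names for each pair when *_claim is not configured.
DEFAULT_CLAIM = {"scopes": "scope", "audience": "aud", "groups": "groups", "roles": "roles"}


def _b64url_decode(segment: str) -> bytes:
    segment += "=" * (-len(segment) % 4)  # restore stripped padding
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_hs256_jwt(payload: dict, key: bytes = SIGNING_KEY) -> str:
    """Build a constructed access token so the example runs offline."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_jwt(token: str, key: bytes = SIGNING_KEY, now: Optional[float] = None) -> Optional[dict]:
    """Authentication stage: check structure, algorithm, signature and expiry.
    Returns the claims on success, None on any failure."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        return None
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # reject "none" and any unexpected algorithm
        return None
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    claims = json.loads(_b64url_decode(body_b64))
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None  # missing or past expiry is a failed authentication
    return claims


def _claim_values(claims: dict, claim_name: str) -> set:
    """Normalise a claim to a set of strings: "scope": "openid email" or "groups": [...]."""
    value = claims.get(claim_name)
    if value is None:
        return set()
    if isinstance(value, str):
        return set(value.split())
    return set(value)


def _required_satisfied(present: set, required: list) -> bool:
    """Assumed pair semantics: entries are alternatives (OR); space-separated
    names inside one entry must all be present (AND)."""
    return any(set(entry.split()) <= present for entry in required)


def authorize(claims: dict, config: dict) -> bool:
    """Authorization stage: every configured *_required list must be satisfied
    by the claim named in the matching *_claim option."""
    for kind in ("scopes", "audience", "groups", "roles"):
        required = config.get(f"{kind}_required")
        if not required:
            continue  # pair not configured, nothing to enforce
        claim_name = config.get(f"{kind}_claim", DEFAULT_CLAIM[kind])
        if not _required_satisfied(_claim_values(claims, claim_name), required):
            return False
    return True


def gateway_decision(token: str, config: dict, now: Optional[float] = None) -> int:
    """Combine both stages into an HTTP status the way a gateway would:
    401 when the credential is invalid, 403 when it is valid but not authorized."""
    claims = verify_jwt(token, now=now)
    if claims is None:
        return 401
    if not authorize(claims, config):
        return 403
    return 200


# Constructed sample configuration and claims for a local run.
EXAMPLE_CONFIG = {
    "scopes_required": ["openid email", "openid profile"],  # either combination
    "audience_required": ["my-api"],
    "groups_required": ["admins", "developers"],
}
EXAMPLE_CLAIMS = {"sub": "alice", "scope": "openid profile", "aud": "my-api",
                  "groups": ["developers"], "exp": 1_700_003_600}
EXAMPLE_NOW = 1_700_000_000

if __name__ == "__main__":
    print(gateway_decision(make_hs256_jwt(EXAMPLE_CLAIMS), EXAMPLE_CONFIG, now=EXAMPLE_NOW))
```

Running the file prints `200` for the sample token; a token signed with a different key or past its `exp` is rejected before any claim is examined, and a genuine token whose groups do not match the configured list is refused at the authorization stage instead. Keeping the two stages separate matters for troubleshooting: a 401 points at the IdP trust relationship, a 403 at the claim pairs.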