curl -i -X GET "$KONNECT_PROXY_URL/anything" \
--no-progress-meter --fail-with-body \
-H "Authorization: Bearer $ACCESS_TOKEN"
Copied!
Configure the Upstream OAuth plugin with Kong Identity
Incompatible with
on-prem
Related Documentation
Tags
TL;DR
Create a Kong Identity auth server, scope, claim, and client. Configure the Upstream OAuth plugin with your token endpoint, client ID, client secret, and scope. Generate a client token by sending a POST request to $ISSUER_URL/oauth/token and use the access token in a header when you send a request to a protected Gateway Service.
Prerequisites
Kong Konnect
This is a Konnect tutorial and requires a Konnect personal access token.
-
Create a new personal access token by opening the Konnect PAT page and selecting Generate Token.
-
Export your token to an environment variable:
export KONNECT_TOKEN='YOUR_KONNECT_PAT'Copied! -
Run the quickstart script to automatically provision a Control Plane and Data Plane, and configure your environment:
curl -Ls https://get.konghq.com/quickstart | bash -s -- -k $KONNECT_TOKEN --deck-outputCopied!This sets up a Konnect Control Plane named
quickstart, provisions a local Data Plane, and prints out the following environment variable exports:export DECK_KONNECT_TOKEN=$KONNECT_TOKEN export DECK_KONNECT_CONTROL_PLANE_NAME=quickstart export KONNECT_CONTROL_PLANE_URL=https://us.api.konghq.com export KONNECT_PROXY_URL='http://localhost:8000'Copied!Copy and paste these into your terminal to configure your session.
decK v1.43+
decK is a CLI tool for managing Kong Gateway declaratively with state files. To complete this tutorial, install decK version 1.43 or later.
This guide uses deck gateway apply, which directly applies entity configuration to your Gateway instance.
We recommend upgrading your decK installation to take advantage of this tool.
You can check your current decK version with deck version.
Required entities
For this tutorial, you’ll need Kong Gateway entities, like Gateway Services and Routes, pre-configured. These entities are essential for Kong Gateway to function but installing them isn’t the focus of this guide. Follow these steps to pre-configure them:
-
Run the following command:
echo ' _format_version: "3.0" services: - name: example-service url: http://httpbin.konghq.com/anything routes: - name: example-route paths: - "/anything" service: name: example-service ' | deck gateway apply -Copied!
To learn more about entities, you can read our entities documentation.
Create an auth server in Kong Identity
Before you can configure the authentication plugin, you must first create an auth server in Kong Identity. We recommend creating different auth servers for different environments or subsidiaries. The auth server name is unique per each organization and each Konnect region.
Create an auth server using the /v1/auth-servers endpoint:
curl -X POST "https://us.api.konghq.com/v1/auth-servers" \
--no-progress-meter --fail-with-body \
-H "Authorization: Bearer $KONNECT_TOKEN"\
-H "Content-Type: application/json" \
--json '{
"name": "Appointments Dev",
"audience": "http://myhttpbin.dev",
"description": "Auth server for the Appointment dev environment"
}'
Copied!
Export the auth server ID and issuer URL:
export AUTH_SERVER_ID='YOUR-AUTH-SERVER-ID'
export ISSUER_URL='YOUR-ISSUER-URL'
Copied!
Configure the auth server with scopes
Configure a scope in your auth server using the /v1/auth-servers/$AUTH_SERVER_ID/scopes endpoint:
curl -X POST "https://us.api.konghq.com/v1/auth-servers/$AUTH_SERVER_ID/scopes" \
--no-progress-meter --fail-with-body \
-H "Authorization: Bearer $KONNECT_TOKEN"\
-H "Content-Type: application/json" \
--json '{
"name": "my-scope",
"description": "Scope to test Kong Identity",
"default": false,
"include_in_metadata": false,
"enabled": true
}'
Copied!
Export your scope ID:
export SCOPE_ID='YOUR-SCOPE-ID'
Copied!
Configure the auth server with custom claims
Configure a custom claim using the /v1/auth-servers/$AUTH_SERVER_ID/claims endpoint:
curl -X POST "https://us.api.konghq.com/v1/auth-servers/$AUTH_SERVER_ID/claims" \
--no-progress-meter --fail-with-body \
-H "Authorization: Bearer $KONNECT_TOKEN"\
-H "Content-Type: application/json" \
--json '{
"name": "test-claim",
"value": "test",
"include_in_token": true,
"include_in_all_scopes": false,
"include_in_scopes": [
"'$SCOPE_ID'"
],
"enabled": true
}'
Copied!
You can also configure dynamic custom claims with dynamic claim templating to generate claims during runtime.
Create a client in the auth server
The client is the machine-to-machine credential. In this tutorial, Konnect will autogenerate the client ID and secret, but you can alternatively specify one yourself.
Configure the client using the /v1/auth-servers/$AUTH_SERVER_ID/clients endpoint:
curl -X POST "https://us.api.konghq.com/v1/auth-servers/$AUTH_SERVER_ID/clients" \
--no-progress-meter --fail-with-body \
-H "Authorization: Bearer $KONNECT_TOKEN"\
-H "Content-Type: application/json" \
--json '{
"name": "Client",
"grant_types": [
"client_credentials"
],
"allow_all_scopes": false,
"allow_scopes": [
"'$SCOPE_ID'"
],
"access_token_duration": 3600,
"id_token_duration": 3600,
"response_types": [
"id_token",
"token"
]
}'
Copied!
Export your client secret and client ID:
export CLIENT_SECRET='YOUR-CLIENT-SECRET'
export CLIENT_ID='YOUR-CLIENT-ID'
Copied!
Configure the Upstream OAuth plugin
You can configure the Upstream OAuth plugin to use Kong Identity as the identity provider for your Gateway Services. In this example, you’ll apply the plugin to the control plane globally, but you can alternatively apply it to a Gateway Service.
First, get the ID of the quickstart control plane you configured in the prerequisites:
curl -X GET "https://us.api.konghq.com/v2/control-planes?filter%5Bname%5D%5Bcontains%5D=quickstart" \
--no-progress-meter --fail-with-body \
-H "Authorization: Bearer $KONNECT_TOKEN"
Copied!
Export the control plane ID:
export CONTROL_PLANE_ID='YOUR-CONTROL-PLANE-ID'
Copied!
Enable the Upstream OAuth plugin globally:
curl -X POST "https://us.api.konghq.com/v2/control-planes/$CONTROL_PLANE_ID/core-entities/plugins/" \
--no-progress-meter --fail-with-body \
-H "Authorization: Bearer $KONNECT_TOKEN"\
-H "Content-Type: application/json" \
--json '{
"name": "upstream-oauth",
"config": {
"oauth": {
"token_endpoint": "'$ISSUER_URL'/oauth/token",
"grant_type": "client_credentials",
"client_id": "'$CLIENT_ID'",
"client_secret": "'$CLIENT_SECRET'",
"scopes": [
"Scope"
]
},
"behavior": {
"upstream_access_token_header_name": "Authorization"
}
}
}'
Copied!
Generate a token for the client
The Gateway Service requires an access token from the client to access the Service. Generate a token for the client by making a call to the issuer URL:
curl -X POST "$ISSUER_URL/oauth/token" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=client_credentials" \
-d "client_id=$CLIENT_ID" \
-d "client_secret=$CLIENT_SECRET" \
-d "scope=my-scope"
Copied!
Export your access token:
export ACCESS_TOKEN='YOUR-ACCESS-TOKEN'
Copied!
Access the Gateway Service using the token
Access the example-service Gateway Service using the short-lived token generated by the authorization server from Kong Identity:
FAQs
Can I retrieve my client’s secret again?
No, the secret is only shared once when the client is created. Store it securely.