Home / How-to Guides
Edit
Report

Configure OpenID Connect with the authorization code flow

Uses: Kong Gateway deck
Related Documentation
All Gateway Documentation
All decK Documentation
Tags
#authentication #openid-connect
Related Resources
Configure OpenID Connect with the authorization code flow and Okta
OpenID Connect in Kong Gateway
Authentication in Kong Gateway
OpenID Connect authentication flows and grants
Authorization code workflow
OpenID Connect tutorials
Minimum Version
Kong Gateway - 3.4
TL;DR

Using the OpenID Connect plugin, set up the auth code flow to connect to an identity provider (IdP) through a browser, and use session authentication to store open sessions. You can do this by specifying authorization_code and session in the config.auth_methods plugin settings.

Prerequisites

Kong Konnect

This is a Konnect tutorial and requires a Konnect personal access token.

  1. Create a new personal access token by opening the Konnect PAT page and selecting Generate Token.

  2. Export your token to an environment variable:

     export KONNECT_TOKEN='YOUR_KONNECT_PAT'

  3. Run the quickstart script to automatically provision a Control Plane and Data Plane, and configure your environment:

     curl -Ls https://get.konghq.com/quickstart | bash -s -- -k $KONNECT_TOKEN --deck-output

    This sets up a Konnect Control Plane named quickstart, provisions a local Data Plane, and prints out the following environment variable exports:

     export DECK_KONNECT_TOKEN=$KONNECT_TOKEN
 export DECK_KONNECT_CONTROL_PLANE_NAME=quickstart
 export KONNECT_CONTROL_PLANE_URL=https://us.api.konghq.com
 export KONNECT_PROXY_URL='http://localhost:8000'

    Copy and paste these into your terminal to configure your session.

Kong Gateway running

This tutorial requires Kong Gateway Enterprise. If you don’t have Kong Gateway set up yet, you can use the quickstart script with an enterprise license to get an instance of Kong Gateway running almost instantly.

  1. Export your license to an environment variable:

     export KONG_LICENSE_DATA='LICENSE-CONTENTS-GO-HERE'

  2. Run the quickstart script:

    curl -Ls https://get.konghq.com/quickstart | bash -s -- -e KONG_LICENSE_DATA

    Once Kong Gateway is ready, you will see the following message:

     Kong Gateway Ready

decK

decK is a CLI tool for managing Kong Gateway declaratively with state files. To complete this tutorial you will first need to install decK.

Required entities

For this tutorial, you’ll need Kong Gateway entities, like Gateway Services and Routes, pre-configured. These entities are essential for Kong Gateway to function but installing them isn’t the focus of this guide. Follow these steps to pre-configure them:

  1. Run the following command:

    echo '
_format_version: "3.0"
services:
  - name: example-service
    url: http://httpbin.konghq.com/anything
routes:
  - name: example-route
    paths:
    - "/anything"
    service:
      name: example-service
' | deck gateway apply -

To learn more about entities, you can read our entities documentation.

Set up Keycloak

This tutorial requires an identity provider (IdP). If you don’t have one, you can use Keycloak. The steps will be similar in other standard identity providers.

Create a client

  1. Install Keycloak (version 26 or later) on your platform.

    For example, you can use the Keycloak Docker image:

     docker run -p 127.0.0.1:8080:8080 \
   -e KC_BOOTSTRAP_ADMIN_USERNAME=admin \
   -e KC_BOOTSTRAP_ADMIN_PASSWORD=admin \
   quay.io/keycloak/keycloak start-dev

  2. Open the admin console.

    The default URL of the console is http://$YOUR_KEYCLOAK_HOST:8080/admin/master/console/.

  3. In the sidebar, open Clients, then click Create client.
  4. Configure the client:

Section

Settings
General settings
  • Client type: OpenID Connect
  • Client ID: any unique name, for example kong
Capability config
  • Toggle Client authentication to on
  • Make sure that Standard flow, Direct access grants, and Service accounts roles are checked.
Login settings Valid redirect URIs: http://localhost:8000/*

Set up keys and credentials

  1. In your client, open the Credentials tab.
  2. Set Client Authenticator to Client ID and Secret.
  3. Copy the Client Secret.
  4. Switch to the Users menu and add a user.
  5. Open the user’s Credentials tab and add a password. Be sure to disable Temporary Password.

In this guide, we’re going to use an example user named alex with the password doe.

Export to environment variables

Export your client secret, client ID, and issuer URL to environment variables so that you can pass them more securely. For example:

export DECK_ISSUER="http://host.docker.internal:8080/realms/master"
export DECK_CLIENT_ID="kong"
export DECK_CLIENT_SECRET="UNT3GPzCKI7zUbhAmFSUGbj4wmiBDGiW"

export DECK_ISSUER="http://host.docker.internal:8080/realms/master"
export DECK_CLIENT_ID="kong"
export DECK_CLIENT_SECRET="UNT3GPzCKI7zUbhAmFSUGbj4wmiBDGiW"

Enable the OpenID Connect plugin with the auth code flow

Using the Keycloak and Kong Gateway configuration from the prerequisites, set up an instance of the OpenID Connect plugin with the auth code flow and session authentication.

Enable the OpenID Connect plugin on the example-service Service:

echo '
_format_version: "3.0"
plugins:
  - name: openid-connect
    service: example-service
    config:
      issuer: "${{ env "DECK_ISSUER" }}"
      client_id:
      - "${{ env "DECK_CLIENT_ID" }}"
      client_secret:
      - "${{ env "DECK_CLIENT_SECRET" }}"
      client_auth:
      - client_secret_post
      auth_methods:
      - authorization_code
      - session
      response_mode: form_post
      preserve_query_args: true
      login_action: redirect
      login_tokens: 
      authorization_endpoint: http://localhost:8080
' | deck gateway apply -

In this example:

  • issuer, client ID, client secret, and client auth: Settings that connect the plugin to your IdP (in this case, the sample Keycloak app).
  • auth_methods: Specifies that the plugin should use session auth and the authorization code flow.
  • response_mode: Set to form_post so that authorization codes won’t get logged to access logs.
  • preserve_query_args: Preserves the original request query arguments through the authorization code flow redirection.
  • login_action: Redirects the client to the original request URL after the authorization code flow. This turns the POST request into a GET request, and the browser address bar is updated with the original request query arguments.
  • login_tokens: Configures the plugin so that tokens aren’t included in the browser address bar.
  • authorization_endpoint: Sets a custom endpoint for authorization, overriding the endpoint returned by discovery through the IdP. We need this setting because we’re running the example through Docker, otherwise the discovery endpoint will try to access an internal Docker host.

Validate authorization code login

Access the Route you configured in the prerequisites with some query arguments. In a new browser tab, navigate to the following:

http://localhost:8000/anything?hello=world

The browser should be redirected to the Keycloak login page.

Let’s check what happens if you access the same URL using cURL:

 curl -i -X GET "$KONNECT_PROXY_URL/anything?hello=world"

 curl -i -X GET "http://localhost:8000/anything?hello=world"

You should see a 302 response with the session access token in the response, and a Location header that shows where the request is being redirected to.

Cleanup

Clean up Konnect environment

If you created a new control plane and want to conserve your free trial credits or avoid unnecessary charges, delete the new control plane used in this tutorial.

Destroy the Kong Gateway container

 
curl -Ls https://get.konghq.com/quickstart | bash -s -- -d

FAQs

How do I enable the Proof Key for Code Exchange (PKCE) extension to the authorization code flow in the OIDC plugin?

The OIDC plugin supports PKCE out of the box, so you don’t need to configure anything. When config.auth_methods is set to authorization_code, the plugin sends the required code_challenge parameter automatically with the authorization code flow request.

If the IdP connected to the plugin enforces PKCE, it will be used during the authorization code flow. If the IdP doesn’t support or enforce PCKE, it won’t be used.

Something wrong?
Report an Issue | Edit this Page

Help us make these docs great!

Kong Developer docs are open source. If you find these useful and want to make them better, contribute today!
Contribute

Still need help

Ask in our Forum
Contact Support