Home / How-to Guides
Edit
Report

Configure OpenID Connect with Consumer authorization

Uses: Kong Gateway decK
Related Documentation
All Gateway Documentation
All decK Documentation
Tags
#authorization #openid-connect
Related Resources
OpenID Connect in Kong Gateway
Authentication in Kong Gateway
OpenID Connect authorization options
Consumer authorization in OIDC
OpenID Connect tutorials
Minimum Version
Kong Gateway - 3.4
TL;DR

Use the OpenID Connect plugin with Consumers for authorization and dynamically map claim values to Consumers. This only allows IdP users that have a matching Consumer in Kong Gateway to access your Services, giving you more control over which clients have access to Kong Gateway.

Set up any type of authentication (the password grant, in this guide) and enable Consumer mapping by setting a claim to map to.

Prerequisites

Kong Konnect

This is a Konnect tutorial. If you don’t have a Konnect account, you can get started quickly with our onboarding wizard.

  1. The following Konnect items are required to complete this tutorial:

    • Personal access token (PAT): Create a new personal access token by opening the Konnect PAT page and selecting Generate Token.
    • Control Plane Name: You can use an existing Control Plane or create a new one to use for this tutorial.
    • Konnect Proxy URL: By default, a self-hosted Data Plane uses http://localhost:8000. You can set up Data Plane nodes for your Control Plane from the Gateway Manager in Konnect.

  2. Set the personal access token, the Control Plane name, the Control Plane URL, and the Konnect proxy URL as environment variables:

     export DECK_KONNECT_TOKEN='YOUR KONNECT TOKEN'
 export DECK_KONNECT_CONTROL_PLANE_NAME='YOUR CONTROL PLANE NAME'
 export KONNECT_CONTROL_PLANE_URL=https://us.api.konghq.com
 export KONNECT_PROXY_URL='KONNECT PROXY URL'

Kong Gateway running

This tutorial requires Kong Gateway Enterprise. If you don’t have Kong Gateway set up yet, you can use the quickstart script with an enterprise license to get an instance of Kong Gateway running almost instantly.

  1. Export your license to an environment variable:

     export KONG_LICENSE_DATA='LICENSE-CONTENTS-GO-HERE'

  2. Run the quickstart script:

     curl -Ls https://get.konghq.com/quickstart | bash -s -- -e KONG_LICENSE_DATA

    Once Kong Gateway is ready, you will see the following message:

     Kong Gateway Ready

decK

decK is a CLI tool for managing Kong Gateway declaratively with state files. To complete this tutorial you will first need to install decK.

Required entities

For this tutorial, you’ll need Kong Gateway entities, like Gateway Services and Routes, pre-configured. These entities are essential for Kong Gateway to function but installing them isn’t the focus of this guide. Follow these steps to pre-configure them:

  1. Run the following command:

    echo '
_format_version: "3.0"
services:
  - name: example-service
    url: http://httpbin.konghq.com/anything
routes:
  - name: example-route
    paths:
    - "/anything"
    service:
      name: example-service
' | deck gateway apply -

To learn more about entities, you can read our entities documentation.

Set up Keycloak

This tutorial requires an identity provider (IdP). If you don’t have one, you can use Keycloak. The steps will be similar in other standard identity providers.

Create a client

  1. Install Keycloak (version 26 or later) on your platform.

    For example, you can use the Keycloak Docker image:

     docker run -p 8080:8080 \
   -e KC_BOOTSTRAP_ADMIN_USERNAME=admin \
   -e KC_BOOTSTRAP_ADMIN_PASSWORD=admin \
   quay.io/keycloak/keycloak start-dev

  2. Open the admin console.

    The default URL of the console is http://$YOUR_KEYCLOAK_HOST:8080/admin/master/console/.

  3. In the sidebar, open Clients, then click Create client.
  4. Configure the client:

Section

Settings
General settings
  • Client type: OpenID Connect
  • Client ID: any unique name, for example kong
Capability config
  • Toggle Client authentication to on
  • Make sure that Standard flow, Direct access grants, and Service accounts roles are checked.
Login settings Valid redirect URIs: http://localhost:8000/*

Set up keys and credentials

  1. In your client, open the Credentials tab.
  2. Set Client Authenticator to Client ID and Secret.
  3. Copy the Client Secret.
  4. Switch to the Users menu and add a user.
  5. Open the user’s Credentials tab and add a password. Be sure to disable Temporary Password.

In this guide, we’re going to use an example user named alex with the password doe.

Export to environment variables

Export your client secret, client ID, and issuer URL to environment variables so that you can pass them more securely. For example:

export DECK_ISSUER=http://host.docker.internal:8080/realms/master
export DECK_CLIENT_ID=kong
export DECK_CLIENT_SECRET=UNT3GPzCKI7zUbhAmFSUGbj4wmiBDGiW

Enable the OpenID Connect plugin

Using the Keycloak and Kong Gateway configuration from the prerequisites, set up an instance of the OpenID Connect plugin. In this example, we’re using the simple password grant with the preferred_username Consumer claim.

Enable the OpenID Connect plugin on the example-service Service:

echo '
_format_version: "3.0"
plugins:
  - name: openid-connect
    service: example-service
    config:
      issuer: "${{ env "DECK_ISSUER" }}"
      client_id:
      - "${{ env "DECK_CLIENT_ID" }}"
      client_secret:
      - "${{ env "DECK_CLIENT_SECRET" }}"
      client_auth:
      - client_secret_post
      auth_methods:
      - password
      consumer_claim:
      - preferred_username
      consumer_by:
      - username
' | deck gateway apply -

In this example:

  • issuer, client ID, client secret, and client auth: Settings that connect the plugin to your IdP (in this case, the sample Keycloak app).
  • auth_methods: Specifies that the plugin should use the password grant, for easy testing.
  • consumer_claim and consumer_by : Looks for a preferred_username in the token payload and maps it to the Consumer entity by the entity’s username value.

Note: Setting config.client_auth to client_secret_post lets you easily test the connection to your IdP, but we recommend using a more secure auth method in production. You can use any of the supported client auth methods.

Create a Consumer

First, let’s try to access the Service without a matching Consumer. Request the Service with the basic authentication credentials created in the prerequisites:

curl -i -X GET "$KONNECT_PROXY_URL/anything" \
     -u alex:doe

curl -i -X GET "http://localhost:8000/anything" \
     -u alex:doe

You should get a 403 Forbidden error code, which means the Service is protected by authentication.

Create a Consumer with a username that matches the user in your IdP, in this case alex:

echo '
_format_version: "3.0"
consumers:
  - username: alex
' | deck gateway apply -

Verify Consumer authorization

Now, your configured Consumer can access the example-route Route by using their username and password in username:password format:

curl -i -X GET "$KONNECT_PROXY_URL/anything" \
     -u alex:doe

curl -i -X GET "http://localhost:8000/anything" \
     -u alex:doe

This time, you should get a 200 response. The OIDC plugin decodes the token it receives from the IdP, finds the preferred_username value, and maps it to our Consumer alex.

In the response, you’ll see that the plugin added the X-Consumer-Id and X-Consumer-Username as request headers, and returned an Authorization bearer token:

"Authorization": "Bearer abcxyz...",
"X-Consumer-Id": "some-uuid",
"X-Consumer-Username": "alex"

Cleanup

Clean up Konnect environment

If you created a new control plane and want to conserve your free trial credits or avoid unnecessary charges, delete the new control plane used in this tutorial.

Destroy the Kong Gateway container

 
curl -Ls https://get.konghq.com/quickstart | bash -s -- -d

FAQs

When using Consumer authorization, is Consumer mapping required?

Consumer mapping is required by default, but you can make Consumer mapping optional and non-authorizing by setting the OpenID Connect plugin’s configuration parameter config.consumer_optional to true.

Can I use Consumer mapping with ACL allow/deny lists?

Yes, you can combine the Consumer claim with the authorization group claim to further secure your environment. See the how-to on configuring OIDC with ACL groups for more information.

Something wrong?
Report an Issue | Edit this Page

Help us make these docs great!

Kong Developer docs are open source. If you find these useful and want to make them better, contribute today!
Contribute

Still need help

Ask in our Forum
Contact Support