Configure OpenID Connect with the password grant
Using the OpenID Connect plugin, set up the password grant flow to connect to an identity provider (IdP) by passing a username and password in a header.
Prerequisites
Kong Konnect
This is a Konnect tutorial and requires a Konnect personal access token.
-
Create a new personal access token by opening the Konnect PAT page and selecting Generate Token.
-
Export your token to an environment variable:
export KONNECT_TOKEN='YOUR_KONNECT_PAT' -
Run the quickstart script to automatically provision a Control Plane and Data Plane, and configure your environment:
curl -Ls https://get.konghq.com/quickstart | bash -s -- -k $KONNECT_TOKEN --deck-outputThis sets up a Konnect Control Plane named
quickstart, provisions a local Data Plane, and prints out the following environment variable exports:export DECK_KONNECT_TOKEN=$KONNECT_TOKEN export DECK_KONNECT_CONTROL_PLANE_NAME=quickstart export KONNECT_CONTROL_PLANE_URL=https://us.api.konghq.com export KONNECT_PROXY_URL='http://localhost:8000'Copy and paste these into your terminal to configure your session.
Kong Gateway running
This tutorial requires Kong Gateway Enterprise. If you don’t have Kong Gateway set up yet, you can use the quickstart script with an enterprise license to get an instance of Kong Gateway running almost instantly.
-
Export your license to an environment variable:
export KONG_LICENSE_DATA='LICENSE-CONTENTS-GO-HERE' -
Run the quickstart script:
curl -Ls https://get.konghq.com/quickstart | bash -s -- -e KONG_LICENSE_DATAOnce Kong Gateway is ready, you will see the following message:
Kong Gateway Ready
decK
decK is a CLI tool for managing Kong Gateway declaratively with state files. To complete this tutorial you will first need to install decK.
Required entities
For this tutorial, you’ll need Kong Gateway entities, like Gateway Services and Routes, pre-configured. These entities are essential for Kong Gateway to function but installing them isn’t the focus of this guide. Follow these steps to pre-configure them:
-
Run the following command:
echo ' _format_version: "3.0" services: - name: example-service url: http://httpbin.konghq.com/anything routes: - name: example-route paths: - "/anything" service: name: example-service ' | deck gateway apply -
To learn more about entities, you can read our entities documentation.
Set up Keycloak
This tutorial requires an identity provider (IdP). If you don’t have one, you can use Keycloak. The steps will be similar in other standard identity providers.
Create a client
-
Install Keycloak (version 26 or later) on your platform.
For example, you can use the Keycloak Docker image:
docker run -p 8080:8080 \ -e KC_BOOTSTRAP_ADMIN_USERNAME=admin \ -e KC_BOOTSTRAP_ADMIN_PASSWORD=admin \ quay.io/keycloak/keycloak start-dev -
Open the admin console.
The default URL of the console is
http://$YOUR_KEYCLOAK_HOST:8080/admin/master/console/. - In the sidebar, open Clients, then click Create client.
- Configure the client:
|
Section |
Settings |
|---|---|
| General settings |
|
| Capability config |
|
| Login settings |
Valid redirect URIs: http://localhost:8000/*
|
Set up keys and credentials
- In your client, open the Credentials tab.
- Set Client Authenticator to Client ID and Secret.
- Copy the Client Secret.
- Switch to the Users menu and add a user.
- Open the user’s Credentials tab and add a password. Be sure to disable Temporary Password.
In this guide, we’re going to use an example user named alex with the password doe.
Export to environment variables
Export your client secret, client ID, and issuer URL to environment variables so that you can pass them more securely. For example:
export DECK_ISSUER=http://host.docker.internal:8080/realms/master
export DECK_CLIENT_ID=kong
export DECK_CLIENT_SECRET=UNT3GPzCKI7zUbhAmFSUGbj4wmiBDGiW
Enable the OpenID Connect plugin with the password grant
Using the Keycloak and Kong Gateway configuration from the prerequisites, set up an instance of the OpenID Connect plugin with the password grant.
Enable the OpenID Connect plugin on the example-service Service:
echo '
_format_version: "3.0"
plugins:
- name: openid-connect
service: example-service
config:
issuer: "${{ env "DECK_ISSUER" }}"
client_id:
- "${{ env "DECK_CLIENT_ID" }}"
client_secret:
- "${{ env "DECK_CLIENT_SECRET" }}"
client_auth:
- client_secret_post
auth_methods:
- password
password_param_type:
- header
' | deck gateway apply -
In this example:
-
issuer,client ID,client secret, andclient auth: Settings that connect the plugin to your IdP (in this case, the sample Keycloak app). -
auth_methods: Specifies that the plugin should use the password grant for authentication. -
password_param_type: Restricts username and password lookup to request headers only.
Note: Setting
config.client_authtoclient_secret_postlets you easily test the connection to your IdP, but we recommend using a more secure auth method in production. You can use any of the supported client auth methods.
Validate the password grant
Now, validate the setup by accessing the example-route Route and passing the user credentials in username:password format.
The following user has the username alex and the password doe:
curl -i -X GET "$KONNECT_PROXY_URL/anything" \
-u alex:doe
curl -i -X GET "http://localhost:8000/anything" \
-u alex:doe
If Kong Gateway successfully authenticates with Keycloak, you’ll see a 200 response with your bearer token in the Authorization header.
If you make another request using the same credentials, you’ll see that Kong Gateway adds less latency to the request because it has cached the token endpoint call to Keycloak:
X-Kong-Proxy-Latency: 25
Cleanup
Clean up Konnect environment
If you created a new control plane and want to conserve your free trial credits or avoid unnecessary charges, delete the new control plane used in this tutorial.
Destroy the Kong Gateway container
curl -Ls https://get.konghq.com/quickstart | bash -s -- -d