Authorization code flow

This example configures the OpenID Connect plugin with an authorization code flow.

Here’s how the auth code flow works:

```mermaid
sequenceDiagram
    autonumber
    participant client as Client<br>(e.g. mobile app)
    participant kong as API Gateway<br>(Kong)
    participant idp as IdP<br>(e.g. Keycloak)
    participant httpbin as Upstream<br>(upstream service,<br>e.g. httpbin)
    activate client
    activate kong
    client->>kong: HTTP request
    kong->>client: Redirect mobile app to IDP
    deactivate kong
    activate idp
    client->>idp: Request access and authentication<br>with client parameter
    Note left of idp: /auth<br>response_type=code,<br>scope=openid
    idp->>client: Login (ask for consent)
    client->>idp: /auth with user credentials (grant consent)
    idp->>client: Return authorization code and redirect
    Note left of idp: short-lived authcode
    activate kong
    client->>kong: HTTP redirect with authorization code
    deactivate client
    kong->>kong: Verify authorization code flow
    kong->>idp: Request ID token, access token, and refresh token
    Note left of idp: /token<br>client_id:client_secret<br>authcode
    idp->>idp: Authenticate client (Kong)<br>and validate authcode
    idp->>kong: Returns tokens
    Note left of idp: ID token, access token, and refresh token
    deactivate idp
    kong->>kong: Validate tokens
    Note right of kong: Cryptographic<br>signature validation,<br>expiry check<br>(OIDC Standard JWT validation)
    activate client
    kong->>client: Redirect with session cookie<br>having session ID (SID)
    Note left of kong: sid: cryptorandom bytes<br>(128 bits)<br>& HMAC protected
    client->>kong: Authenticated request with session cookie
    deactivate client
    kong->>kong: Verify session cookie
    Note right of kong: Retrieve encrypted tokens<br>from session store (redis)
    activate httpbin
    kong->>httpbin: Backend service request with tokens
    Note right of idp: Access token and ID token
    httpbin->>kong: Backend service response
    deactivate httpbin
    activate client
    kong->>client: HTTP response
    deactivate kong
    deactivate client
```

For a full example that shows you how to set up the authorization code flow with Keycloak, see Configure OpenID Connect with the auth code flow.

Note: Setting config.client_auth to client_secret_post lets you easily test the connection to your IdP, but we recommend using a more secure auth method in production. You can use any of the supported client auth methods.

Prerequisites

  • A configured identity provider (IdP)

Environment variables

  • ISSUER: The issuer authentication URL for your IdP. For example, if you’re using Keycloak as your IdP, the issuer URL looks like this: http://localhost:8080/realms/example-realm

  • CLIENT_ID: The client ID that the plugin uses when it calls authenticated endpoints of the IdP.

  • CLIENT_SECRET: The client secret needed to connect to your IdP.

Set up the plugin
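The following is an added example, not the page's own setup script: it builds the openid-connect plugin configuration for the authorization code flow from the ISSUER, CLIENT_ID and CLIENT_SECRET variables listed above and submits it to the Kong Admin API. The Admin API address, the service name `example-service` and the REDIRECT_URI default are assumptions; `client_auth` is set to `client_secret_post` as the note above describes for testing.

```shell
#!/bin/sh
# Added example (not from the Kong docs page). Assumed: Admin API at KONG_ADMIN,
# an existing service named in SERVICE, and REDIRECT_URI pointing at the callback
# path Kong serves for this route. ISSUER, CLIENT_ID and CLIENT_SECRET are the
# environment variables the page lists.

KONG_ADMIN="${KONG_ADMIN:-http://localhost:8001}"
SERVICE="${SERVICE:-example-service}"
REDIRECT_URI="${REDIRECT_URI:-http://localhost:8000/example/callback}"

# Emit the plugin body as JSON. The ${VAR:?} checks make the function fail with a
# non-zero status if a required variable is unset, so an empty issuer or secret
# is never sent to the gateway.
oidc_plugin_json() {
  : "${ISSUER:?ISSUER is required}" "${CLIENT_ID:?CLIENT_ID is required}" \
    "${CLIENT_SECRET:?CLIENT_SECRET is required}"
  cat <<EOF
{
  "name": "openid-connect",
  "config": {
    "issuer": "${ISSUER}",
    "client_id": ["${CLIENT_ID}"],
    "client_secret": ["${CLIENT_SECRET}"],
    "client_auth": ["client_secret_post"],
    "auth_methods": ["authorization_code"],
    "scopes": ["openid"],
    "redirect_uri": ["${REDIRECT_URI}"]
  }
}
EOF
}

# POST the configuration to the service's plugins collection. -f makes curl
# return non-zero on a 4xx/5xx from the Admin API (e.g. a rejected field).
configure_plugin() {
  oidc_plugin_json | curl -sS -f -X POST "${KONG_ADMIN}/services/${SERVICE}/plugins" \
    -H 'Content-Type: application/json' --data @-
}
```

Run `configure_plugin` after exporting the three variables; client_secret_post is the testing-friendly choice the note above mentions, so swap `client_auth` for one of the other supported methods before production use.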
