OpenID Connect: OpenID Connect with Azure AD - Plugin

OpenID Connect with Azure AD

Authenticate browser clients using an Azure AD identity provider.

The following configuration example allows users to authenticate and access the upstream service even though no Consumer was created for them. This means any user with a valid account in the directory will have access. If you want to restrict access further, you have several options:

Domain restrictions: Azure AD doesn’t provide identity tokens with the hd claim, so the OIDC plugin’s domains configuration can’t restrict users based on their domain. Using a single-tenant application will restrict access to users in your directory only. Multi-tenant apps allow users with Microsoft accounts from other directories and optionally any Microsoft account (for example live.com or Xbox accounts) to sign in.
Consumer mapping: If you need to interact with other Kong Gateway plugins using consumer information, you can map account data received from the IdP to a Kong Gateway Consumer. See OIDC with Consumer authorization.
Pseudo-Consumer mapping: For plugins that typically require Consumers, the OIDC plugin can provide a Consumer ID based on the value of a claim without mapping to an actual Consumer. Setting credential_claim to a claim in your plugin configuration extracts the value of that claim and uses it where Kong Gateway would normally use a Consumer ID. Similarly, setting authenticated_groups_claim extracts that claim’s value and uses it as a group for the ACL plugin.

Note: Azure AD provides two interfaces for its OAuth2/OIDC-related endpoints: v1.0 and v2.0. Support for some legacy v1.0 behavior is still available on v2.0, including use of v1.0 tokens by default, which is not compatible with Kong Gateway’s OIDC implementation. To force Azure AD to use v2.0 tokens, edit your application manifest and set accessTokenAcceptedVersion to 2 and include a CLIENT_ID/.default scope in your plugin configuration (see example).

Prerequisites

A Gateway Service and Route secured with HTTPS.
In Azure AD, configure an authorized redirect URI that is handled by your Route.
In Azure AD, register an app and add a client secret credential that this plugin will use to access it.

Environment variables

ISSUER: The issuer authentication URL for your IdP. For Azure AD, that typically looks like this: https://login.microsoftonline.com/$DIRECTORY/v2.0/.well-known/openid-configuration. You can find this URL by clicking Endpoints on your app registration’s Overview page.
CLIENT_ID: The client ID that the plugin uses when it calls authenticated endpoints of the IdP, shown on your Azure AD app registration’s Overview page.
CLIENT_SECRET: The URL-encoded representation of the secret you created in the Azure AD Certificates & Secrets section.
REDIRECT_URI: The URI you specified when configuring your app. If you didn’t add one initially, you can add a redirect URI via the Authentication section of the app settings.

Set up the plugin

Add this section to your declarative configuration file:

_format_version: "3.0"
plugins:
  - name: openid-connect
    config:
      issuer: ${{ env "DECK_ISSUER" }}
      client_id:
      - ${{ env "DECK_CLIENT_ID" }}
      client_secret:
      - ${{ env "DECK_CLIENT_SECRET" }}
      redirect_uri:
      - ${{ env "DECK_REDIRECT_URI" }}
      scopes:
      - openid
      - email
      - profile
      - ${{ env "DECK_CLIENT_ID" }}/.default
      verify_parameters: false

Make the following request:

curl -i -X POST http://localhost:8001/plugins/ \
    --header "Accept: application/json" \
    --header "Content-Type: application/json" \
    --data '
    {
      "name": "openid-connect",
      "config": {
        "issuer": "'$ISSUER'",
        "client_id": [
          "'$CLIENT_ID'"
        ],
        "client_secret": [
          "'$CLIENT_SECRET'"
        ],
        "redirect_uri": [
          "'$REDIRECT_URI'"
        ],
        "scopes": [
          "openid",
          "email",
          "profile",
          "'$CLIENT_ID'/.default"
        ],
        "verify_parameters": false
      }
    }
    '

Make the following request:

curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/plugins/ \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer $KONNECT_TOKEN" \
    --data '
    {
      "name": "openid-connect",
      "config": {
        "issuer": "'$ISSUER'",
        "client_id": [
          "'$CLIENT_ID'"
        ],
        "client_secret": [
          "'$CLIENT_SECRET'"
        ],
        "redirect_uri": [
          "'$REDIRECT_URI'"
        ],
        "scopes": [
          "openid",
          "email",
          "profile",
          "'$CLIENT_ID'/.default"
        ],
        "verify_parameters": false
      }
    }
    '

Make sure to replace the following placeholders with your own values:

region: Geographic region where your Kong Konnect is hosted and operates.
controlPlaneId: The id of the control plane.
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.

See the Konnect API reference to learn about region-specific URLs and personal access tokens.

echo "
apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
metadata:
  name: openid-connect
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
  labels:
    global: 'true'
config:
  issuer: '$ISSUER'
  client_id:
  - '$CLIENT_ID'
  client_secret:
  - '$CLIENT_SECRET'
  redirect_uri:
  - '$REDIRECT_URI'
  scopes:
  - openid
  - email
  - profile
  - '$CLIENT_ID/.default'
  verify_parameters: false
plugin: openid-connect
" | kubectl apply -f -

Prerequisite: Configure your Personal Access Token

terraform {
  required_providers {
    konnect = {
      source  = "kong/konnect"
    }
  }
}

provider "konnect" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}

Add the following to your Terraform configuration to create a Konnect Gateway Plugin:

resource "konnect_gateway_plugin_openid_connect" "my_openid_connect" {
  enabled = true

  config = {
    issuer = var.issuer
    client_id = [var.client_id]
    client_secret = [var.client_secret]
    redirect_uri = [var.redirect_uri]
    scopes = ["openid", "email", "profile", var.client_id/.default]
    verify_parameters = false
  }

  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
}

This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.

variable "redirect_uri" {
  type = string
}

Add this section to your declarative configuration file:

_format_version: "3.0"
plugins:
  - name: openid-connect
    service: serviceName|Id
    config:
      issuer: ${{ env "DECK_ISSUER" }}
      client_id:
      - ${{ env "DECK_CLIENT_ID" }}
      client_secret:
      - ${{ env "DECK_CLIENT_SECRET" }}
      redirect_uri:
      - ${{ env "DECK_REDIRECT_URI" }}
      scopes:
      - openid
      - email
      - profile
      - ${{ env "DECK_CLIENT_ID" }}/.default
      verify_parameters: false

Make sure to replace the following placeholders with your own values:

serviceName|Id: The id or name of the service the plugin configuration will target.

Make the following request:

curl -i -X POST http://localhost:8001/services/{serviceName|Id}/plugins/ \
    --header "Accept: application/json" \
    --header "Content-Type: application/json" \
    --data '
    {
      "name": "openid-connect",
      "config": {
        "issuer": "'$ISSUER'",
        "client_id": [
          "'$CLIENT_ID'"
        ],
        "client_secret": [
          "'$CLIENT_SECRET'"
        ],
        "redirect_uri": [
          "'$REDIRECT_URI'"
        ],
        "scopes": [
          "openid",
          "email",
          "profile",
          "'$CLIENT_ID'/.default"
        ],
        "verify_parameters": false
      }
    }
    '

Make sure to replace the following placeholders with your own values:

serviceName|Id: The id or name of the service the plugin configuration will target.

Make the following request:

curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/services/{serviceId}/plugins/ \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer $KONNECT_TOKEN" \
    --data '
    {
      "name": "openid-connect",
      "config": {
        "issuer": "'$ISSUER'",
        "client_id": [
          "'$CLIENT_ID'"
        ],
        "client_secret": [
          "'$CLIENT_SECRET'"
        ],
        "redirect_uri": [
          "'$REDIRECT_URI'"
        ],
        "scopes": [
          "openid",
          "email",
          "profile",
          "'$CLIENT_ID'/.default"
        ],
        "verify_parameters": false
      }
    }
    '

Make sure to replace the following placeholders with your own values:

region: Geographic region where your Kong Konnect is hosted and operates.
controlPlaneId: The id of the control plane.
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
serviceId: The id of the service the plugin configuration will target.

See the Konnect API reference to learn about region-specific URLs and personal access tokens.

echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: openid-connect
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
config:
  issuer: '$ISSUER'
  client_id:
  - '$CLIENT_ID'
  client_secret:
  - '$CLIENT_SECRET'
  redirect_uri:
  - '$REDIRECT_URI'
  scopes:
  - openid
  - email
  - profile
  - '$CLIENT_ID/.default'
  verify_parameters: false
plugin: openid-connect
" | kubectl apply -f -

Next, apply the KongPlugin resource by annotating the service resource:

kubectl annotate -n kong service SERVICE_NAME konghq.com/plugins=openid-connect

Prerequisite: Configure your Personal Access Token

terraform {
  required_providers {
    konnect = {
      source  = "kong/konnect"
    }
  }
}

provider "konnect" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}

Add the following to your Terraform configuration to create a Konnect Gateway Plugin:

resource "konnect_gateway_plugin_openid_connect" "my_openid_connect" {
  enabled = true

  config = {
    issuer = var.issuer
    client_id = [var.client_id]
    client_secret = [var.client_secret]
    redirect_uri = [var.redirect_uri]
    scopes = ["openid", "email", "profile", var.client_id/.default]
    verify_parameters = false
  }

  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
  service = {
    id = konnect_gateway_service.my_service.id
  }
}

This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.

variable "redirect_uri" {
  type = string
}

Add this section to your declarative configuration file:

_format_version: "3.0"
plugins:
  - name: openid-connect
    route: routeName|Id
    config:
      issuer: ${{ env "DECK_ISSUER" }}
      client_id:
      - ${{ env "DECK_CLIENT_ID" }}
      client_secret:
      - ${{ env "DECK_CLIENT_SECRET" }}
      redirect_uri:
      - ${{ env "DECK_REDIRECT_URI" }}
      scopes:
      - openid
      - email
      - profile
      - ${{ env "DECK_CLIENT_ID" }}/.default
      verify_parameters: false

Make sure to replace the following placeholders with your own values:

routeName|Id: The id or name of the route the plugin configuration will target.

Make the following request:

curl -i -X POST http://localhost:8001/routes/{routeName|Id}/plugins/ \
    --header "Accept: application/json" \
    --header "Content-Type: application/json" \
    --data '
    {
      "name": "openid-connect",
      "config": {
        "issuer": "'$ISSUER'",
        "client_id": [
          "'$CLIENT_ID'"
        ],
        "client_secret": [
          "'$CLIENT_SECRET'"
        ],
        "redirect_uri": [
          "'$REDIRECT_URI'"
        ],
        "scopes": [
          "openid",
          "email",
          "profile",
          "'$CLIENT_ID'/.default"
        ],
        "verify_parameters": false
      }
    }
    '

Make sure to replace the following placeholders with your own values:

routeName|Id: The id or name of the route the plugin configuration will target.

Make the following request:

curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/routes/{routeId}/plugins/ \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer $KONNECT_TOKEN" \
    --data '
    {
      "name": "openid-connect",
      "config": {
        "issuer": "'$ISSUER'",
        "client_id": [
          "'$CLIENT_ID'"
        ],
        "client_secret": [
          "'$CLIENT_SECRET'"
        ],
        "redirect_uri": [
          "'$REDIRECT_URI'"
        ],
        "scopes": [
          "openid",
          "email",
          "profile",
          "'$CLIENT_ID'/.default"
        ],
        "verify_parameters": false
      }
    }
    '

Make sure to replace the following placeholders with your own values:

region: Geographic region where your Kong Konnect is hosted and operates.
controlPlaneId: The id of the control plane.
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
routeId: The id of the route the plugin configuration will target.

See the Konnect API reference to learn about region-specific URLs and personal access tokens.

echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: openid-connect
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
config:
  issuer: '$ISSUER'
  client_id:
  - '$CLIENT_ID'
  client_secret:
  - '$CLIENT_SECRET'
  redirect_uri:
  - '$REDIRECT_URI'
  scopes:
  - openid
  - email
  - profile
  - '$CLIENT_ID/.default'
  verify_parameters: false
plugin: openid-connect
" | kubectl apply -f -

Next, apply the KongPlugin resource by annotating the httproute or ingress resource:

kubectl annotate -n kong httproute  konghq.com/plugins=openid-connect

kubectl annotate -n kong ingress  konghq.com/plugins=openid-connect

Prerequisite: Configure your Personal Access Token

terraform {
  required_providers {
    konnect = {
      source  = "kong/konnect"
    }
  }
}

provider "konnect" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}

Add the following to your Terraform configuration to create a Konnect Gateway Plugin:

resource "konnect_gateway_plugin_openid_connect" "my_openid_connect" {
  enabled = true

  config = {
    issuer = var.issuer
    client_id = [var.client_id]
    client_secret = [var.client_secret]
    redirect_uri = [var.redirect_uri]
    scopes = ["openid", "email", "profile", var.client_id/.default]
    verify_parameters = false
  }

  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
  route = {
    id = konnect_gateway_route.my_route.id
  }
}

This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.

variable "redirect_uri" {
  type = string
}

OpenID Connect

OpenID Connect with Azure AD

Prerequisites

Environment variables

Set up the plugin

Help us make these docs great!

Still need help