Demonstrating Proof-of-Possession (DPoP)

Configure the OpenID Connect plugin for Demonstrating Proof-of-Possession by using the proof_of_possession_dpop configuration option.

Here’s how DPoP works:

sequenceDiagram
    autonumber
    participant client as Client<br/>(e.g. mobile app)
    participant kong as API Gateway<br/>(Kong Gateway)
    participant upstream as Upstream<br/>(backend service,<br/>e.g. httpbin)
    participant idp as Authentication Server<br/>(e.g. Keycloak)
    activate client
    client->>client: generate key pair
    client->>idp: POST /oauth2/token<br/>DPoP: $PROOF
    deactivate client
    activate idp
    idp-->>client: DPoP bound access token ($AT)
    activate client
    deactivate idp
    client->>kong: GET https://example.com/resource<br/>Authorization: DPoP $AT<br/>DPoP: $PROOF
    activate kong
    deactivate client
    kong->>kong: validate $AT and $PROOF
    kong->>upstream: proxied request<br/>GET https://example.com/resource<br/>Authorization: Bearer $AT
    deactivate kong
    activate upstream
    upstream-->>kong: upstream response
    deactivate upstream
    activate kong
    kong-->>client: response
    deactivate kong

This method binds the access token to a JSON Web Key (JWK) provided by the client.

Prerequisites

  • A configured identity provider (IdP) with DPoP enabled

Environment variables

  • ISSUER: The well-known issuer endpoint of your IdP, for example http://keycloak.test:8080/realms/master.

  • CLIENT_ID: The client ID that the plugin uses when it calls authenticated endpoints of the IdP.

  • CLIENT_SECRET: The client secret needed to connect to your IdP.

Set up the plugin
