OpenID Connect: Token validation for multiple IdPs - Plugin

Token validation for multiple IdPsv1.0+

You can verify tokens issued by multiple IdP using the extra_jwks_uris configuration option, with the following considerations:

Since the plugin only accepts a single issuer, any iss claim verification will fail for tokens that come from a different IdP than the one that was used in the issuer configuration option. Add all issuers as they appear in the iss claims of your tokens to the config.issuers_allowed setting.
If you make any changes to the extra_jwks_uris value, you have to clear the second level DB cache for the change to become effective. See Delete a Discovery Cache Object.

This example shows how to configure two different extra_jwks_uris to support token validation for two different IdPs.

Prerequisites

A configured identity provider (IdP)

Environment variables

ISSUER: The issuer authentication URL for your IdP. For example, if you’re using Keycloak as your IdP, the issuer URL looks like this: http://localhost:8080/realms/example-realm

Set up the plugin

Add this section to your kong.yaml configuration file:

kong.yaml

Copied!

_format_version: "3.0"
plugins:
  - name: openid-connect
    config:
      issuer: ${{ env "DECK_ISSUER" }}
      auth_methods:
      - bearer
      extra_jwks_uris:
      - example-host1/auth/realms/other/protocol/openid-connect/certs
      - example-host2/oauth2/some-id/v1/keys
      issuers_allowed:
      - issuer-url-for-example-host1
      - issuer-url-for-example-host2
      verify_signature: true
      verify_claims: false

Make the following request:

curl -i -X POST http://localhost:8001/plugins/ \
    --header "Accept: application/json" \
    --header "Content-Type: application/json" \
    --data '
    {
      "name": "openid-connect",
      "config": {
        "issuer": "'$ISSUER'",
        "auth_methods": [
          "bearer"
        ],
        "extra_jwks_uris": [
          "example-host1/auth/realms/other/protocol/openid-connect/certs",
          "example-host2/oauth2/some-id/v1/keys"
        ],
        "issuers_allowed": [
          "issuer-url-for-example-host1",
          "issuer-url-for-example-host2"
        ],
        "verify_signature": true,
        "verify_claims": false
      },
      "tags": []
    }
    '

Copied!

Make the following request:

curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/plugins/ \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer $KONNECT_TOKEN" \
    --data '
    {
      "name": "openid-connect",
      "config": {
        "issuer": "'$ISSUER'",
        "auth_methods": [
          "bearer"
        ],
        "extra_jwks_uris": [
          "example-host1/auth/realms/other/protocol/openid-connect/certs",
          "example-host2/oauth2/some-id/v1/keys"
        ],
        "issuers_allowed": [
          "issuer-url-for-example-host1",
          "issuer-url-for-example-host2"
        ],
        "verify_signature": true,
        "verify_claims": false
      },
      "tags": []
    }
    '

Copied!

Make sure to replace the following placeholders with your own values:

region: Geographic region where your Kong Konnect is hosted and operates.
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
controlPlaneId: The id of the control plane.

See the Konnect API reference to learn about region-specific URLs and personal access tokens.

echo "
apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
metadata:
  name: openid-connect
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
    konghq.com/tags: ''
  labels:
    global: 'true'
config:
  issuer: '$ISSUER'
  auth_methods:
  - bearer
  extra_jwks_uris:
  - example-host1/auth/realms/other/protocol/openid-connect/certs
  - example-host2/oauth2/some-id/v1/keys
  issuers_allowed:
  - issuer-url-for-example-host1
  - issuer-url-for-example-host2
  verify_signature: true
  verify_claims: false
plugin: openid-connect
" | kubectl apply -f -

Copied!

Prerequisite: Configure your Personal Access Token

terraform {
  required_providers {
    konnect = {
      source  = "kong/konnect"
    }
  }
}

provider "konnect" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}

Copied!

Add the following to your Terraform configuration to create a Konnect Gateway Plugin:

resource "konnect_gateway_plugin_openid_connect" "my_openid_connect" {
  enabled = true

  config = {
    issuer = var.issuer
    auth_methods = ["bearer"]
    extra_jwks_uris = ["example-host1/auth/realms/other/protocol/openid-connect/certs", "example-host2/oauth2/some-id/v1/keys"]
    issuers_allowed = ["issuer-url-for-example-host1", "issuer-url-for-example-host2"]
    verify_signature = true
    verify_claims = false
  }
  tags = []

  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
}

Copied!

This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.

variable "issuer" {
  type = string
}

Copied!

Add this section to your kong.yaml configuration file:

kong.yaml

Copied!

_format_version: "3.0"
plugins:
  - name: openid-connect
    service: serviceName|Id
    config:
      issuer: ${{ env "DECK_ISSUER" }}
      auth_methods:
      - bearer
      extra_jwks_uris:
      - example-host1/auth/realms/other/protocol/openid-connect/certs
      - example-host2/oauth2/some-id/v1/keys
      issuers_allowed:
      - issuer-url-for-example-host1
      - issuer-url-for-example-host2
      verify_signature: true
      verify_claims: false

Make sure to replace the following placeholders with your own values:

serviceName|Id: The id or name of the service the plugin configuration will target.

Make the following request:

curl -i -X POST http://localhost:8001/services/{serviceName|Id}/plugins/ \
    --header "Accept: application/json" \
    --header "Content-Type: application/json" \
    --data '
    {
      "name": "openid-connect",
      "config": {
        "issuer": "'$ISSUER'",
        "auth_methods": [
          "bearer"
        ],
        "extra_jwks_uris": [
          "example-host1/auth/realms/other/protocol/openid-connect/certs",
          "example-host2/oauth2/some-id/v1/keys"
        ],
        "issuers_allowed": [
          "issuer-url-for-example-host1",
          "issuer-url-for-example-host2"
        ],
        "verify_signature": true,
        "verify_claims": false
      },
      "tags": []
    }
    '

Copied!

Make sure to replace the following placeholders with your own values:

serviceName|Id: The id or name of the service the plugin configuration will target.

Make the following request:

curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/services/{serviceId}/plugins/ \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer $KONNECT_TOKEN" \
    --data '
    {
      "name": "openid-connect",
      "config": {
        "issuer": "'$ISSUER'",
        "auth_methods": [
          "bearer"
        ],
        "extra_jwks_uris": [
          "example-host1/auth/realms/other/protocol/openid-connect/certs",
          "example-host2/oauth2/some-id/v1/keys"
        ],
        "issuers_allowed": [
          "issuer-url-for-example-host1",
          "issuer-url-for-example-host2"
        ],
        "verify_signature": true,
        "verify_claims": false
      },
      "tags": []
    }
    '

Copied!

Make sure to replace the following placeholders with your own values:

region: Geographic region where your Kong Konnect is hosted and operates.
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
controlPlaneId: The id of the control plane.
serviceId: The id of the service the plugin configuration will target.

See the Konnect API reference to learn about region-specific URLs and personal access tokens.

echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: openid-connect
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
    konghq.com/tags: ''
config:
  issuer: '$ISSUER'
  auth_methods:
  - bearer
  extra_jwks_uris:
  - example-host1/auth/realms/other/protocol/openid-connect/certs
  - example-host2/oauth2/some-id/v1/keys
  issuers_allowed:
  - issuer-url-for-example-host1
  - issuer-url-for-example-host2
  verify_signature: true
  verify_claims: false
plugin: openid-connect
" | kubectl apply -f -

Copied!

Next, apply the KongPlugin resource by annotating the service resource:

kubectl annotate -n kong service SERVICE_NAME konghq.com/plugins=openid-connect

Copied!

Prerequisite: Configure your Personal Access Token

terraform {
  required_providers {
    konnect = {
      source  = "kong/konnect"
    }
  }
}

provider "konnect" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}

Copied!

Add the following to your Terraform configuration to create a Konnect Gateway Plugin:

resource "konnect_gateway_plugin_openid_connect" "my_openid_connect" {
  enabled = true

  config = {
    issuer = var.issuer
    auth_methods = ["bearer"]
    extra_jwks_uris = ["example-host1/auth/realms/other/protocol/openid-connect/certs", "example-host2/oauth2/some-id/v1/keys"]
    issuers_allowed = ["issuer-url-for-example-host1", "issuer-url-for-example-host2"]
    verify_signature = true
    verify_claims = false
  }
  tags = []

  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
  service = {
    id = konnect_gateway_service.my_service.id
  }
}

Copied!

This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.

variable "issuer" {
  type = string
}

Copied!

Add this section to your kong.yaml configuration file:

kong.yaml

Copied!

_format_version: "3.0"
plugins:
  - name: openid-connect
    route: routeName|Id
    config:
      issuer: ${{ env "DECK_ISSUER" }}
      auth_methods:
      - bearer
      extra_jwks_uris:
      - example-host1/auth/realms/other/protocol/openid-connect/certs
      - example-host2/oauth2/some-id/v1/keys
      issuers_allowed:
      - issuer-url-for-example-host1
      - issuer-url-for-example-host2
      verify_signature: true
      verify_claims: false

Make sure to replace the following placeholders with your own values:

routeName|Id: The id or name of the route the plugin configuration will target.

Make the following request:

curl -i -X POST http://localhost:8001/routes/{routeName|Id}/plugins/ \
    --header "Accept: application/json" \
    --header "Content-Type: application/json" \
    --data '
    {
      "name": "openid-connect",
      "config": {
        "issuer": "'$ISSUER'",
        "auth_methods": [
          "bearer"
        ],
        "extra_jwks_uris": [
          "example-host1/auth/realms/other/protocol/openid-connect/certs",
          "example-host2/oauth2/some-id/v1/keys"
        ],
        "issuers_allowed": [
          "issuer-url-for-example-host1",
          "issuer-url-for-example-host2"
        ],
        "verify_signature": true,
        "verify_claims": false
      },
      "tags": []
    }
    '

Copied!

Make sure to replace the following placeholders with your own values:

routeName|Id: The id or name of the route the plugin configuration will target.

Make the following request:

curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/routes/{routeId}/plugins/ \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer $KONNECT_TOKEN" \
    --data '
    {
      "name": "openid-connect",
      "config": {
        "issuer": "'$ISSUER'",
        "auth_methods": [
          "bearer"
        ],
        "extra_jwks_uris": [
          "example-host1/auth/realms/other/protocol/openid-connect/certs",
          "example-host2/oauth2/some-id/v1/keys"
        ],
        "issuers_allowed": [
          "issuer-url-for-example-host1",
          "issuer-url-for-example-host2"
        ],
        "verify_signature": true,
        "verify_claims": false
      },
      "tags": []
    }
    '

Copied!

Make sure to replace the following placeholders with your own values:

region: Geographic region where your Kong Konnect is hosted and operates.
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
controlPlaneId: The id of the control plane.
routeId: The id of the route the plugin configuration will target.

See the Konnect API reference to learn about region-specific URLs and personal access tokens.

echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: openid-connect
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
    konghq.com/tags: ''
config:
  issuer: '$ISSUER'
  auth_methods:
  - bearer
  extra_jwks_uris:
  - example-host1/auth/realms/other/protocol/openid-connect/certs
  - example-host2/oauth2/some-id/v1/keys
  issuers_allowed:
  - issuer-url-for-example-host1
  - issuer-url-for-example-host2
  verify_signature: true
  verify_claims: false
plugin: openid-connect
" | kubectl apply -f -

Copied!

Next, apply the KongPlugin resource by annotating the httproute or ingress resource:

kubectl annotate -n kong httproute  konghq.com/plugins=openid-connect

Copied!

kubectl annotate -n kong ingress  konghq.com/plugins=openid-connect

Copied!

Prerequisite: Configure your Personal Access Token

terraform {
  required_providers {
    konnect = {
      source  = "kong/konnect"
    }
  }
}

provider "konnect" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}

Copied!

Add the following to your Terraform configuration to create a Konnect Gateway Plugin:

resource "konnect_gateway_plugin_openid_connect" "my_openid_connect" {
  enabled = true

  config = {
    issuer = var.issuer
    auth_methods = ["bearer"]
    extra_jwks_uris = ["example-host1/auth/realms/other/protocol/openid-connect/certs", "example-host2/oauth2/some-id/v1/keys"]
    issuers_allowed = ["issuer-url-for-example-host1", "issuer-url-for-example-host2"]
    verify_signature = true
    verify_claims = false
  }
  tags = []

  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
  route = {
    id = konnect_gateway_route.my_route.id
  }
}

Copied!

This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.

variable "issuer" {
  type = string
}

Copied!

OpenID Connect

Token validation for multiple IdPsv1.0+

Prerequisites

Environment variables

Set up the plugin

Help us make these docs great!

Still need help?