JWT access token authentication
Configure the OpenID Connect plugin with JWT access token authentication.
Here’s how JWT access token auth works:
```mermaid
sequenceDiagram
    autonumber
    participant client as Client<br>(e.g. mobile app)
    participant kong as API Gateway<br>(Kong)
    participant httpbin as Upstream<br>(upstream service,<br>e.g. httpbin)
    activate client
    activate kong
    client->>kong: Request with<br>access token
    deactivate client
    kong->>kong: load access token
    kong->>kong: verify signature
    kong->>kong: verify claims
    activate httpbin
    kong->>httpbin: request with<br>access token
    httpbin->>kong: response
    deactivate httpbin
    activate client
    kong->>client: response
    deactivate kong
    deactivate client
```
The gateway never contacts the IdP per request: it loads the token from the request, checks the signature against the issuer's published signing keys, checks the claims (issuer, audience, expiry), and only then forwards the request with the token to the upstream.
In this example, the plugin accepts a bearer token only when it is sent in a query string. You can instead set the bearer_token_param_type parameter to body, header, or any combination of these values. Prefer header in production: a token carried in the query string is written to access logs, proxy logs and browser history and leaks through the Referer header, where it can be replayed until it expires.
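The three gateway-side steps in the diagram above (load the token from an allowed location, verify the signature, verify the claims) and the effect of bearer_token_param_type, as an added example that models the plugin's behaviour and is not Kong's own code. It uses HS256 with a shared secret so it runs offline with only the standard library; Kong and Keycloak normally use RS256 with keys fetched from the issuer's JWKS endpoint, but the checks are the same. The secret, issuer, audience and sample tokens are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def load_access_token(request: dict, param_types=("header",)) -> Optional[str]:
    """Step 2 of the diagram, mirroring bearer_token_param_type: look only in
    the locations the configuration allows (header, query, body)."""
    for where in param_types:
        if where == "header":
            auth = request.get("headers", {}).get("Authorization", "")
            if auth.lower().startswith("bearer "):
                return auth[7:].strip()
        elif where == "query":
            if request.get("query", {}).get("access_token"):
                return request["query"]["access_token"]
        elif where == "body":
            if request.get("body", {}).get("access_token"):
                return request["body"]["access_token"]
    return None


def verify_signature(token: str, secret: bytes) -> Optional[dict]:
    """Step 3: return the payload if the HS256 signature checks out, else None.
    The 'alg' accepted is pinned by the verifier, never taken from the token."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        sig = b64url_decode(s)
    except ValueError:  # malformed base64, JSON or wrong segment count
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(b64url_decode(p))


def verify_claims(payload: dict, issuer: str, audience: str,
                  now: Optional[int] = None, leeway: int = 0) -> bool:
    """Step 4: issuer must match, audience must include us, token must be
    inside its validity window. A valid signature from the wrong issuer or
    for another audience is still rejected."""
    now = int(time.time()) if now is None else now
    if payload.get("iss") != issuer:
        return False
    aud = payload.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        return False
    if "exp" not in payload or now > payload["exp"] + leeway:
        return False
    if now < payload.get("nbf", 0) - leeway:
        return False
    return True


def authenticate(request: dict, secret: bytes, issuer: str, audience: str,
                 param_types=("header",), now: Optional[int] = None) -> str:
    """Return 'ok' or the reason the gateway would reject the request."""
    token = load_access_token(request, param_types)
    if token is None:
        return "no token"
    payload = verify_signature(token, secret)
    if payload is None:
        return "bad signature"
    if not verify_claims(payload, issuer, audience, now):
        return "bad claims"
    return "ok"


# Constructed sample data for the example (not a real IdP or real secret).
SECRET = b"constructed-demo-secret"
ISSUER = "http://localhost:8080/realms/example-realm"
AUDIENCE = "kong"
NOW = 1_700_000_000


def mint(claims: dict, secret: bytes = SECRET, alg: str = "HS256") -> str:
    """Issue a test token the way the IdP would (HS256 stand-in for RS256)."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


GOOD = mint({"iss": ISSUER, "aud": AUDIENCE, "sub": "alice", "exp": NOW + 300})
EXPIRED = mint({"iss": ISSUER, "aud": AUDIENCE, "sub": "alice", "exp": NOW - 1})
FORGED = mint({"iss": ISSUER, "aud": AUDIENCE, "sub": "admin", "exp": NOW + 300},
              secret=b"attacker-key")

if __name__ == "__main__":
    in_header = {"headers": {"Authorization": f"Bearer {GOOD}"}}
    in_query = {"query": {"access_token": GOOD}}
    print(authenticate(in_header, SECRET, ISSUER, AUDIENCE, now=NOW))
    print(authenticate(in_query, SECRET, ISSUER, AUDIENCE, now=NOW))            # header-only config
    print(authenticate(in_query, SECRET, ISSUER, AUDIENCE, ("query",), NOW))    # query allowed
```

With the default header-only `param_types` the token in the query string is simply not found, which is the behaviour the plugin has when bearer_token_param_type excludes query; the forged and expired tokens are rejected at the signature and claims steps respectively, which is why both checks must run before the request reaches the upstream.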
For a complete example of authenticating with a JWT access token using Keycloak, see the tutorial for configuring OpenID Connect with JWT authentication.
Note: Setting config.client_auth to client_secret_post lets you easily test the connection to your IdP, but we recommend using a more secure auth method in production. You can use any of the supported client auth methods.
Prerequisites
- A configured identity provider (IdP)
Environment variables
- ISSUER: The issuer URL of your IdP. The plugin derives the OpenID Connect discovery document, and from it the token signing keys, from this URL, so it must be exactly the value the IdP places in the iss claim of the tokens it issues. For example, if you're using Keycloak as your IdP, the issuer URL looks like this: http://localhost:8080/realms/example-realm
- CLIENT_ID: The client ID that the plugin uses when it calls authenticated endpoints of the IdP.
- CLIENT_SECRET: The client secret needed to connect to your IdP.
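Putting the configuration together from these environment variables, as an added example that is not Kong's own code: it builds the openid-connect plugin body for JWT access token auth and applies it to a service through the Kong Admin API. The Admin API URL (http://localhost:8001), the service name and the `production` switch are assumptions made for the example; the plugin parameter names (issuer, client_id, client_secret, client_auth, auth_methods, bearer_token_param_type, audience_required) are the plugin's own.

```python
import json
import os
import urllib.request
from typing import Iterable, Optional

# Token locations named on this page for bearer_token_param_type.
TOKEN_LOCATIONS = {"header", "query", "body"}


def build_jwt_auth_plugin(issuer: str, client_id: str, client_secret: str,
                          param_types: Iterable[str] = ("header",),
                          client_auth: str = "client_secret_post",
                          audience: Optional[str] = None,
                          production: bool = False) -> dict:
    """Return the plugin object to POST to /services/{service}/plugins.
    auth_methods is limited to 'bearer' so the plugin only does JWT access
    token auth and does not also expose password or code flows on the route."""
    param_types = list(param_types)
    bad = set(param_types) - TOKEN_LOCATIONS
    if bad or not param_types:
        raise ValueError(f"bearer_token_param_type must be a non-empty subset of {sorted(TOKEN_LOCATIONS)}, got {param_types}")
    if production:
        # Tokens in the query string leak into logs and Referer headers.
        if "query" in param_types:
            raise ValueError("do not accept bearer tokens in the query string in production")
        # Per the note above: client_secret_post is for testing the IdP connection.
        if client_auth == "client_secret_post":
            raise ValueError("use a stronger client_auth method than client_secret_post in production")
        if not issuer.startswith("https://"):
            raise ValueError("issuer must be an https URL in production")
    config = {
        "issuer": issuer,
        "client_id": [client_id],
        "client_secret": [client_secret],
        "client_auth": [client_auth],
        "auth_methods": ["bearer"],
        "bearer_token_param_type": param_types,
    }
    if audience:
        # Reject tokens minted for a different audience even if correctly signed.
        config["audience_required"] = [audience]
    return {"name": "openid-connect", "config": config}


def apply_plugin(plugin: dict, service: str, admin_url: str = "http://localhost:8001") -> dict:
    """POST the plugin to the Kong Admin API (assumed reachable at admin_url)
    and return the created plugin object. Not exercised offline."""
    req = urllib.request.Request(
        f"{admin_url}/services/{service}/plugins",
        data=json.dumps(plugin).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def plugin_from_env(production: bool = False) -> dict:
    """Read ISSUER, CLIENT_ID and CLIENT_SECRET from the environment, as the
    page's variable list describes, and build the plugin body."""
    return build_jwt_auth_plugin(
        issuer=os.environ["ISSUER"],
        client_id=os.environ["CLIENT_ID"],
        client_secret=os.environ["CLIENT_SECRET"],
        production=production,
    )


if __name__ == "__main__":
    print(json.dumps(plugin_from_env(), indent=2))
    # apply_plugin(plugin_from_env(), service="example-service")   # assumed service name
```

The test-friendly configuration on this page (query string, client_secret_post, plain http issuer) builds without complaint when `production` is off; switching it on turns each of those into an error, which is the check you want in the pipeline that deploys the gateway configuration.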