OpenID Connect with Okta
Authenticate browser clients using Okta.
The following configuration example allows users to authenticate and access the upstream service even though no Consumer was created for them. This means any user with a valid account in the directory will have access. If you want to restrict access further, you have several options:
- Consumer mapping: If you need to interact with other Kong Gateway plugins using Consumer information, you can map account data received from the IdP to a Kong Gateway Consumer. See OIDC with Consumer authorization.
- Pseudo-Consumer mapping: For plugins that typically require Consumers, the OIDC plugin can provide a Consumer ID based on the value of a claim without mapping to an actual Consumer. Setting credential_claim to a claim in your plugin configuration extracts the value of that claim and uses it where Kong Gateway would normally use a Consumer ID. Similarly, setting authenticated_groups_claim extracts that claim's value and uses it as a group for the ACL plugin.
For a full tutorial with this example, see Configure OpenID Connect with the authorization code flow and Okta.
Prerequisites
- A developer account with Okta.
- A Gateway Service and Route secured with HTTPS.
- A registered application in Okta pointing to the Kong Gateway Route.
- Any network access control to your Kong Gateway node must allow traffic to and from Okta, the upstream service, and the client.
Environment variables
- ISSUER: The issuer authentication URL for your IdP. For Okta, that typically looks like this: https://{oktaDomain}/oauth2/{authServer}/.well-known/openid-configuration
- CLIENT_ID: The client ID that the plugin uses when it calls authenticated endpoints of the IdP.
- CLIENT_SECRET: The client secret needed to connect to your IdP.
- REDIRECT_URI: The redirect_uri of the client defined with client_id.
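As an added preflight check that is not part of Kong's documentation, the POSIX shell function below validates the four variables above before they are spliced into the deck, curl, or kubectl examples that follow. The value shapes it enforces (an HTTPS discovery URL for ISSUER, an HTTPS REDIRECT_URI, and no characters that would break the "'$VAR'" JSON splicing) are assumptions drawn from the descriptions on this page.

```shell
#!/bin/sh
# Added example, not from Kong's documentation: a preflight check for the
# environment variables used on this page. Returns non-zero and reports every
# problem found, so a misconfiguration is caught before the plugin is created.
oidc_preflight() {
  rc=0
  for v in ISSUER CLIENT_ID CLIENT_SECRET REDIRECT_URI; do
    eval "val=\$$v"
    if [ -z "$val" ]; then
      echo "preflight: $v is not set" >&2
      rc=1
      continue
    fi
    # The curl examples splice values into JSON as "'$VAR'" inside a
    # single-quoted body; a double quote or backslash would corrupt that body.
    case "$val" in
      *\"*|*\\*) echo "preflight: $v contains a double quote or backslash" >&2; rc=1 ;;
    esac
  done
  # Assumption: ISSUER is Okta's discovery document, served over HTTPS.
  case "$ISSUER" in
    https://*/.well-known/openid-configuration) ;;
    *) echo "preflight: ISSUER must be https://{oktaDomain}/.../.well-known/openid-configuration" >&2
       rc=1 ;;
  esac
  # The Route is secured with HTTPS, so the registered redirect_uri must be too.
  case "$REDIRECT_URI" in
    https://*) ;;
    *) echo "preflight: REDIRECT_URI must start with https://" >&2; rc=1 ;;
  esac
  return "$rc"
}

# Usage: export the four variables, then gate the plugin creation on the check:
#   oidc_preflight && curl -i -X POST http://localhost:8001/plugins/ ...
```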
Add this section to your kong.yaml configuration file:
_format_version: "3.0"
plugins:
- name: openid-connect
  config:
    issuer: ${{ env "DECK_ISSUER" }}
    client_id:
    - ${{ env "DECK_CLIENT_ID" }}
    client_secret:
    - ${{ env "DECK_CLIENT_SECRET" }}
    redirect_uri:
    - ${{ env "DECK_REDIRECT_URI" }}
    scopes_claim:
    - scp
    scopes:
    - openid
    - email
    - profile
    auth_methods:
    - authorization_code
Make the following request:
curl -i -X POST http://localhost:8001/plugins/ \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '
{
"name": "openid-connect",
"config": {
"issuer": "'$ISSUER'",
"client_id": [
"'$CLIENT_ID'"
],
"client_secret": [
"'$CLIENT_SECRET'"
],
"redirect_uri": [
"'$REDIRECT_URI'"
],
"scopes_claim": [
"scp"
],
"scopes": [
"openid",
"email",
"profile"
],
"auth_methods": [
"authorization_code"
]
},
"tags": []
}
'
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "openid-connect",
"config": {
"issuer": "'$ISSUER'",
"client_id": [
"'$CLIENT_ID'"
],
"client_secret": [
"'$CLIENT_SECRET'"
],
"redirect_uri": [
"'$REDIRECT_URI'"
],
"scopes_claim": [
"scp"
],
"scopes": [
"openid",
"email",
"profile"
],
"auth_methods": [
"authorization_code"
]
},
"tags": []
}
'
Make sure to replace the following placeholders with your own values:
- region: Geographic region where your Kong Konnect is hosted and operates.
- KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
- controlPlaneId: The id of the control plane.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
metadata:
  name: openid-connect
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
    konghq.com/tags: ''
  labels:
    global: 'true'
config:
  issuer: '$ISSUER'
  client_id:
  - '$CLIENT_ID'
  client_secret:
  - '$CLIENT_SECRET'
  redirect_uri:
  - '$REDIRECT_URI'
  scopes_claim:
  - scp
  scopes:
  - openid
  - email
  - profile
  auth_methods:
  - authorization_code
plugin: openid-connect
" | kubectl apply -f -
Prerequisite: Configure your Personal Access Token
terraform {
  required_providers {
    konnect = {
      source = "kong/konnect"
    }
  }
}
provider "konnect" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_openid_connect" "my_openid_connect" {
  enabled = true
  config = {
    issuer        = var.issuer
    client_id     = [var.client_id]
    client_secret = [var.client_secret]
    redirect_uri  = [var.redirect_uri]
    scopes_claim  = ["scp"]
    scopes        = ["openid", "email", "profile"]
    auth_methods  = ["authorization_code"]
  }
  tags             = []
  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
}
This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.
variable "redirect_uri" {
  type = string
}
Add this section to your kong.yaml configuration file:
_format_version: "3.0"
plugins:
- name: openid-connect
  service: serviceName|Id
  config:
    issuer: ${{ env "DECK_ISSUER" }}
    client_id:
    - ${{ env "DECK_CLIENT_ID" }}
    client_secret:
    - ${{ env "DECK_CLIENT_SECRET" }}
    redirect_uri:
    - ${{ env "DECK_REDIRECT_URI" }}
    scopes_claim:
    - scp
    scopes:
    - openid
    - email
    - profile
    auth_methods:
    - authorization_code
Make sure to replace the following placeholders with your own values:
- serviceName|Id: The id or name of the service the plugin configuration will target.
Make the following request:
curl -i -X POST http://localhost:8001/services/{serviceName|Id}/plugins/ \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '
{
"name": "openid-connect",
"config": {
"issuer": "'$ISSUER'",
"client_id": [
"'$CLIENT_ID'"
],
"client_secret": [
"'$CLIENT_SECRET'"
],
"redirect_uri": [
"'$REDIRECT_URI'"
],
"scopes_claim": [
"scp"
],
"scopes": [
"openid",
"email",
"profile"
],
"auth_methods": [
"authorization_code"
]
},
"tags": []
}
'
Make sure to replace the following placeholders with your own values:
- serviceName|Id: The id or name of the service the plugin configuration will target.
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/services/{serviceId}/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "openid-connect",
"config": {
"issuer": "'$ISSUER'",
"client_id": [
"'$CLIENT_ID'"
],
"client_secret": [
"'$CLIENT_SECRET'"
],
"redirect_uri": [
"'$REDIRECT_URI'"
],
"scopes_claim": [
"scp"
],
"scopes": [
"openid",
"email",
"profile"
],
"auth_methods": [
"authorization_code"
]
},
"tags": []
}
'
Make sure to replace the following placeholders with your own values:
- region: Geographic region where your Kong Konnect is hosted and operates.
- KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
- controlPlaneId: The id of the control plane.
- serviceId: The id of the service the plugin configuration will target.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: openid-connect
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
    konghq.com/tags: ''
config:
  issuer: '$ISSUER'
  client_id:
  - '$CLIENT_ID'
  client_secret:
  - '$CLIENT_SECRET'
  redirect_uri:
  - '$REDIRECT_URI'
  scopes_claim:
  - scp
  scopes:
  - openid
  - email
  - profile
  auth_methods:
  - authorization_code
plugin: openid-connect
" | kubectl apply -f -
Next, apply the KongPlugin resource by annotating the service resource:
kubectl annotate -n kong service SERVICE_NAME konghq.com/plugins=openid-connect
Prerequisite: Configure your Personal Access Token
terraform {
  required_providers {
    konnect = {
      source = "kong/konnect"
    }
  }
}
provider "konnect" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_openid_connect" "my_openid_connect" {
  enabled = true
  config = {
    issuer        = var.issuer
    client_id     = [var.client_id]
    client_secret = [var.client_secret]
    redirect_uri  = [var.redirect_uri]
    scopes_claim  = ["scp"]
    scopes        = ["openid", "email", "profile"]
    auth_methods  = ["authorization_code"]
  }
  tags             = []
  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
  service = {
    id = konnect_gateway_service.my_service.id
  }
}
This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.
variable "redirect_uri" {
  type = string
}
Add this section to your kong.yaml configuration file:
_format_version: "3.0"
plugins:
- name: openid-connect
  route: routeName|Id
  config:
    issuer: ${{ env "DECK_ISSUER" }}
    client_id:
    - ${{ env "DECK_CLIENT_ID" }}
    client_secret:
    - ${{ env "DECK_CLIENT_SECRET" }}
    redirect_uri:
    - ${{ env "DECK_REDIRECT_URI" }}
    scopes_claim:
    - scp
    scopes:
    - openid
    - email
    - profile
    auth_methods:
    - authorization_code
Make sure to replace the following placeholders with your own values:
- routeName|Id: The id or name of the route the plugin configuration will target.
Make the following request:
curl -i -X POST http://localhost:8001/routes/{routeName|Id}/plugins/ \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '
{
"name": "openid-connect",
"config": {
"issuer": "'$ISSUER'",
"client_id": [
"'$CLIENT_ID'"
],
"client_secret": [
"'$CLIENT_SECRET'"
],
"redirect_uri": [
"'$REDIRECT_URI'"
],
"scopes_claim": [
"scp"
],
"scopes": [
"openid",
"email",
"profile"
],
"auth_methods": [
"authorization_code"
]
},
"tags": []
}
'
Make sure to replace the following placeholders with your own values:
- routeName|Id: The id or name of the route the plugin configuration will target.
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/routes/{routeId}/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "openid-connect",
"config": {
"issuer": "'$ISSUER'",
"client_id": [
"'$CLIENT_ID'"
],
"client_secret": [
"'$CLIENT_SECRET'"
],
"redirect_uri": [
"'$REDIRECT_URI'"
],
"scopes_claim": [
"scp"
],
"scopes": [
"openid",
"email",
"profile"
],
"auth_methods": [
"authorization_code"
]
},
"tags": []
}
'
Make sure to replace the following placeholders with your own values:
- region: Geographic region where your Kong Konnect is hosted and operates.
- KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
- controlPlaneId: The id of the control plane.
- routeId: The id of the route the plugin configuration will target.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: openid-connect
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
    konghq.com/tags: ''
config:
  issuer: '$ISSUER'
  client_id:
  - '$CLIENT_ID'
  client_secret:
  - '$CLIENT_SECRET'
  redirect_uri:
  - '$REDIRECT_URI'
  scopes_claim:
  - scp
  scopes:
  - openid
  - email
  - profile
  auth_methods:
  - authorization_code
plugin: openid-connect
" | kubectl apply -f -
Next, apply the KongPlugin resource by annotating the httproute or ingress resource (replace HTTPROUTE_NAME or INGRESS_NAME with the name of your resource; kubectl annotate requires the resource name):
kubectl annotate -n kong httproute HTTPROUTE_NAME konghq.com/plugins=openid-connect
kubectl annotate -n kong ingress INGRESS_NAME konghq.com/plugins=openid-connect
Prerequisite: Configure your Personal Access Token
terraform {
  required_providers {
    konnect = {
      source = "kong/konnect"
    }
  }
}
provider "konnect" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_openid_connect" "my_openid_connect" {
  enabled = true
  config = {
    issuer        = var.issuer
    client_id     = [var.client_id]
    client_secret = [var.client_secret]
    redirect_uri  = [var.redirect_uri]
    scopes_claim  = ["scp"]
    scopes        = ["openid", "email", "profile"]
    auth_methods  = ["authorization_code"]
  }
  tags             = []
  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
  route = {
    id = konnect_gateway_route.my_route.id
  }
}
This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.
variable "redirect_uri" {
  type = string
}