Password grant

Configure the OpenID Connect plugin to use the password grant.

This is a legacy authentication grant, as it’s less secure than other flows.

Here’s how the password grant works:

 
sequenceDiagram
    autonumber
    participant client as Client 
(e.g. mobile app) participant kong as API Gateway
(Kong) participant idp as IdP
(e.g. Keycloak) participant httpbin as Upstream
(upstream service,
e.g. httpbin) activate client activate kong client->>kong: Service with
basic authentication deactivate client kong->>kong: load
basic authentication
credentials activate idp kong->>idp: IdP/token with
client credentials and
password grant deactivate kong idp->>idp: authenticate client and
verify password grant activate kong idp->>kong: return tokens deactivate idp kong->>kong: verify tokens activate httpbin kong->>httpbin: request with access token httpbin->>kong: response deactivate httpbin activate client kong->>client: response deactivate kong deactivate client

In this example, the OpenID Connect plugin will only accept the password sent in a header, but you can also set the config.bearer_token_param_type parameter to body, query, cookie, or any combination of these values.

We’re also passing the client secret in the body of the request. You can pass the secret in more secure ways by using a different config.client_auth option.

For a complete example of authenticating with a username and password pair using Keycloak, see the tutorial for configuring OpenID Connect with the password grant.

Note: Setting config.client_auth to client_secret_post lets you easily test the connection to your IdP, but we recommend using a more secure auth method in production. You can use any of the supported client auth methods.

Prerequisites

  • A configured identity provider (IdP)

Environment variables

  • ISSUER: The issuer authentication URL for your IdP. For example, if you’re using Keycloak as your IdP, the issuer URL looks like this: http://localhost:8080/realms/example-realm

  • CLIENT_ID: The client ID that the plugin uses when it calls authenticated endpoints of the IdP.

  • CLIENT_SECRET: The client secret needed to connect to your IdP.

Set up the plugin

Something wrong?

Help us make these docs great!

Kong Developer docs are open source. If you find these useful and want to make them better, contribute today!