Session authentication
Configure the OpenID Connect plugin to issue a session cookie after a successful login, so that later requests can be authenticated with the cookie alone instead of repeating the login or presenting a bearer token on every call.
Here's how session auth works:
```mermaid
sequenceDiagram
    autonumber
    participant client as Client<br>(e.g. mobile app)
    participant kong as API Gateway<br>(Kong)
    participant httpbin as Upstream<br>(upstream service,<br>e.g. httpbin)
    activate client
    activate kong
    client->>kong: Request with<br>session cookie
    deactivate client
    kong->>kong: load session cookie
    kong->>kong: verify session
    activate httpbin
    kong->>httpbin: request with<br>access token
    httpbin->>kong: response
    deactivate httpbin
    activate client
    kong->>client: response
    deactivate kong
    deactivate client
```

The session is verified entirely at the gateway: the upstream never sees the cookie, only the access token Kong stored in the session and re-attaches to the forwarded request.
For a complete example of retrieving, storing, and using session cookies for authentication with Keycloak, see the tutorial for configuring OpenID Connect with session authentication.
Note: Setting `config.client_auth` to `client_secret_post` lets you easily test the connection to your IdP, but we recommend using a more secure auth method in production. You can use any of the supported client auth methods.
Prerequisites
- A configured identity provider (IdP)
Environment variables
- `ISSUER`: The issuer URL for your IdP. For example, if you're using Keycloak as your IdP, the issuer URL looks like this: `http://localhost:8080/realms/example-realm`
- `CLIENT_ID`: The client ID that the plugin uses when it calls authenticated endpoints of the IdP.
- `CLIENT_SECRET`: The client secret needed to connect to your IdP.