User info authentication
Configure the OpenID Connect plugin to use user info authentication.
Here’s how user info auth works:
sequenceDiagram autonumber participant client as Client
(e.g. mobile app) participant kong as API Gateway
(Kong) participant idp as IdP
(e.g. Keycloak) participant httpbin as Upstream
(upstream service,
e.g. httpbin) activate client activate kong client->>kong: Service with
access token deactivate client kong->>kong: load access token activate idp kong->>idp: IdP/userinfo
with client credentials
and access token deactivate kong idp->>idp: authenticate client and
verify token activate kong idp->>kong: return user info
response deactivate idp kong->>kong: verify response
status code (200) activate httpbin kong->>httpbin: request with access token httpbin->>kong: response deactivate httpbin activate client kong->>client: response deactivate kong deactivate client
In this example, the OpenID Connect plugin will only accept bearer tokens sent in a header,
but you can also set the bearer_token_param_type
parameter to body
, query
, or any combination of these values.
For a complete example of authenticating with a token retrieved through Keycloak’s user info endpoint, see the tutorial for configuring OpenID Connect with user info.
Note: Setting
config.client_auth
toclient_secret_post
lets you easily test the connection to your IdP, but we recommend using a more secure auth method in production. You can use any of the supported client auth methods.
Prerequisites
- A configured identity provider (IdP)
Environment variables
-
ISSUER
: The issuer authentication URL for your IdP. For example, if you’re using Keycloak as your IdP, the issuer URL looks like this:http://localhost:8080/realms/example-realm
-
CLIENT_ID
: The client ID that the plugin uses when it calls authenticated endpoints of the IdP. -
CLIENT_SECRET
: The client secret needed to connect to your IdP.