In this approach, Kong Gateway acts as a federated authentication broker maintaining a registry of trusted issuers and their public key endpoints.
The plugin inspects the iss claim of an incoming bearer token, looks up the matching JWKS endpoint from the configured list, validates the token signature and standard claims, then forwards the verified request upstream.
No token transformation occurs.
sequenceDiagram
participant C as Client
participant K as API Gateway
with OIDC plugin
participant IdPA as IdP A
(primary issuer)
participant IdPB as IdP B
(via extra_jwks_uris)
participant U as Upstream
(backend service)
C->>K: Request with bearer token
activate K
K->>K: Extract iss claim from token
alt If iss matches IdP A
K->>IdPA: Fetch JWKS (if not cached)
IdPA-->>K: Public keys
else If iss matches IdP B
K->>IdPB: Fetch JWKS (if not cached)
IdPB-->>K: Public keys
end
K->>K: Verify signature
K->>K: Check iss against issuers_allowed
K->>U: Proxy request with original token
activate U
U-->>K: Response
deactivate U
K-->>C: Response
deactivate K
Configure the following OIDC plugin settings:
-
config.issuers_allowed: Allowlist of issuer URLs the plugin will accept.
Add every IdP’s issuer URL here, exactly as it appears in the iss claim of their tokens.
-
config.extra_jwks_uris: Additional JWKS endpoints for each IdP beyond the primary config.issuer.
The plugin checks the primary discovery JWKS first, then falls back to these.
This approach works best when tokens issued by each IdP follow the same claim naming conventions.
Note: The plugin uses config.issuer for discovery and to identify the primary issuer.
Tokens from other IdPs will fail iss claim verification unless you set config.verify_claims to false and control allowed issuers via config.issuers_allowed instead.
If you update config.extra_jwks_uris after the plugin is already configured, clear the discovery cache for the change to take effect.
The following example configures the OIDC plugin to accept tokens from two identity providers.
The first IdP is the primary config.issuer, while the second is added via config.extra_jwks_uris:
config:
issuer: https://idp-a.example.com
auth_methods:
- bearer
extra_jwks_uris:
- https://idp-b.example.com/oauth2/v1/keys
issuers_allowed:
- https://idp-a.example.com
- https://idp-b.example.com
verify_signature: true
verify_claims: false
In this example, a client authenticated with idp-a presents a bearer token.
Kong Gateway validates it against idp-a’s JWKS and checks the issuer against config.issuers_allowed.
The same flow applies to a client from idp-b.
Both reach the upstream service without any token transformation.
For more detail and a complete walkthrough: