Home / How-to Guides
Edit
Report

Configure OpenID Connect with Kong Oauth2 token authentication

Uses: Kong Gateway decK
Related Documentation
All Gateway Documentation
All decK Documentation
Incompatible with
konnect
Tags
#authentication #openid-connect
Related Resources
OpenID Connect in Kong Gateway
Authentication in Kong Gateway
OpenID Connect authentication flows and grants
Kong OAuth2 token authentication workflow
OpenID Connect tutorials
Minimum Version
Kong Gateway - 3.4
TL;DR

Using the OpenID Connect plugin, set up the OAuth2 authentication workflow with the OAuth2 plugin to retrieve and verify tokens from Kong Gateway, then use them with an IdP.

Prerequisites

Kong Gateway running

This tutorial requires Kong Gateway Enterprise. If you don’t have Kong Gateway set up yet, you can use the quickstart script with an enterprise license to get an instance of Kong Gateway running almost instantly.

  1. Export your license to an environment variable:

     export KONG_LICENSE_DATA='LICENSE-CONTENTS-GO-HERE'

  2. Run the quickstart script:

     curl -Ls https://get.konghq.com/quickstart | bash -s -- -e KONG_LICENSE_DATA

    Once Kong Gateway is ready, you will see the following message:

     Kong Gateway Ready

decK

decK is a CLI tool for managing Kong Gateway declaratively with state files. To complete this tutorial you will first need to install decK.

Pre-configured entities

For this tutorial, you’ll need Kong Gateway entities, like Gateway Services and Routes, pre-configured. These entities are essential for Kong Gateway to function but installing them isn’t the focus of this guide. Follow these steps to pre-configure them:

  1. Run the following command:

    echo '
_format_version: "3.0"
services:
  - name: example-service
    url: http://httpbin.konghq.com/anything
routes:
  - name: example-route
    paths:
    - "/anything"
    service:
      name: example-service
' | deck gateway apply -

To learn more about entities, you can read our entities documentation.

Set up Keycloak

This tutorial requires an identity provider (IdP). If you don’t have one, you can use Keycloak. The steps will be similar in other standard identity providers.

Create a client

  1. Install Keycloak (version 26 or later) on your platform.

    For example, you can use the Keycloak Docker image:

     docker run -p 8080:8080 \
   -e KC_BOOTSTRAP_ADMIN_USERNAME=admin \
   -e KC_BOOTSTRAP_ADMIN_PASSWORD=admin \
   quay.io/keycloak/keycloak start-dev

  2. Open the admin console.

    The default URL of the console is http://$YOUR_KEYCLOAK_HOST:8080/admin/master/console/.

  3. In the sidebar, open Clients, then click Create client.
  4. Configure the client:

Section

Settings
General settings
  • Client type: OpenID Connect
  • Client ID: any unique name, for example kong
Capability config
  • Toggle Client authentication to on
  • Make sure that Standard flow, Direct access grants, and Service accounts roles are checked.
Login settings Valid redirect URIs: http://localhost:8000/*

Set up keys and credentials

  1. In your client, open the Credentials tab.
  2. Set Client Authenticator to Client ID and Secret.
  3. Copy the Client Secret.
  4. Switch to the Users menu and add a user.
  5. Open the user’s Credentials tab and add a password. Be sure to disable Temporary Password.

In this guide, we’re going to use an example user named alex with the password doe.

Export to environment variables

Export your client secret, client ID, and issuer URL to environment variables so that you can pass them more securely. For example:

export DECK_ISSUER=http://host.docker.internal:8080/realms/master
export DECK_CLIENT_ID=kong
export DECK_CLIENT_SECRET=UNT3GPzCKI7zUbhAmFSUGbj4wmiBDGiW

Create a Consumer with OAuth2 credentials

First, create a Consumer and assign OAuth2 credentials to them. We’ll use these credentials to generate access tokens.

echo '
_format_version: "3.0"
consumers:
  - username: alex
    oauth2_credentials:
    - client_secret: secret
      client_id: client
      hash_secret: true
      name: oauth2-app
' | deck gateway apply -

Enable the OAuth2 plugin

The OAuth2 plugin adds an OAuth 2.0 authentication layer to Kong Gateway and lets you generate access tokens for Consumers.

First, you’ll need a key to provision the plugin. Generate a UUID and export it to an environment variable:

export DECK_PROVISION_KEY=$(uuidgen)

Apply the OAuth2 plugin to the example-route Route you created in the prerequisites:

echo '
_format_version: "3.0"
plugins:
  - name: oauth2
    route: example-route
    config:
      global_credentials: true
      enable_client_credentials: true
      provision_key: "${{ env "DECK_PROVISION_KEY" }}"
' | deck gateway apply -

Enable the OpenID Connect plugin with Kong OAuth token authentication

Using the Keycloak and Kong Gateway configuration from the prerequisites, set up an instance of the OpenID Connect plugin with Kong OAuth token authentication.

Enable the OpenID Connect plugin on the example-service Service:

echo '
_format_version: "3.0"
plugins:
  - name: openid-connect
    service: example-service
    config:
      issuer: "${{ env "DECK_ISSUER" }}"
      client_id:
      - "${{ env "DECK_CLIENT_ID" }}"
      client_secret:
      - "${{ env "DECK_CLIENT_SECRET" }}"
      client_auth:
      - client_secret_post
      auth_methods:
      - kong_oauth2
      bearer_token_param_type:
      - header
' | deck gateway apply -

In this example:

  • issuer, client ID, client secret, and client auth: Settings that connect the plugin to your IdP (in this case, the sample Keycloak app).
  • auth_methods: Specifies that the plugin should use Kong’s OAuth2 token for authentication.
  • bearer_token_param_type: Restricts token lookup to the request headers only.

Note: Setting config.client_auth to client_secret_post lets you easily test the connection to your IdP, but we recommend using a more secure auth method in production. You can use any of the supported client auth methods.

Retrieve the access token

Retrieve the token from the OAuth token endpoint:

curl -X POST --insecure https://localhost:8443/anything/oauth2/token \
  --data "client_id=client" \
  --data "client_secret=secret" \
  --data "grant_type=client_credentials"

You should see an access-token in the response.

Export the token to an environment variable:

export ACCESS_TOKEN='YOUR_ACCESS_TOKEN'

Validate the access token flow

Now, validate the setup by accessing the example-route Route and passing the bearer token you received from the Kong OAuth plugin:

curl -i -X GET "http://localhost:8000/anything" \
     -H "Authorization: Bearer $ACCESS_TOKEN"

If Kong Gateway successfully authenticates with Keycloak, you’ll see a 200 response with your bearer token in the Authorization header.

If you make another request using the same credentials, you’ll see that Kong Gateway adds less latency to the request because it has cached the token endpoint call to Keycloak:

X-Kong-Proxy-Latency: 25

Cleanup

Clean up Konnect environment

If you created a new control plane and want to conserve your free trial credits or avoid unnecessary charges, delete the new control plane used in this tutorial.

Destroy the Kong Gateway container

 
curl -Ls https://get.konghq.com/quickstart | bash -s -- -d
Something wrong?
Report an Issue | Edit this Page

Help us make these docs great!

Kong Developer docs are open source. If you find these useful and want to make them better, contribute today!
Contribute

Still need help

Ask in our Forum
Contact Support
OSZAR »