Mutual TLS client authentication
Configure the OpenID Connect plugin to use mutual TLS (mTLS) client authentication.
The following uses the password grant, but you can use any supported OpenID Connect auth method.
The configuration option config.tls_client_auth_ssl_verify controls whether the server (IdP) certificate is verified.
When set to true (default), ensure that trusted certificate and verify depth are appropriately configured so that the IdP’s server certificate is trusted by Kong Gateway.
Prerequisites
-
A configured identity provider (IdP) configured with mTLS and X.509 client certificate authentication
-
A client certificate and key pair stored in a Certificate object
Environment variables
-
ISSUER: The issuer authentication URL for your IdP. For example, if you’re using Keycloak as your IdP, the issuer URL looks like this:http://localhost:8080/realms/example-realm. -
CLIENT_ID: The client ID that the plugin uses when it calls authenticated endpoints of the IdP. -
CERTIFICATE_ID: The UUID of a Certificate object in Kong Gateway, which contains a client cert and key pair.
Add this section to your declarative configuration file:
_format_version: "3.0"
plugins:
- name: openid-connect
config:
issuer: ${{ env "DECK_ISSUER" }}
client_id:
- ${{ env "DECK_CLIENT_ID" }}
client_auth:
- tls_client_auth
auth_methods:
- password
tls_client_auth_cert_id: ${{ env "DECK_CERTIFICATE_ID" }}
tls_client_auth_ssl_verify: true
Make the following request:
curl -i -X POST http://localhost:8001/plugins/ \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '
{
"name": "openid-connect",
"config": {
"issuer": "'$ISSUER'",
"client_id": [
"'$CLIENT_ID'"
],
"client_auth": [
"tls_client_auth"
],
"auth_methods": [
"password"
],
"tls_client_auth_cert_id": "'$CERTIFICATE_ID'",
"tls_client_auth_ssl_verify": true
}
}
'
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "openid-connect",
"config": {
"issuer": "'$ISSUER'",
"client_id": [
"'$CLIENT_ID'"
],
"client_auth": [
"tls_client_auth"
],
"auth_methods": [
"password"
],
"tls_client_auth_cert_id": "'$CERTIFICATE_ID'",
"tls_client_auth_ssl_verify": true
}
}
'
Make sure to replace the following placeholders with your own values:
-
region: Geographic region where your Kong Konnect is hosted and operates. -
controlPlaneId: Theidof the control plane. -
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
metadata:
name: openid-connect
namespace: kong
annotations:
kubernetes.io/ingress.class: kong
labels:
global: 'true'
config:
issuer: '$ISSUER'
client_id:
- '$CLIENT_ID'
client_auth:
- tls_client_auth
auth_methods:
- password
tls_client_auth_cert_id: '$CERTIFICATE_ID'
tls_client_auth_ssl_verify: true
plugin: openid-connect
" | kubectl apply -f -
Prerequisite: Configure your Personal Access Token
terraform {
required_providers {
konnect = {
source = "kong/konnect"
}
}
}
provider "konnect" {
personal_access_token = "$KONNECT_TOKEN"
server_url = "https://us.api.konghq.com/"
}
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_openid_connect" "my_openid_connect" {
enabled = true
config = {
issuer = var.issuer
client_id = [var.client_id]
client_auth = ["tls_client_auth"]
auth_methods = ["password"]
tls_client_auth_cert_id = var.certificate_id
tls_client_auth_ssl_verify = true
}
control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
}
This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.
variable "certificate_id" {
type = string
}
Add this section to your declarative configuration file:
_format_version: "3.0"
plugins:
- name: openid-connect
service: serviceName|Id
config:
issuer: ${{ env "DECK_ISSUER" }}
client_id:
- ${{ env "DECK_CLIENT_ID" }}
client_auth:
- tls_client_auth
auth_methods:
- password
tls_client_auth_cert_id: ${{ env "DECK_CERTIFICATE_ID" }}
tls_client_auth_ssl_verify: true
Make sure to replace the following placeholders with your own values:
-
serviceName|Id: Theidornameof the service the plugin configuration will target.
Make the following request:
curl -i -X POST http://localhost:8001/services/{serviceName|Id}/plugins/ \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '
{
"name": "openid-connect",
"config": {
"issuer": "'$ISSUER'",
"client_id": [
"'$CLIENT_ID'"
],
"client_auth": [
"tls_client_auth"
],
"auth_methods": [
"password"
],
"tls_client_auth_cert_id": "'$CERTIFICATE_ID'",
"tls_client_auth_ssl_verify": true
}
}
'
Make sure to replace the following placeholders with your own values:
-
serviceName|Id: Theidornameof the service the plugin configuration will target.
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/services/{serviceId}/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "openid-connect",
"config": {
"issuer": "'$ISSUER'",
"client_id": [
"'$CLIENT_ID'"
],
"client_auth": [
"tls_client_auth"
],
"auth_methods": [
"password"
],
"tls_client_auth_cert_id": "'$CERTIFICATE_ID'",
"tls_client_auth_ssl_verify": true
}
}
'
Make sure to replace the following placeholders with your own values:
-
region: Geographic region where your Kong Konnect is hosted and operates. -
controlPlaneId: Theidof the control plane. -
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account. -
serviceId: Theidof the service the plugin configuration will target.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: openid-connect
namespace: kong
annotations:
kubernetes.io/ingress.class: kong
config:
issuer: '$ISSUER'
client_id:
- '$CLIENT_ID'
client_auth:
- tls_client_auth
auth_methods:
- password
tls_client_auth_cert_id: '$CERTIFICATE_ID'
tls_client_auth_ssl_verify: true
plugin: openid-connect
" | kubectl apply -f -
Next, apply the KongPlugin resource by annotating the service resource:
kubectl annotate -n kong service SERVICE_NAME konghq.com/plugins=openid-connect
Prerequisite: Configure your Personal Access Token
terraform {
required_providers {
konnect = {
source = "kong/konnect"
}
}
}
provider "konnect" {
personal_access_token = "$KONNECT_TOKEN"
server_url = "https://us.api.konghq.com/"
}
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_openid_connect" "my_openid_connect" {
enabled = true
config = {
issuer = var.issuer
client_id = [var.client_id]
client_auth = ["tls_client_auth"]
auth_methods = ["password"]
tls_client_auth_cert_id = var.certificate_id
tls_client_auth_ssl_verify = true
}
control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
service = {
id = konnect_gateway_service.my_service.id
}
}
This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.
variable "certificate_id" {
type = string
}
Add this section to your declarative configuration file:
_format_version: "3.0"
plugins:
- name: openid-connect
route: routeName|Id
config:
issuer: ${{ env "DECK_ISSUER" }}
client_id:
- ${{ env "DECK_CLIENT_ID" }}
client_auth:
- tls_client_auth
auth_methods:
- password
tls_client_auth_cert_id: ${{ env "DECK_CERTIFICATE_ID" }}
tls_client_auth_ssl_verify: true
Make sure to replace the following placeholders with your own values:
-
routeName|Id: Theidornameof the route the plugin configuration will target.
Make the following request:
curl -i -X POST http://localhost:8001/routes/{routeName|Id}/plugins/ \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '
{
"name": "openid-connect",
"config": {
"issuer": "'$ISSUER'",
"client_id": [
"'$CLIENT_ID'"
],
"client_auth": [
"tls_client_auth"
],
"auth_methods": [
"password"
],
"tls_client_auth_cert_id": "'$CERTIFICATE_ID'",
"tls_client_auth_ssl_verify": true
}
}
'
Make sure to replace the following placeholders with your own values:
-
routeName|Id: Theidornameof the route the plugin configuration will target.
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/routes/{routeId}/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "openid-connect",
"config": {
"issuer": "'$ISSUER'",
"client_id": [
"'$CLIENT_ID'"
],
"client_auth": [
"tls_client_auth"
],
"auth_methods": [
"password"
],
"tls_client_auth_cert_id": "'$CERTIFICATE_ID'",
"tls_client_auth_ssl_verify": true
}
}
'
Make sure to replace the following placeholders with your own values:
-
region: Geographic region where your Kong Konnect is hosted and operates. -
controlPlaneId: Theidof the control plane. -
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account. -
routeId: Theidof the route the plugin configuration will target.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: openid-connect
namespace: kong
annotations:
kubernetes.io/ingress.class: kong
config:
issuer: '$ISSUER'
client_id:
- '$CLIENT_ID'
client_auth:
- tls_client_auth
auth_methods:
- password
tls_client_auth_cert_id: '$CERTIFICATE_ID'
tls_client_auth_ssl_verify: true
plugin: openid-connect
" | kubectl apply -f -
Next, apply the KongPlugin resource by annotating the httproute or ingress resource:
kubectl annotate -n kong httproute konghq.com/plugins=openid-connect
kubectl annotate -n kong ingress konghq.com/plugins=openid-connect
Prerequisite: Configure your Personal Access Token
terraform {
required_providers {
konnect = {
source = "kong/konnect"
}
}
}
provider "konnect" {
personal_access_token = "$KONNECT_TOKEN"
server_url = "https://us.api.konghq.com/"
}
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_openid_connect" "my_openid_connect" {
enabled = true
config = {
issuer = var.issuer
client_id = [var.client_id]
client_auth = ["tls_client_auth"]
auth_methods = ["password"]
tls_client_auth_cert_id = var.certificate_id
tls_client_auth_ssl_verify = true
}
control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
route = {
id = konnect_gateway_route.my_route.id
}
}
This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.
variable "certificate_id" {
type = string
}