OIDC Authenticated Group Mapping
Using Kong’s OpenID Connect plugin (OIDC), you can map identity provider (IdP)
groups to Kong roles. Adding a user to Kong in this way gives them access to
Kong based on their group in the IdP.
After starting Kong Gateway with the desired configuration, you can
create new admins whose usernames match those in your IdP. Those
users will then be able to accept invitations to join Kong Manager and log in
with their IdP credentials.
If an admin’s group changes in the IdP, their Kong admin account’s associated
role also changes in Kong Gateway the next time they log in through Kong
Manager. The mapping removes the task of manually managing access in
Kong Gateway, as it makes the IdP the system of record.
Here’s how OIDC authenticated group mapping works:
- Create roles in Kong Gateway using either the Kong Admin API or Kong
Manager.
- Create groups and associate roles with the groups.
- Configure the OIDC plugin to connect with your IdP.
- When users log in to Kong Manager, they get permissions based on the IdP
group(s) they belong to.
Prerequisites
Create Kong Groups and Assign Roles
Note: The following examples assume that you have RBAC enabled with
Basic Auth and are transitioning to OpenID Connect.
You can create the group and its admin either in Kong Manager or with the Kong Admin API.
Kong Manager
Create a group and assign a role to it:
- Open Teams from the top navigation.
- Click the Groups tab.
- Click Create New Group.
- Set the Group Name to match your IdP group.
Note: Group names are case-sensitive. Make sure to match your IdP
group name exactly.
- (Optional) In the Comment field, enter a description for the group.
- Click on Add/Edit Roles, then choose a workspace and a role.
- Save the role assignment, then click Create.
Create an admin for the group:
- Open Teams from the top navigation.
- Click the Admins tab.
- Click Invite Admin.
- Enter a username and email, and optionally a custom ID to make the admin easy for you to identify.
Note: Make sure the username exactly matches the admin’s name in
your IdP.
- Ensure the Enable RBAC token checkbox is checked.
- Save the role assignment, then click Invite Admin.
Kong Admin API
- Create a group, making sure the group name parameter matches your IdP group name:
$ curl -X POST --url http://localhost:8001/groups \
--header 'content-type: application/json' \
--header 'kong-admin-token: <yourtoken>' \
--data '{
"comment": "example group",
"name": "examplegroup"
}'
Note: Group names are case-sensitive. Make sure to match your IdP group
name exactly.
- Assign a role to the group:
$ curl -X POST --url http://localhost:8001/groups/{group-id}/roles \
--header 'content-type: application/json' \
--header 'kong-admin-token: <yourtoken>' \
--data '{
"rbac_role_id": "e948171e-699c-4035-9b74-2b2b576d9644",
"workspace_id": "236bfa99-cf09-4389-afa8-e2bd6da89fd3"
}'
Where:
- Create an admin for the group:
$ curl -X POST --url http://localhost:8001/admins \
--header 'content-type: application/json' \
--header 'kong-admin-token: <yourtoken>' \
--data '{
"username": "<someusername>",
"custom_id": "<examplename>",
"email": "<your-email@company.com>",
"rbac_token_enabled": true
}'
Notice that in the instructions above you did not assign a role to the admin directly. The admin's role is resolved at login from the group the IdP reports for them and the role assigned to that group in Kong Gateway.
Apply OIDC Auth Mapping to Kong Gateway
Choose the procedure for your deployment: Kubernetes with Helm, Docker, or kong.conf.
Kubernetes with Helm
- Create a configuration file for the OIDC plugin and save it as admin_gui_auth_conf. For group mapping, you must include the authenticated_groups_claim parameter as part of this configuration. For example, the configuration should look something like this:
{
"issuer": "<https://my-auth-url>",
"client_id": ["<someid>"],
"client_secret": ["<somesecret>"],
"consumer_by": ["username","custom_id"],
"ssl_verify": false,
"consumer_claim": ["sub"],
"leeway": 60,
"redirect_uri": ["<http://manager.admin-hostname.com>"],
"login_redirect_uri": ["<http://manager.admin-hostname.com>"],
"logout_methods": ["GET", "DELETE"],
"logout_query_arg": "logout",
"logout_redirect_uri": ["<http://manager.admin-hostname.com>"],
"scopes": ["openid","profile","email","offline_access"],
"authenticated_groups_claim": ["groups"],
"auth_methods": ["authorization_code"]
}
For detailed descriptions of all the parameters used here, and many other
customization options, see the OpenID Connect parameter reference.
- Create a secret from the file you just created:
$ kubectl create secret generic kong-idp-conf --from-file=admin_gui_auth_conf -n kong
- Update the RBAC section of the deployment values.yml file with the following parameters:
rbac:
enabled: true
admin_gui_auth: openid-connect
session_conf_secret: kong-session-conf
admin_gui_auth_conf_secret: kong-idp-conf
- Using Helm, upgrade the deployment with your YAML filename:
$ helm upgrade --install kong-ee kong/kong -f ./myvalues.yaml -n kong
Docker
If you have a Docker installation, run the following command to set the needed environment variables and reload the Kong Gateway configuration. Substitute all variables in angled brackets (< >) with your own values:
$ echo "
KONG_ENFORCE_RBAC=on \
KONG_ADMIN_GUI_AUTH=openid-connect \
KONG_ADMIN_GUI_AUTH_CONF='{
\"issuer\": \"<https://my-auth-url>\",
\"client_id\": [\"<someid>\"],
\"client_secret\": [\"<somesecret>\"],
\"consumer_by\": [\"username\",\"custom_id\"],
\"ssl_verify\": false,
\"consumer_claim\": [\"sub\"],
\"leeway\": 60,
\"redirect_uri\": [\"<http://manager.admin-hostname.com>\"],
\"login_redirect_uri\": [\"<http://manager.admin-hostname.com>\"],
\"logout_methods\": [\"GET\", \"DELETE\"],
\"logout_query_arg\": \"logout\",
\"logout_redirect_uri\": [\"<http://manager.admin-hostname.com>\"],
\"scopes\": [\"openid\",\"profile\",\"email\",\"offline_access\"],
\"authenticated_groups_claim\": [\"groups\"],
\"auth_methods\": [\"authorization_code\"]
}' kong reload exit" | docker exec -i <kong-container-id> /bin/sh
Replace <kong-container-id> with the ID of your container.
kong.conf
- Navigate to your kong.conf file.
- With RBAC enabled, add the admin_gui_auth and admin_gui_auth_conf properties to the file:
enforce_rbac = on
admin_gui_auth = openid-connect
admin_gui_auth_conf = {
"issuer": "<https://my-auth-url>",
"client_id": ["<someid>"],
"client_secret": ["<somesecret>"],
"consumer_by": ["username","custom_id"],
"ssl_verify": false,
"consumer_claim": ["sub"],
"leeway": 60,
"redirect_uri": ["<http://manager.admin-hostname.com>"],
"login_redirect_uri": ["<http://manager.admin-hostname.com>"],
"logout_methods": ["GET", "DELETE"],
"logout_query_arg": "logout",
"logout_redirect_uri": ["<http://manager.admin-hostname.com>"],
"scopes": ["openid","profile","email","offline_access"],
"authenticated_groups_claim": ["groups"],
"auth_methods": ["authorization_code"]
}
For detailed descriptions of all the parameters used here, and many other
customization options, see the OpenID Connect parameter reference.
- Restart Kong Gateway to apply the file.
$ kong restart -c /path/to/kong.conf
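The group-to-role resolution that the admin_gui_auth_conf settings above drive, and the reason the admin needed no direct role assignment, as an added simulation written for this page (not Kong's own code). It uses constructed group, admin and token data, and assumes that an array value for authenticated_groups_claim addresses a nested claim path.

```python
"""Added simulation (not Kong's code) of how the admin_gui_auth_conf settings
consumer_by, consumer_claim and authenticated_groups_claim turn ID token
claims into a Kong admin's effective roles, with the exact-match rules."""
from typing import Optional

# Constructed Kong state: group name -> [(workspace, role)], and invited admins.
KONG_GROUPS = {"examplegroup": [("default", "read-only"), ("teamA", "admin")]}
KONG_ADMINS = [{"username": "alice", "custom_id": "alice-123"}]

# Subset of the admin_gui_auth_conf shown on this page.
OIDC_CONF = {
    "consumer_by": ["username", "custom_id"],
    "consumer_claim": ["sub"],
    "authenticated_groups_claim": ["groups"],
}


def claim_path(claims: dict, path: list):
    """Walk a claim path. Assumption: an array such as ["realm_access", "roles"]
    addresses a nested claim, one key per element."""
    node = claims
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def find_admin(claims: dict, conf: dict) -> Optional[dict]:
    """Match the consumer_claim value exactly against each consumer_by field."""
    value = claim_path(claims, conf["consumer_claim"])
    for admin in KONG_ADMINS:
        if any(admin.get(field) == value for field in conf["consumer_by"]):
            return admin
    return None


def resolve_roles(claims: dict, conf: dict = OIDC_CONF) -> dict:
    """Return {workspace: {roles}} for one login. It is recomputed on every
    login, so an IdP group change takes effect the next time the admin logs in."""
    if find_admin(claims, conf) is None:
        return {}  # no Kong admin with this exact username/custom_id: no roles
    groups = claim_path(claims, conf["authenticated_groups_claim"]) or []
    roles: dict = {}
    for name in groups:  # case-sensitive: "ExampleGroup" matches nothing
        for workspace, role in KONG_GROUPS.get(name, []):
            roles.setdefault(workspace, set()).add(role)
    return roles
```

Calling resolve_roles twice with different groups claims for the same admin shows the role set changing between logins, which is the behaviour the page describes for a group change in the IdP.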