OpenID Connect with Curity

Integrate Kong Gateway and the Curity Identity Server for introspection using the Phantom Token pattern.

The OpenID Connect plugin introspects an incoming opaque access token and receives a JWT in the introspection response from the Curity Identity Server. As part of the introspection, the OpenID Connect plugin validates that required scopes are available in the introspected token.

  • If the correct scopes are missing, access to the requested upstream service is denied.
  • If access is granted, the JWT from the introspection response is added to a header and forwarded to the upstream service where it can be consumed.

Prerequisites

Environment variables

  • ISSUER: The issuer authentication URL for your IdP. For Curity, that typically looks like this: https://idsvr.example.com/oauth/v2/oauth-anonymous.

  • CLIENT_ID: The client ID that the plugin uses when it calls authenticated endpoints of the IdP.

  • CLIENT_SECRET: The client secret needed to connect to Curity.

Set up the plugin

Add this section to your declarative configuration file. The `${{ env "..." }}` references are resolved by decK from environment variables carrying the DECK_ prefix, so export the values above as DECK_ISSUER, DECK_CLIENT_ID and DECK_CLIENT_SECRET:

_format_version: "3.0"
plugins:
  - name: openid-connect
    config:
      issuer: ${{ env "DECK_ISSUER" }}
      client_id:
      - ${{ env "DECK_CLIENT_ID" }}
      client_secret:
      - ${{ env "DECK_CLIENT_SECRET" }}
      scopes_required:
      - openid
      hide_credentials: true
      upstream_access_token_header: nil
      upstream_headers_claims:
      - phantom_token
      upstream_headers_names:
      - phantom_token
      auth_methods:
      - introspection
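The per-request decision the configuration above produces, modelled as an added example (not code from Kong or Curity): the opaque bearer token is introspected, `active` and the required scopes are checked, and only the JWT from the `phantom_token` claim reaches the upstream, never the opaque token. The introspection response shape (`active`, `scope`, `phantom_token`) and the `fake_introspect` stand-in are assumptions for the example.

```python
from typing import Callable, Dict, Optional

REQUIRED_SCOPES = {"openid"}       # mirrors scopes_required in the plugin config
UPSTREAM_HEADER = "phantom_token"  # mirrors upstream_headers_names


def extract_bearer(headers: Dict[str, str]) -> Optional[str]:
    """Return the opaque token from 'Authorization: Bearer <token>', else None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def authorize(headers: Dict[str, str],
              introspect: Callable[[str], dict]) -> Dict[str, object]:
    """Decide whether to forward the request and with which headers.

    introspect() stands in for the plugin's call to the Curity introspection
    endpoint; client_id/client_secret handling is assumed to live inside it.
    """
    token = extract_bearer(headers)
    if token is None:
        return {"status": 401, "reason": "no bearer token"}
    resp = introspect(token)
    if not resp.get("active"):
        return {"status": 401, "reason": "token not active"}
    missing = REQUIRED_SCOPES - set(resp.get("scope", "").split())
    if missing:
        return {"status": 403, "reason": f"missing scopes: {sorted(missing)}"}
    jwt = resp.get("phantom_token")
    if not jwt:
        return {"status": 401, "reason": "no phantom_token in introspection response"}
    # hide_credentials / upstream_access_token_header: the opaque token is
    # dropped and the JWT from the introspection response is forwarded instead.
    upstream = {k: v for k, v in headers.items() if k.lower() != "authorization"}
    upstream[UPSTREAM_HEADER] = jwt
    return {"status": 200, "upstream_headers": upstream}


# Constructed stand-in for the identity server's introspection responses.
FAKE_TOKENS = {
    "opaque-ok": {"active": True, "scope": "openid profile",
                  "phantom_token": "CONSTRUCTED.JWT.VALUE"},
    "opaque-noscope": {"active": True, "scope": "profile",
                       "phantom_token": "CONSTRUCTED.JWT.VALUE"},
    "opaque-revoked": {"active": False},
}


def fake_introspect(token: str) -> dict:
    return FAKE_TOKENS.get(token, {"active": False})
```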